From 16514a1f1c9ad4b27b509da59f1e64418958a44e Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Thu, 13 Aug 2020 09:18:05 -0500
Subject: [PATCH 01/90] bumping version for 1.x release branch (#921)

---
 code/go/ecs/version.go                  |    2 +-
 docs/fields.asciidoc                    |    2 +-
 docs/index.asciidoc                     |    2 +-
 generated/beats/fields.ecs.yml          |    2 +-
 generated/csv/fields.csv                | 1344 +++++++++++------------
 generated/elasticsearch/6/template.json |    2 +-
 generated/elasticsearch/7/template.json |    2 +-
 version                                 |    2 +-
 8 files changed, 679 insertions(+), 679 deletions(-)

diff --git a/code/go/ecs/version.go b/code/go/ecs/version.go
index 8ccedee43b..ceb8cf7d1d 100644
--- a/code/go/ecs/version.go
+++ b/code/go/ecs/version.go
@@ -20,4 +20,4 @@
 package ecs
 
 // Version is the Elastic Common Schema version from which this was generated.
-const Version = "1.6.0-dev"
+const Version = "1.7.0-dev"
diff --git a/docs/fields.asciidoc b/docs/fields.asciidoc
index 9200f84a2a..1de0fae653 100644
--- a/docs/fields.asciidoc
+++ b/docs/fields.asciidoc
@@ -2,7 +2,7 @@
 [[ecs-field-reference]]
 == {ecs} Field Reference
 
-This is the documentation of ECS version 1.6.0-dev.
+This is the documentation of ECS version 1.7.0-dev.
 
 ECS defines multiple groups of related fields. They are called "field sets".
 The <<ecs-base,Base>> field set is the only one whose fields are defined
diff --git a/docs/index.asciidoc b/docs/index.asciidoc
index 809916f660..c71023e83a 100644
--- a/docs/index.asciidoc
+++ b/docs/index.asciidoc
@@ -8,7 +8,7 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
 [[ecs-reference]]
 == Overview
 
-This is the documentation of ECS version 1.6.0-dev.
+This is the documentation of ECS version 1.7.0-dev.
 
 [float]
 === What is ECS?
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 1b2d7679cd..d3a48009c1 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -1,5 +1,5 @@
 # WARNING! Do not edit this file directly, it was generated by the ECS project,
-# based on ECS version 1.6.0-dev.
+# based on ECS version 1.7.0-dev.
 # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields.
 
 - key: ecs
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index 45ef39de6b..ba520eba06 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -1,673 +1,673 @@
 ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
-1.6.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated.
-1.6.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs.
-1.6.0-dev,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer.
-1.6.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event.
-1.6.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent.
-1.6.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent.
-1.6.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
-1.6.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
-1.6.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent.
-1.6.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
-1.6.0-dev,true,client,client.address,keyword,extended,,,Client network address.
-1.6.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.6.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name.
-1.6.0-dev,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.6.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server.
-1.6.0-dev,true,client,client.domain,keyword,core,,,Client domain.
-1.6.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name.
-1.6.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.6.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.6.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name.
-1.6.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.6.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-1.6.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.6.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name.
-1.6.0-dev,true,client,client.ip,ip,core,,,IP address of the client.
-1.6.0-dev,true,client,client.mac,keyword,core,,,MAC address of the client.
-1.6.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address
-1.6.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port
-1.6.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server.
-1.6.0-dev,true,client,client.port,long,core,,,Port of the client.
-1.6.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain."
-1.6.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.6.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.6.0-dev,true,client,client.user.email,keyword,extended,,,User email address.
-1.6.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-1.6.0-dev,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.6.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.6.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.6.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group.
-1.6.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.6.0-dev,true,client,client.user.id,keyword,core,,,Unique identifier of the user.
-1.6.0-dev,true,client,client.user.name,keyword,core,,albert,Short name or login of the user.
-1.6.0-dev,true,client,client.user.name.text,text,core,,albert,Short name or login of the user.
-1.6.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.6.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id.
-1.6.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name.
-1.6.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running.
-1.6.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
-1.6.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine.
-1.6.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
-1.6.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id.
-1.6.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name.
-1.6.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider.
-1.6.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running.
-1.6.0-dev,true,container,container.id,keyword,core,,,Unique container id.
-1.6.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on.
-1.6.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags.
-1.6.0-dev,true,container,container.labels,object,extended,,,Image labels.
-1.6.0-dev,true,container,container.name,keyword,extended,,,Container name.
-1.6.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container.
-1.6.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address.
-1.6.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.6.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name.
-1.6.0-dev,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.6.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source.
-1.6.0-dev,true,destination,destination.domain,keyword,core,,,Destination domain.
-1.6.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name.
-1.6.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.6.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.6.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name.
-1.6.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.6.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-1.6.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.6.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name.
-1.6.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination.
-1.6.0-dev,true,destination,destination.mac,keyword,core,,,MAC address of the destination.
-1.6.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip
-1.6.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port
-1.6.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source.
-1.6.0-dev,true,destination,destination.port,long,core,,,Port of the destination.
-1.6.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain."
-1.6.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.6.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.6.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address.
-1.6.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-1.6.0-dev,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.6.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.6.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.6.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group.
-1.6.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.6.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user.
-1.6.0-dev,true,destination,destination.user.name,keyword,core,,albert,Short name or login of the user.
-1.6.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user.
-1.6.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.6.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-1.6.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-1.6.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-1.6.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-1.6.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.6.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash.
-1.6.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash.
-1.6.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash.
-1.6.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash.
-1.6.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library.
-1.6.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library.
-1.6.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-1.6.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-1.6.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-1.6.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-1.6.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.6.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-1.6.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-1.6.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers.
-1.6.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record.
-1.6.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource.
-1.6.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains.
-1.6.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded.
-1.6.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record.
-1.6.0-dev,true,dns,dns.header_flags,keyword,extended,array,"['RD', 'RA']",Array of DNS header flags.
-1.6.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
-1.6.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message.
-1.6.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried.
-1.6.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried.
-1.6.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain."
-1.6.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain.
-1.6.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.6.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried.
-1.6.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"['10.10.10.10', '10.10.10.11']",Array containing all IPs seen in answers.data
-1.6.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code.
-1.6.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer."
-1.6.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
-1.6.0-dev,true,error,error.code,keyword,core,,,Error code describing the error.
-1.6.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error.
-1.6.0-dev,true,error,error.message,text,core,,,Error message.
-1.6.0-dev,false,error,error.stack_trace,keyword,extended,,,The stack trace of this error in plain text.
-1.6.0-dev,false,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text.
-1.6.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception."
-1.6.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event.
-1.6.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy.
-1.6.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event.
-1.6.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline.
-1.6.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset.
-1.6.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds.
-1.6.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed.
-1.6.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
-1.6.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event.
-1.6.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store.
-1.6.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy.
-1.6.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from.
-1.6.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124; worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event.
-1.6.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy.
-1.6.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event.
-1.6.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source"
-1.6.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL
-1.6.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
-1.6.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100).
-1.6.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event.
-1.6.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event.
-1.6.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed.
-1.6.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone.
-1.6.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy.
-1.6.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL
-1.6.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed.
-1.6.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
-1.6.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-1.6.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-1.6.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-1.6.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-1.6.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.6.0-dev,true,file,file.created,date,extended,,,File creation time.
-1.6.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed.
-1.6.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file.
-1.6.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located.
-1.6.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
-1.6.0-dev,true,file,file.extension,keyword,extended,,png,File extension.
-1.6.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
-1.6.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file.
-1.6.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash.
-1.6.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash.
-1.6.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash.
-1.6.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash.
-1.6.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
-1.6.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
-1.6.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation.
-1.6.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified.
-1.6.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
-1.6.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username.
-1.6.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
-1.6.0-dev,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
-1.6.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-1.6.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-1.6.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-1.6.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-1.6.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.6.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-1.6.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-1.6.0-dev,true,file,file.size,long,extended,,16384,File size in bytes.
-1.6.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks.
-1.6.0-dev,true,file,file.target_path.text,text,extended,,,Target path for symlinks.
-1.6.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
-1.6.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
-1.6.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
-1.6.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
-1.6.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-1.6.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
-1.6.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
-1.6.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
-1.6.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
-1.6.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.6.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
-1.6.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
-1.6.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
-1.6.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-1.6.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
-1.6.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
-1.6.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
-1.6.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
-1.6.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
-1.6.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code
-1.6.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
-1.6.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
-1.6.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
-1.6.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
-1.6.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.6.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format.
-1.6.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.6.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.6.0-dev,true,group,group.name,keyword,extended,,,Name of the group.
-1.6.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture.
-1.6.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of.
-1.6.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name.
-1.6.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.6.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.6.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name.
-1.6.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.6.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-1.6.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.6.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name.
-1.6.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host.
-1.6.0-dev,true,host,host.id,keyword,core,,,Unique host id.
-1.6.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses.
-1.6.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses.
-1.6.0-dev,true,host,host.name,keyword,core,,,Name of the host.
-1.6.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.6.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.6.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.6.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.6.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
-1.6.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
-1.6.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
-1.6.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
-1.6.0-dev,true,host,host.type,keyword,core,,,Type of host.
-1.6.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up.
-1.6.0-dev,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.6.0-dev,true,host,host.user.email,keyword,extended,,,User email address.
-1.6.0-dev,true,host,host.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-1.6.0-dev,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.6.0-dev,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.6.0-dev,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.6.0-dev,true,host,host.user.group.name,keyword,extended,,,Name of the group.
-1.6.0-dev,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.6.0-dev,true,host,host.user.id,keyword,core,,,Unique identifier of the user.
-1.6.0-dev,true,host,host.user.name,keyword,core,,albert,Short name or login of the user.
-1.6.0-dev,true,host,host.user.name.text,text,core,,albert,Short name or login of the user.
-1.6.0-dev,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.6.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body.
-1.6.0-dev,true,http,http.request.body.content,keyword,extended,,Hello world,The full HTTP request body.
-1.6.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body.
-1.6.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers).
-1.6.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method.
-1.6.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request.
-1.6.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body.
-1.6.0-dev,true,http,http.response.body.content,keyword,extended,,Hello world,The full HTTP response body.
-1.6.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body.
-1.6.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers).
-1.6.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code.
-1.6.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version.
-1.6.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from.
-1.6.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event.
-1.6.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger.
-1.6.0-dev,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event.
-1.6.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event.
-1.6.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event.
-1.6.0-dev,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)."
-1.6.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata
-1.6.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event.
-1.6.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event.
-1.6.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event.
-1.6.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event.
-1.6.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event.
-1.6.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name.
-1.6.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions.
-1.6.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports.
-1.6.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic.
-1.6.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy.
-1.6.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number.
-1.6.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information
-1.6.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-1.6.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-1.6.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network.
-1.6.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions.
-1.6.0-dev,true,network,network.protocol,keyword,core,,http,L7 Network protocol name.
-1.6.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`.
-1.6.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc"
-1.6.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-1.6.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-1.6.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information
-1.6.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias
-1.6.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID
-1.6.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name
-1.6.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-1.6.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-1.6.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone
-1.6.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name.
-1.6.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.6.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.6.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name.
-1.6.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.6.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-1.6.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.6.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name.
-1.6.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer.
-1.6.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information
-1.6.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias
-1.6.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID
-1.6.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name
-1.6.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-1.6.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-1.6.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone
-1.6.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer.
-1.6.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer
-1.6.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer.
-1.6.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.6.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.6.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.6.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.6.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
-1.6.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
-1.6.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
-1.6.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
-1.6.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer.
-1.6.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number.
-1.6.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from.
-1.6.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer.
-1.6.0-dev,true,observer,observer.version,keyword,core,,,Observer version.
-1.6.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization.
-1.6.0-dev,true,organization,organization.name,keyword,extended,,,Organization name.
-1.6.0-dev,true,organization,organization.name.text,text,extended,,,Organization name.
-1.6.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture.
-1.6.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information
-1.6.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification.
-1.6.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package.
-1.6.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global."
-1.6.0-dev,true,package,package.installed,date,extended,,,Time when package was installed.
-1.6.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license
-1.6.0-dev,true,package,package.name,keyword,extended,,go,Package name
-1.6.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed.
-1.6.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL
-1.6.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes.
-1.6.0-dev,true,package,package.type,keyword,extended,,rpm,Package type
-1.6.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version
-1.6.0-dev,true,process,process.args,keyword,extended,array,"['/usr/bin/ssh', '-l', 'user', '10.0.0.16']",Array of process arguments.
-1.6.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array.
-1.6.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-1.6.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-1.6.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-1.6.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-1.6.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.6.0-dev,true,process,process.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-1.6.0-dev,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-1.6.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-1.6.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
-1.6.0-dev,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
-1.6.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process.
-1.6.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash.
-1.6.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash.
-1.6.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash.
-1.6.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash.
-1.6.0-dev,true,process,process.name,keyword,extended,,ssh,Process name.
-1.6.0-dev,true,process,process.name.text,text,extended,,ssh,Process name.
-1.6.0-dev,true,process,process.parent.args,keyword,extended,array,"['/usr/bin/ssh', '-l', 'user', '10.0.0.16']",Array of process arguments.
-1.6.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
-1.6.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-1.6.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-1.6.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-1.6.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-1.6.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.6.0-dev,true,process,process.parent.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-1.6.0-dev,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-1.6.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-1.6.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
-1.6.0-dev,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
-1.6.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process.
-1.6.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash.
-1.6.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash.
-1.6.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash.
-1.6.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash.
-1.6.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name.
-1.6.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name.
-1.6.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-1.6.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-1.6.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-1.6.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-1.6.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.6.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-1.6.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-1.6.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
-1.6.0-dev,true,process,process.parent.pid,long,core,,4242,Process id.
-1.6.0-dev,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid.
-1.6.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
-1.6.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID.
-1.6.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name.
-1.6.0-dev,true,process,process.parent.title,keyword,extended,,,Process title.
-1.6.0-dev,true,process,process.parent.title.text,text,extended,,,Process title.
-1.6.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up.
-1.6.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process.
-1.6.0-dev,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process.
-1.6.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-1.6.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-1.6.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-1.6.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-1.6.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.6.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-1.6.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-1.6.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
-1.6.0-dev,true,process,process.pid,long,core,,4242,Process id.
-1.6.0-dev,true,process,process.ppid,long,extended,,4241,Parent process' pid.
-1.6.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
-1.6.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID.
-1.6.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name.
-1.6.0-dev,true,process,process.title,keyword,extended,,,Process title.
-1.6.0-dev,true,process,process.title.text,text,extended,,,Process title.
-1.6.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up.
-1.6.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process.
-1.6.0-dev,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process.
-1.6.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
-1.6.0-dev,true,registry,registry.data.strings,keyword,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
-1.6.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
-1.6.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
-1.6.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
-1.6.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
-1.6.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written.
-1.6.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event.
-1.6.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event.
-1.6.0-dev,true,related,related.user,keyword,extended,array,,All the user names seen on your event.
-1.6.0-dev,true,rule,rule.author,keyword,extended,array,['Star-Lord'],Rule author
-1.6.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category
-1.6.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description
-1.6.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID
-1.6.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license
-1.6.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name
-1.6.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL
-1.6.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset
-1.6.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID
-1.6.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version
-1.6.0-dev,true,server,server.address,keyword,extended,,,Server network address.
-1.6.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.6.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name.
-1.6.0-dev,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.6.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client.
-1.6.0-dev,true,server,server.domain,keyword,core,,,Server domain.
-1.6.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name.
-1.6.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.6.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.6.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name.
-1.6.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.6.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-1.6.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.6.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name.
-1.6.0-dev,true,server,server.ip,ip,core,,,IP address of the server.
-1.6.0-dev,true,server,server.mac,keyword,core,,,MAC address of the server.
-1.6.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip
-1.6.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port
-1.6.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client.
-1.6.0-dev,true,server,server.port,long,core,,,Port of the server.
-1.6.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain."
-1.6.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.6.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.6.0-dev,true,server,server.user.email,keyword,extended,,,User email address.
-1.6.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-1.6.0-dev,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.6.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.6.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.6.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group.
-1.6.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.6.0-dev,true,server,server.user.id,keyword,core,,,Unique identifier of the user.
-1.6.0-dev,true,server,server.user.name,keyword,core,,albert,Short name or login of the user.
-1.6.0-dev,true,server,server.user.name.text,text,core,,albert,Short name or login of the user.
-1.6.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.6.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
-1.6.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
-1.6.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service.
-1.6.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node.
-1.6.0-dev,true,service,service.state,keyword,core,,,Current state of the service.
-1.6.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service.
-1.6.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service.
-1.6.0-dev,true,source,source.address,keyword,extended,,,Source network address.
-1.6.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.6.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name.
-1.6.0-dev,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.6.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination.
-1.6.0-dev,true,source,source.domain,keyword,core,,,Source domain.
-1.6.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name.
-1.6.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.6.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.6.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name.
-1.6.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.6.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-1.6.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.6.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name.
-1.6.0-dev,true,source,source.ip,ip,core,,,IP address of the source.
-1.6.0-dev,true,source,source.mac,keyword,core,,,MAC address of the source.
-1.6.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip
-1.6.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port
-1.6.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination.
-1.6.0-dev,true,source,source.port,long,core,,,Port of the source.
-1.6.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain."
-1.6.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.6.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.6.0-dev,true,source,source.user.email,keyword,extended,,,User email address.
-1.6.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-1.6.0-dev,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.6.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.6.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.6.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group.
-1.6.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.6.0-dev,true,source,source.user.id,keyword,core,,,Unique identifier of the user.
-1.6.0-dev,true,source,source.user.name,keyword,core,,albert,Short name or login of the user.
-1.6.0-dev,true,source,source.user.name.text,text,core,,albert,Short name or login of the user.
-1.6.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.6.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace.
-1.6.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework.
-1.6.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0040,Threat tactic id.
-1.6.0-dev,true,threat,threat.tactic.name,keyword,extended,array,impact,Threat tactic.
-1.6.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0040/,Threat tactic URL reference.
-1.6.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1499,Threat technique id.
-1.6.0-dev,true,threat,threat.technique.name,keyword,extended,array,Endpoint Denial of Service,Threat technique name.
-1.6.0-dev,true,threat,threat.technique.name.text,text,extended,,Endpoint Denial of Service,Threat technique name.
-1.6.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1499/,Threat technique URL reference.
-1.6.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection.
-1.6.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client.
-1.6.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"['MII...', 'MII...']",Array of PEM-encoded certificates that make up the certificate chain offered by the client.
-1.6.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client.
-1.6.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client.
-1.6.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client.
-1.6.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
-1.6.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake.
-1.6.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid.
-1.6.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid.
-1.6.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI.
-1.6.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client.
-1.6.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...']",Array of ciphers offered by the client during the client hello.
-1.6.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
-1.6.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
-1.6.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-1.6.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
-1.6.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
-1.6.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
-1.6.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
-1.6.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.6.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
-1.6.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
-1.6.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
-1.6.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-1.6.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
-1.6.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
-1.6.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
-1.6.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
-1.6.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
-1.6.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code
-1.6.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
-1.6.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
-1.6.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
-1.6.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
-1.6.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.6.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format.
-1.6.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable."
-1.6.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
-1.6.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled.
-1.6.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
-1.6.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server.
-1.6.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"['MII...', 'MII...']",Array of PEM-encoded certificates that make up the certificate chain offered by the server.
-1.6.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server.
-1.6.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server.
-1.6.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server.
-1.6.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server.
-1.6.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake.
-1.6.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid.
-1.6.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid.
-1.6.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server.
-1.6.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
-1.6.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
-1.6.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-1.6.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
-1.6.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
-1.6.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
-1.6.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
-1.6.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.6.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
-1.6.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
-1.6.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
-1.6.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-1.6.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
-1.6.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
-1.6.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
-1.6.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
-1.6.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
-1.6.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code
-1.6.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
-1.6.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
-1.6.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
-1.6.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
-1.6.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.6.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format.
-1.6.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string.
-1.6.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string.
-1.6.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace.
-1.6.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace.
-1.6.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url.
-1.6.0-dev,true,url,url.extension,keyword,extended,,png,File extension from the original request url.
-1.6.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`.
-1.6.0-dev,true,url,url.full,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-1.6.0-dev,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-1.6.0-dev,true,url,url.original,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
-1.6.0-dev,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
-1.6.0-dev,true,url,url.password,keyword,extended,,,Password of the request.
-1.6.0-dev,true,url,url.path,keyword,extended,,,"Path of the request, such as ""/search""."
-1.6.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443."
-1.6.0-dev,true,url,url.query,keyword,extended,,,Query string of the request.
-1.6.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
-1.6.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url.
-1.6.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.6.0-dev,true,url,url.username,keyword,extended,,,Username of the request.
-1.6.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.6.0-dev,true,user,user.email,keyword,extended,,,User email address.
-1.6.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-1.6.0-dev,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.6.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.6.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.6.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group.
-1.6.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.6.0-dev,true,user,user.id,keyword,core,,,Unique identifier of the user.
-1.6.0-dev,true,user,user.name,keyword,core,,albert,Short name or login of the user.
-1.6.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user.
-1.6.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.6.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device.
-1.6.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
-1.6.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
-1.6.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
-1.6.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.6.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.6.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.6.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.6.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
-1.6.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
-1.6.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
-1.6.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
-1.6.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent.
-1.6.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability.
-1.6.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability.
-1.6.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
-1.6.0-dev,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
-1.6.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability.
-1.6.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability.
-1.6.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability.
-1.6.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number.
-1.6.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor.
-1.6.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score.
-1.6.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score.
-1.6.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score.
-1.6.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version.
-1.6.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability.
+1.7.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated.
+1.7.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs.
+1.7.0-dev,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer.
+1.7.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event.
+1.7.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent.
+1.7.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent.
+1.7.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
+1.7.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
+1.7.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent.
+1.7.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
+1.7.0-dev,true,client,client.address,keyword,extended,,,Client network address.
+1.7.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.7.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name.
+1.7.0-dev,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.7.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server.
+1.7.0-dev,true,client,client.domain,keyword,core,,,Client domain.
+1.7.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name.
+1.7.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.7.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.7.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name.
+1.7.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.7.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+1.7.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.7.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name.
+1.7.0-dev,true,client,client.ip,ip,core,,,IP address of the client.
+1.7.0-dev,true,client,client.mac,keyword,core,,,MAC address of the client.
+1.7.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address
+1.7.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port
+1.7.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server.
+1.7.0-dev,true,client,client.port,long,core,,,Port of the client.
+1.7.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain."
+1.7.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.7.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.7.0-dev,true,client,client.user.email,keyword,extended,,,User email address.
+1.7.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.7.0-dev,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.7.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.7.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.7.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group.
+1.7.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.7.0-dev,true,client,client.user.id,keyword,core,,,Unique identifier of the user.
+1.7.0-dev,true,client,client.user.name,keyword,core,,albert,Short name or login of the user.
+1.7.0-dev,true,client,client.user.name.text,text,core,,albert,Short name or login of the user.
+1.7.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.7.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id.
+1.7.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name.
+1.7.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running.
+1.7.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
+1.7.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine.
+1.7.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
+1.7.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id.
+1.7.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name.
+1.7.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider.
+1.7.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running.
+1.7.0-dev,true,container,container.id,keyword,core,,,Unique container id.
+1.7.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on.
+1.7.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags.
+1.7.0-dev,true,container,container.labels,object,extended,,,Image labels.
+1.7.0-dev,true,container,container.name,keyword,extended,,,Container name.
+1.7.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container.
+1.7.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address.
+1.7.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.7.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name.
+1.7.0-dev,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.7.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source.
+1.7.0-dev,true,destination,destination.domain,keyword,core,,,Destination domain.
+1.7.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name.
+1.7.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.7.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.7.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name.
+1.7.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.7.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+1.7.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.7.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name.
+1.7.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination.
+1.7.0-dev,true,destination,destination.mac,keyword,core,,,MAC address of the destination.
+1.7.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip
+1.7.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port
+1.7.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source.
+1.7.0-dev,true,destination,destination.port,long,core,,,Port of the destination.
+1.7.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain."
+1.7.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.7.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.7.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address.
+1.7.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.7.0-dev,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.7.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.7.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.7.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group.
+1.7.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.7.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user.
+1.7.0-dev,true,destination,destination.user.name,keyword,core,,albert,Short name or login of the user.
+1.7.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user.
+1.7.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.7.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.7.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.7.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.7.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.7.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.7.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash.
+1.7.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash.
+1.7.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash.
+1.7.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash.
+1.7.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library.
+1.7.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library.
+1.7.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.7.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.7.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.7.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.7.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.7.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.7.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.7.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers.
+1.7.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record.
+1.7.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource.
+1.7.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains.
+1.7.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded.
+1.7.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record.
+1.7.0-dev,true,dns,dns.header_flags,keyword,extended,array,"['RD', 'RA']",Array of DNS header flags.
+1.7.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
+1.7.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message.
+1.7.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried.
+1.7.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried.
+1.7.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain."
+1.7.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain.
+1.7.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.7.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried.
+1.7.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"['10.10.10.10', '10.10.10.11']",Array containing all IPs seen in answers.data
+1.7.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code.
+1.7.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer."
+1.7.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
+1.7.0-dev,true,error,error.code,keyword,core,,,Error code describing the error.
+1.7.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error.
+1.7.0-dev,true,error,error.message,text,core,,,Error message.
+1.7.0-dev,false,error,error.stack_trace,keyword,extended,,,The stack trace of this error in plain text.
+1.7.0-dev,false,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text.
+1.7.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception."
+1.7.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event.
+1.7.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy.
+1.7.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event.
+1.7.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline.
+1.7.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset.
+1.7.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds.
+1.7.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed.
+1.7.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
+1.7.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event.
+1.7.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store.
+1.7.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy.
+1.7.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from.
+1.7.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124; worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event.
+1.7.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy.
+1.7.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event.
+1.7.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source"
+1.7.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL
+1.7.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
+1.7.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100).
+1.7.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event.
+1.7.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event.
+1.7.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed.
+1.7.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone.
+1.7.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy.
+1.7.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL
+1.7.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed.
+1.7.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
+1.7.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.7.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.7.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.7.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.7.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.7.0-dev,true,file,file.created,date,extended,,,File creation time.
+1.7.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed.
+1.7.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file.
+1.7.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located.
+1.7.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
+1.7.0-dev,true,file,file.extension,keyword,extended,,png,File extension.
+1.7.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
+1.7.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file.
+1.7.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash.
+1.7.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash.
+1.7.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash.
+1.7.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash.
+1.7.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
+1.7.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
+1.7.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation.
+1.7.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified.
+1.7.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
+1.7.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username.
+1.7.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+1.7.0-dev,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+1.7.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.7.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.7.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.7.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.7.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.7.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.7.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.7.0-dev,true,file,file.size,long,extended,,16384,File size in bytes.
+1.7.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks.
+1.7.0-dev,true,file,file.target_path.text,text,extended,,,Target path for symlinks.
+1.7.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
+1.7.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
+1.7.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+1.7.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+1.7.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+1.7.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.7.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+1.7.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+1.7.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+1.7.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.7.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+1.7.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+1.7.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+1.7.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+1.7.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+1.7.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+1.7.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+1.7.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+1.7.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+1.7.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code
+1.7.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.7.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+1.7.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+1.7.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+1.7.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.7.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format.
+1.7.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.7.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.7.0-dev,true,group,group.name,keyword,extended,,,Name of the group.
+1.7.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture.
+1.7.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of.
+1.7.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name.
+1.7.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.7.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.7.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name.
+1.7.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.7.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+1.7.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.7.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name.
+1.7.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host.
+1.7.0-dev,true,host,host.id,keyword,core,,,Unique host id.
+1.7.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses.
+1.7.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses.
+1.7.0-dev,true,host,host.name,keyword,core,,,Name of the host.
+1.7.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+1.7.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.7.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.7.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+1.7.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
+1.7.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
+1.7.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+1.7.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+1.7.0-dev,true,host,host.type,keyword,core,,,Type of host.
+1.7.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up.
+1.7.0-dev,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.7.0-dev,true,host,host.user.email,keyword,extended,,,User email address.
+1.7.0-dev,true,host,host.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.7.0-dev,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.7.0-dev,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.7.0-dev,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.7.0-dev,true,host,host.user.group.name,keyword,extended,,,Name of the group.
+1.7.0-dev,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.7.0-dev,true,host,host.user.id,keyword,core,,,Unique identifier of the user.
+1.7.0-dev,true,host,host.user.name,keyword,core,,albert,Short name or login of the user.
+1.7.0-dev,true,host,host.user.name.text,text,core,,albert,Short name or login of the user.
+1.7.0-dev,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.7.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body.
+1.7.0-dev,true,http,http.request.body.content,keyword,extended,,Hello world,The full HTTP request body.
+1.7.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body.
+1.7.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers).
+1.7.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method.
+1.7.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request.
+1.7.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body.
+1.7.0-dev,true,http,http.response.body.content,keyword,extended,,Hello world,The full HTTP response body.
+1.7.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body.
+1.7.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers).
+1.7.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code.
+1.7.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version.
+1.7.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from.
+1.7.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event.
+1.7.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger.
+1.7.0-dev,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event.
+1.7.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event.
+1.7.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event.
+1.7.0-dev,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)."
+1.7.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata
+1.7.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event.
+1.7.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event.
+1.7.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event.
+1.7.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event.
+1.7.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event.
+1.7.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name.
+1.7.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions.
+1.7.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports.
+1.7.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic.
+1.7.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy.
+1.7.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number.
+1.7.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information
+1.7.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+1.7.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+1.7.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network.
+1.7.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions.
+1.7.0-dev,true,network,network.protocol,keyword,core,,http,L7 Network protocol name.
+1.7.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`.
+1.7.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc"
+1.7.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+1.7.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+1.7.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information
+1.7.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias
+1.7.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID
+1.7.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name
+1.7.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+1.7.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+1.7.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone
+1.7.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name.
+1.7.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.7.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.7.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name.
+1.7.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.7.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+1.7.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.7.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name.
+1.7.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer.
+1.7.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information
+1.7.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias
+1.7.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID
+1.7.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name
+1.7.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+1.7.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+1.7.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone
+1.7.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer.
+1.7.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer
+1.7.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer.
+1.7.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+1.7.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.7.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.7.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+1.7.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
+1.7.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
+1.7.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+1.7.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+1.7.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer.
+1.7.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number.
+1.7.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from.
+1.7.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer.
+1.7.0-dev,true,observer,observer.version,keyword,core,,,Observer version.
+1.7.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization.
+1.7.0-dev,true,organization,organization.name,keyword,extended,,,Organization name.
+1.7.0-dev,true,organization,organization.name.text,text,extended,,,Organization name.
+1.7.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture.
+1.7.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information
+1.7.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification.
+1.7.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package.
+1.7.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global."
+1.7.0-dev,true,package,package.installed,date,extended,,,Time when package was installed.
+1.7.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license
+1.7.0-dev,true,package,package.name,keyword,extended,,go,Package name
+1.7.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed.
+1.7.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL
+1.7.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes.
+1.7.0-dev,true,package,package.type,keyword,extended,,rpm,Package type
+1.7.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version
+1.7.0-dev,true,process,process.args,keyword,extended,array,"['/usr/bin/ssh', '-l', 'user', '10.0.0.16']",Array of process arguments.
+1.7.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array.
+1.7.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.7.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.7.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.7.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.7.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.7.0-dev,true,process,process.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.7.0-dev,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.7.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
+1.7.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.7.0-dev,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.7.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process.
+1.7.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash.
+1.7.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash.
+1.7.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash.
+1.7.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash.
+1.7.0-dev,true,process,process.name,keyword,extended,,ssh,Process name.
+1.7.0-dev,true,process,process.name.text,text,extended,,ssh,Process name.
+1.7.0-dev,true,process,process.parent.args,keyword,extended,array,"['/usr/bin/ssh', '-l', 'user', '10.0.0.16']",Array of process arguments.
+1.7.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
+1.7.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.7.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.7.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.7.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.7.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.7.0-dev,true,process,process.parent.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.7.0-dev,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.7.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
+1.7.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.7.0-dev,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.7.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process.
+1.7.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash.
+1.7.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash.
+1.7.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash.
+1.7.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash.
+1.7.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name.
+1.7.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name.
+1.7.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.7.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.7.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.7.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.7.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.7.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.7.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.7.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
+1.7.0-dev,true,process,process.parent.pid,long,core,,4242,Process id.
+1.7.0-dev,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid.
+1.7.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
+1.7.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID.
+1.7.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name.
+1.7.0-dev,true,process,process.parent.title,keyword,extended,,,Process title.
+1.7.0-dev,true,process,process.parent.title.text,text,extended,,,Process title.
+1.7.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up.
+1.7.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process.
+1.7.0-dev,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process.
+1.7.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.7.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.7.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.7.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.7.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.7.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.7.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.7.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
+1.7.0-dev,true,process,process.pid,long,core,,4242,Process id.
+1.7.0-dev,true,process,process.ppid,long,extended,,4241,Parent process' pid.
+1.7.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
+1.7.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID.
+1.7.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name.
+1.7.0-dev,true,process,process.title,keyword,extended,,,Process title.
+1.7.0-dev,true,process,process.title.text,text,extended,,,Process title.
+1.7.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up.
+1.7.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process.
+1.7.0-dev,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process.
+1.7.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
+1.7.0-dev,true,registry,registry.data.strings,keyword,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
+1.7.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
+1.7.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
+1.7.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
+1.7.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
+1.7.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written.
+1.7.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event.
+1.7.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event.
+1.7.0-dev,true,related,related.user,keyword,extended,array,,All the user names seen on your event.
+1.7.0-dev,true,rule,rule.author,keyword,extended,array,['Star-Lord'],Rule author
+1.7.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category
+1.7.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description
+1.7.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID
+1.7.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license
+1.7.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name
+1.7.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL
+1.7.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset
+1.7.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID
+1.7.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version
+1.7.0-dev,true,server,server.address,keyword,extended,,,Server network address.
+1.7.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.7.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name.
+1.7.0-dev,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.7.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client.
+1.7.0-dev,true,server,server.domain,keyword,core,,,Server domain.
+1.7.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name.
+1.7.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.7.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.7.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name.
+1.7.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.7.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+1.7.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.7.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name.
+1.7.0-dev,true,server,server.ip,ip,core,,,IP address of the server.
+1.7.0-dev,true,server,server.mac,keyword,core,,,MAC address of the server.
+1.7.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip
+1.7.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port
+1.7.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client.
+1.7.0-dev,true,server,server.port,long,core,,,Port of the server.
+1.7.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain."
+1.7.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.7.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.7.0-dev,true,server,server.user.email,keyword,extended,,,User email address.
+1.7.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.7.0-dev,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.7.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.7.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.7.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group.
+1.7.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.7.0-dev,true,server,server.user.id,keyword,core,,,Unique identifier of the user.
+1.7.0-dev,true,server,server.user.name,keyword,core,,albert,Short name or login of the user.
+1.7.0-dev,true,server,server.user.name.text,text,core,,albert,Short name or login of the user.
+1.7.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.7.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
+1.7.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
+1.7.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service.
+1.7.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node.
+1.7.0-dev,true,service,service.state,keyword,core,,,Current state of the service.
+1.7.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service.
+1.7.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service.
+1.7.0-dev,true,source,source.address,keyword,extended,,,Source network address.
+1.7.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.7.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name.
+1.7.0-dev,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.7.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination.
+1.7.0-dev,true,source,source.domain,keyword,core,,,Source domain.
+1.7.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name.
+1.7.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.7.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.7.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name.
+1.7.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.7.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+1.7.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.7.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name.
+1.7.0-dev,true,source,source.ip,ip,core,,,IP address of the source.
+1.7.0-dev,true,source,source.mac,keyword,core,,,MAC address of the source.
+1.7.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip
+1.7.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port
+1.7.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination.
+1.7.0-dev,true,source,source.port,long,core,,,Port of the source.
+1.7.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain."
+1.7.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.7.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.7.0-dev,true,source,source.user.email,keyword,extended,,,User email address.
+1.7.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.7.0-dev,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.7.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.7.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.7.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group.
+1.7.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.7.0-dev,true,source,source.user.id,keyword,core,,,Unique identifier of the user.
+1.7.0-dev,true,source,source.user.name,keyword,core,,albert,Short name or login of the user.
+1.7.0-dev,true,source,source.user.name.text,text,core,,albert,Short name or login of the user.
+1.7.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.7.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace.
+1.7.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework.
+1.7.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0040,Threat tactic id.
+1.7.0-dev,true,threat,threat.tactic.name,keyword,extended,array,impact,Threat tactic.
+1.7.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0040/,Threat tactic URL reference.
+1.7.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1499,Threat technique id.
+1.7.0-dev,true,threat,threat.technique.name,keyword,extended,array,Endpoint Denial of Service,Threat technique name.
+1.7.0-dev,true,threat,threat.technique.name.text,text,extended,,Endpoint Denial of Service,Threat technique name.
+1.7.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1499/,Threat technique URL reference.
+1.7.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection.
+1.7.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client.
+1.7.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"['MII...', 'MII...']",Array of PEM-encoded certificates that make up the certificate chain offered by the client.
+1.7.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client.
+1.7.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client.
+1.7.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client.
+1.7.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
+1.7.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake.
+1.7.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid.
+1.7.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid.
+1.7.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI.
+1.7.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client.
+1.7.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...']",Array of ciphers offered by the client during the client hello.
+1.7.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+1.7.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+1.7.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+1.7.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.7.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+1.7.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+1.7.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+1.7.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.7.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+1.7.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+1.7.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+1.7.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+1.7.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+1.7.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+1.7.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+1.7.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+1.7.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+1.7.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code
+1.7.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.7.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+1.7.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+1.7.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+1.7.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.7.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format.
+1.7.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable."
+1.7.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
+1.7.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled.
+1.7.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
+1.7.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server.
+1.7.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"['MII...', 'MII...']",Array of PEM-encoded certificates that make up the certificate chain offered by the server.
+1.7.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server.
+1.7.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server.
+1.7.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server.
+1.7.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server.
+1.7.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake.
+1.7.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid.
+1.7.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid.
+1.7.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server.
+1.7.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+1.7.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+1.7.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+1.7.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.7.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+1.7.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+1.7.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+1.7.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.7.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+1.7.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+1.7.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+1.7.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+1.7.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+1.7.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+1.7.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+1.7.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+1.7.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+1.7.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code
+1.7.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.7.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+1.7.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+1.7.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+1.7.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.7.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format.
+1.7.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string.
+1.7.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string.
+1.7.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace.
+1.7.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace.
+1.7.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url.
+1.7.0-dev,true,url,url.extension,keyword,extended,,png,File extension from the original request url.
+1.7.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`.
+1.7.0-dev,true,url,url.full,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+1.7.0-dev,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+1.7.0-dev,true,url,url.original,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+1.7.0-dev,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+1.7.0-dev,true,url,url.password,keyword,extended,,,Password of the request.
+1.7.0-dev,true,url,url.path,keyword,extended,,,"Path of the request, such as ""/search""."
+1.7.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443."
+1.7.0-dev,true,url,url.query,keyword,extended,,,Query string of the request.
+1.7.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
+1.7.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url.
+1.7.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.7.0-dev,true,url,url.username,keyword,extended,,,Username of the request.
+1.7.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.7.0-dev,true,user,user.email,keyword,extended,,,User email address.
+1.7.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.7.0-dev,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.7.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.7.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.7.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group.
+1.7.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.7.0-dev,true,user,user.id,keyword,core,,,Unique identifier of the user.
+1.7.0-dev,true,user,user.name,keyword,core,,albert,Short name or login of the user.
+1.7.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user.
+1.7.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.7.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device.
+1.7.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
+1.7.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
+1.7.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
+1.7.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+1.7.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.7.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.7.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+1.7.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
+1.7.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
+1.7.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+1.7.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+1.7.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent.
+1.7.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability.
+1.7.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability.
+1.7.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
+1.7.0-dev,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
+1.7.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability.
+1.7.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability.
+1.7.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability.
+1.7.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number.
+1.7.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor.
+1.7.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score.
+1.7.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score.
+1.7.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score.
+1.7.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version.
+1.7.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability.
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json
index 45973e04e4..4d2f5c6b90 100644
--- a/generated/elasticsearch/6/template.json
+++ b/generated/elasticsearch/6/template.json
@@ -5,7 +5,7 @@
   "mappings": {
     "_doc": {
       "_meta": {
-        "version": "1.6.0-dev"
+        "version": "1.7.0-dev"
       },
       "date_detection": false,
       "dynamic_templates": [
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json
index 35c05f8040..30d15c5720 100644
--- a/generated/elasticsearch/7/template.json
+++ b/generated/elasticsearch/7/template.json
@@ -4,7 +4,7 @@
   ],
   "mappings": {
     "_meta": {
-      "version": "1.6.0-dev"
+      "version": "1.7.0-dev"
     },
     "date_detection": false,
     "dynamic_templates": [
diff --git a/version b/version
index bcfbf475d5..de023c91b1 100644
--- a/version
+++ b/version
@@ -1 +1 @@
-1.6.0-dev
+1.7.0-dev

From 5d134c956e575425d407409c818cab2c025ea49a Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Thu, 13 Aug 2020 14:24:32 -0500
Subject: [PATCH 02/90] [1.x] add related.hosts (#913) (#924)

---
 CHANGELOG.next.md                       |  1 +
 code/go/ecs/related.go                  |  4 ++++
 docs/field-details.asciidoc             | 16 ++++++++++++++++
 generated/beats/fields.ecs.yml          |  7 +++++++
 generated/csv/fields.csv                |  1 +
 generated/ecs/ecs_flat.yml              | 12 ++++++++++++
 generated/ecs/ecs_nested.yml            | 12 ++++++++++++
 generated/elasticsearch/6/template.json |  4 ++++
 generated/elasticsearch/7/template.json |  4 ++++
 schemas/related.yml                     | 10 ++++++++++
 10 files changed, 71 insertions(+)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index ae6e775639..9c0144cd0a 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -27,6 +27,7 @@ Thanks, you're awesome :-) -->
 * Added missing field reuse of `pe` at `process.parent.pe` #868
 * Added `span.id` to the tracing fieldset, for additional log correlation (#882)
 * Added `event.reason` for the reason why an event's outcome or action was taken. #907
+* Added `related.hosts` to capture all hostnames and host identifiers on an event. #913
 
 #### Improvements
 
diff --git a/code/go/ecs/related.go b/code/go/ecs/related.go
index 8facf9bcec..22acb9fee2 100644
--- a/code/go/ecs/related.go
+++ b/code/go/ecs/related.go
@@ -38,4 +38,8 @@ type Related struct {
 	// to search for hashes can help in situations where you're unsure what the
 	// hash algorithm is (and therefore which key name to search).
 	Hash string `ecs:"hash"`
+
+	// All hostnames or other host identifiers seen on your event. Example
+	// identifiers include FQDNs, domain names, workstation names, or aliases.
+	Hosts string `ecs:"hosts"`
 }
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index f9d23b7d47..c0c97dc14e 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -4610,6 +4610,22 @@ Note: this field should contain an array of values.
 
 
 
+| extended
+
+// ===============================================================
+
+| related.hosts
+| All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
+
+type: keyword
+
+
+Note: this field should contain an array of values.
+
+
+
+
+
 | extended
 
 // ===============================================================
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index d3a48009c1..fe2d9bf05c 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -3819,6 +3819,13 @@
         using it to search for hashes can help in situations where you're unsure what
         the hash algorithm is (and therefore which key name to search).
       default_field: false
+    - name: hosts
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: All hostnames or other host identifiers seen on your event. Example
+        identifiers include FQDNs, domain names, workstation names, or aliases.
+      default_field: false
     - name: ip
       level: extended
       type: ip
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index ba520eba06..d8333ba416 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -442,6 +442,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.7.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
 1.7.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written.
 1.7.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event.
+1.7.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event.
 1.7.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event.
 1.7.0-dev,true,related,related.user,keyword,extended,array,,All the user names seen on your event.
 1.7.0-dev,true,rule,rule.author,keyword,extended,array,['Star-Lord'],Rule author
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index 8f8d13078f..bf40d50bbc 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -5717,6 +5717,18 @@ related.hash:
   - array
   short: All the hashes seen on your event.
   type: keyword
+related.hosts:
+  dashed_name: related-hosts
+  description: All hostnames or other host identifiers seen on your event. Example
+    identifiers include FQDNs, domain names, workstation names, or aliases.
+  flat_name: related.hosts
+  ignore_above: 1024
+  level: extended
+  name: hosts
+  normalize:
+  - array
+  short: All the host identifiers seen on your event.
+  type: keyword
 related.ip:
   dashed_name: related-ip
   description: All of the IPs seen on your event.
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index 427dcbbbf7..fe594745d0 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -6807,6 +6807,18 @@ related:
       - array
       short: All the hashes seen on your event.
       type: keyword
+    related.hosts:
+      dashed_name: related-hosts
+      description: All hostnames or other host identifiers seen on your event. Example
+        identifiers include FQDNs, domain names, workstation names, or aliases.
+      flat_name: related.hosts
+      ignore_above: 1024
+      level: extended
+      name: hosts
+      normalize:
+      - array
+      short: All the host identifiers seen on your event.
+      type: keyword
     related.ip:
       dashed_name: related-ip
       description: All of the IPs seen on your event.
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json
index 4d2f5c6b90..dcfc5f0c16 100644
--- a/generated/elasticsearch/6/template.json
+++ b/generated/elasticsearch/6/template.json
@@ -2093,6 +2093,10 @@
               "ignore_above": 1024,
               "type": "keyword"
             },
+            "hosts": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
             "ip": {
               "type": "ip"
             },
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json
index 30d15c5720..4a73281b43 100644
--- a/generated/elasticsearch/7/template.json
+++ b/generated/elasticsearch/7/template.json
@@ -2092,6 +2092,10 @@
             "ignore_above": 1024,
             "type": "keyword"
           },
+          "hosts": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
           "ip": {
             "type": "ip"
           },
diff --git a/schemas/related.yml b/schemas/related.yml
index fd68c8b74f..5e53009475 100644
--- a/schemas/related.yml
+++ b/schemas/related.yml
@@ -43,3 +43,13 @@
         the hash algorithm is (and therefore which key name to search).
       normalize:
         - array
+
+    - name: hosts
+      level: extended
+      type: keyword
+      short: All the host identifiers seen on your event.
+      description: >
+        All hostnames or other host identifiers seen on your event. Example
+        identifiers include FQDNs, domain names, workstation names, or aliases.
+      normalize:
+        - array

From 64ea560801e509d78c1ab1ee6aa6cd68daf69947 Mon Sep 17 00:00:00 2001
From: Mathieu Martin <mathieu.martin@elastic.co>
Date: Tue, 18 Aug 2020 09:56:03 -0400
Subject: [PATCH 03/90] [1.x][DOCS] Fixes SIEM links (#936)

---
 docs/products-solutions.asciidoc    | 6 +++---
 docs/using-getting-started.asciidoc | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/docs/products-solutions.asciidoc b/docs/products-solutions.asciidoc
index 4b0a2cf4ef..a8fca573cd 100644
--- a/docs/products-solutions.asciidoc
+++ b/docs/products-solutions.asciidoc
@@ -5,11 +5,11 @@ The following Elastic products support ECS out of the box, as of version 7.0:
 
 * {beats-ref}/beats-reference.html[{beats}]
 * {apm-get-started-ref}/overview.html[APM]
-* {siem-guide}/siem-overview.html[Elastic SIEM app]
-** {siem-guide}/siem-field-reference.html[SIEM Field Reference Guide] - a list of ECS fields used in the SIEM app
+* {security-guide}/es-overview.html[Elastic Security]
+** {security-guide}/siem-field-reference.html[Elastic Security Field Reference] - a list of ECS fields used in the SIEM app
 * https://www.elastic.co/products/endpoint-security[Elastic Endpoint Security
 Server]
-* {logs-guide}/logs-app-overview.html[Logs app]
+* {logs-guide}/logs-app-overview.html[Logs Monitoring]
 * Log formatters that support ECS out of the box for various languages can be found
   https://github.com/elastic/ecs-logging/blob/master/README.md[here].
 
diff --git a/docs/using-getting-started.asciidoc b/docs/using-getting-started.asciidoc
index 8b71d14126..8e322d7428 100644
--- a/docs/using-getting-started.asciidoc
+++ b/docs/using-getting-started.asciidoc
@@ -285,5 +285,5 @@ Here are some examples of additional fields processed by metadata or parser proc
 We've covered at a high level how to map your events to ECS. Now if you'd like your events to render well in the Elastic
 solutions, check out the reference guides below to learn more about each:
 
-* https://www.elastic.co/guide/en/logs/guide/current/logs-fields-reference.html[Logs UI fields reference]
-* https://www.elastic.co/guide/en/security/master/siem-field-reference.html[Elastic Security fields reference]
+* {logs-guide}/logs-fields-reference.html[Logs Monitoring Field Reference]
+* {security-guide}/siem-field-reference.html[Elastic Security Field Reference]

From ab227b34fe72519519e16e94e8cf5fc10b7be80e Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Thu, 20 Aug 2020 12:54:28 -0500
Subject: [PATCH 04/90] [1.x] Consolidate field-details doc template (#897)
 (#946)

---
 CHANGELOG.next.md                             |   1 +
 docs/field-details.asciidoc                   |   2 +-
 scripts/generators/asciidoc_fields.py         | 270 ++++++------------
 scripts/templates/field_details.j2            | 113 ++++++++
 .../field_details/acceptable_value_names.j2   |   8 -
 .../field_details/field_reuse_section.j2      |   6 -
 .../templates/field_details/nestings_row.j2   |   7 -
 .../field_details/nestings_table_header.j2    |  11 -
 scripts/templates/field_details/row.j2        |  14 -
 .../templates/field_details/table_header.j2   |  14 -
 ...eld_values_template.j2 => field_values.j2} |   0
 .../{fields_template.j2 => fields.j2}         |   0
 scripts/tests/test_asciidoc_fields.py         | 132 +++++++++
 13 files changed, 327 insertions(+), 251 deletions(-)
 create mode 100644 scripts/templates/field_details.j2
 delete mode 100644 scripts/templates/field_details/acceptable_value_names.j2
 delete mode 100644 scripts/templates/field_details/field_reuse_section.j2
 delete mode 100644 scripts/templates/field_details/nestings_row.j2
 delete mode 100644 scripts/templates/field_details/nestings_table_header.j2
 delete mode 100644 scripts/templates/field_details/row.j2
 delete mode 100644 scripts/templates/field_details/table_header.j2
 rename scripts/templates/{field_values_template.j2 => field_values.j2} (100%)
 rename scripts/templates/{fields_template.j2 => fields.j2} (100%)
 create mode 100644 scripts/tests/test_asciidoc_fields.py

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 9c0144cd0a..30bf294951 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -104,6 +104,7 @@ Thanks, you're awesome :-) -->
 * Jinja2 templates now define the doc structure for the AsciiDoc generator. #865
 * Intermediate `ecs_flat.yml` and `ecs_nested.yml` files are now generated for each individual subset,
   in addition to the intermediate files generated for the combined subset. #873
+* Field details Jinja2 template components have been consolidated into one template #897
 
 #### Deprecated
 
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index c0c97dc14e..d6f3236892 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -1,4 +1,3 @@
-
 [[ecs-base]]
 === Base Fields
 
@@ -7085,3 +7084,4 @@ Note also that the `x509` fields are not expected to be used directly at the roo
 
 
 
+
diff --git a/scripts/generators/asciidoc_fields.py b/scripts/generators/asciidoc_fields.py
index c25d7b8162..2aa6f4a8cd 100644
--- a/scripts/generators/asciidoc_fields.py
+++ b/scripts/generators/asciidoc_fields.py
@@ -5,11 +5,6 @@
 
 from generators import ecs_helpers
 
-# jinja2 setup
-TEMPLATE_DIR = path.join(path.dirname(path.abspath(__file__)), '../templates')
-template_loader = jinja2.FileSystemLoader(searchpath=TEMPLATE_DIR)
-template_env = jinja2.Environment(loader=template_loader)
-
 
 def generate(nested, ecs_version, out_dir):
     save_asciidoc(path.join(out_dir, 'fields.asciidoc'), page_field_index(nested, ecs_version))
@@ -19,6 +14,64 @@ def generate(nested, ecs_version, out_dir):
 # Helpers
 
 
+def render_fieldset_reuse_text(fieldset):
+    """Renders the expected nesting locations
+       if the the `reusable` object is present.
+
+    :param fieldset: The fieldset to evaluate
+    """
+    if not fieldset.get('reusable'):
+        return None
+    reusable_fields = fieldset['reusable']['expected']
+    sorted_fields = sorted(reusable_fields, key=lambda k: k['full'])
+    return map(lambda f: f['full'], sorted_fields)
+
+
+def render_nestings_reuse_section(fieldset):
+    """Renders the reuse section entries.
+
+    :param fieldset: The target fieldset
+    """
+    if not fieldset.get('reused_here'):
+        return None
+    rows = []
+    for reused_here_entry in fieldset['reused_here']:
+        rows.append({
+            'flat_nesting': "{}.*".format(reused_here_entry['full']),
+            'name': reused_here_entry['schema_name'],
+            'short': reused_here_entry['short']
+        })
+
+    return sorted(rows, key=lambda x: x['flat_nesting'])
+
+
+def extract_allowed_values_key_names(field):
+    """Extracts the `name` keys from the field's
+       allowed_values if present in the field
+       object.
+
+    :param field: The target field
+    """
+    if not field.get('allowed_values'):
+        return []
+    return ecs_helpers.list_extract_keys(field['allowed_values'], 'name')
+
+
+def sort_fields(fieldset):
+    """Prepares a fieldset's fields for being
+    passed into the j2 template for rendering. This
+    includes sorting them into a list of objects and
+    adding a field for the names of any allowed values
+    for the field, if present.
+
+    :param fieldset: The target fieldset
+    """
+    fields_list = list(fieldset['fields'].values())
+    for field in fields_list:
+        field['allowed_value_names'] = extract_allowed_values_key_names(field)
+    return sorted(fields_list, key=lambda field: field['name'])
+
+
 def templated(template_name):
     """Decorator function to simplify rendering a template.
 
@@ -53,12 +106,19 @@ def save_asciidoc(f, text):
     with open(f, "w") as outfile:
         outfile.write(text)
 
+# jinja2 setup
+
+
+TEMPLATE_DIR = path.join(path.dirname(path.abspath(__file__)), '../templates')
+template_loader = jinja2.FileSystemLoader(searchpath=TEMPLATE_DIR)
+template_env = jinja2.Environment(loader=template_loader)
 
 # Rendering schemas
 
 # Field Index
 
-@templated('fields_template.j2')
+
+@templated('fields.j2')
 def page_field_index(nested, ecs_version):
     fieldsets = ecs_helpers.dict_sorted_by_keys(nested, ['group', 'name'])
     return dict(ecs_version=ecs_version, fieldsets=fieldsets)
@@ -66,197 +126,27 @@ def page_field_index(nested, ecs_version):
 
 # Field Details Page
 
-
 def page_field_details(nested):
-    page_text = ''
-    for fieldset in ecs_helpers.dict_sorted_by_keys(nested, ['group', 'name']):
-        page_text += render_fieldset(fieldset, nested)
-    return page_text
-
-
-def render_fieldset(fieldset, nested):
-    text = field_details_table_header(
-        title=fieldset['title'],
-        name=fieldset['name'],
-        description=fieldset['description']
-    )
-
-    text += render_fields(fieldset['fields'])
-
-    text += table_footer()
-
-    text += render_fieldset_reuse_section(fieldset, nested)
-
-    return text
-
-
-def render_fields(fields):
-    text = ''
-    for _, field in sorted(fields.items()):
-        # Skip fields nested in this field set
-        if 'original_fieldset' not in field:
-            text += render_field_details_row(field)
-    return text
-
-
-def render_field_allowed_values(field):
-    if not 'allowed_values' in field:
-        return ''
-    allowed_values = ', '.join(ecs_helpers.list_extract_keys(field['allowed_values'], 'name'))
-
-    return field_acceptable_value_names(
-        allowed_values=allowed_values,
-        flat_name=field['flat_name'],
-        dashed_name=field['dashed_name']
-    )
-
-
-def render_field_details_row(field):
-    example = ''
-    if 'allowed_values' in field:
-        example = render_field_allowed_values(field)
-    elif 'example' in field:
-        example = "example: `{}`".format(str(field['example']))
-
-    field_type_with_mf = field['type']
-    if 'multi_fields' in field:
-        field_type_with_mf += "\n\nMulti-fields:\n\n"
-        for mf in field['multi_fields']:
-            field_type_with_mf += "* {} (type: {})\n\n".format(mf['flat_name'], mf['type'])
-
-    field_normalization = ''
-    if 'array' in field['normalize']:
-        field_normalization = "\nNote: this field should contain an array of values.\n\n"
-
-    text = field_details_row(
-        flat_name=field['flat_name'],
-        description=field['description'],
-        field_type=field_type_with_mf,
-        example=example,
-        normalization=field_normalization,
-        level=field['level']
-    )
-
-    return text
-
-
-def render_fieldset_reuse_section(fieldset, nested):
-    '''Render the section on where field set can be nested, and which field sets can be nested here'''
-    if not ('nestings' in fieldset or 'reusable' in fieldset):
-        return ''
-
-    text = field_reuse_section(
-        reuse_of_fieldset=render_fieldset_reuses_text(fieldset)
-    )
-
-    if 'nestings' in fieldset:
-        text += nestings_table_header(
-            name=fieldset['name'],
-            title=fieldset['title']
-        )
-        rows = []
-        for reused_here_entry in fieldset['reused_here']:
-            rows.append({
-                'flat_nesting': "{}.*".format(reused_here_entry['full']),
-                'name': reused_here_entry['schema_name'],
-                'short': reused_here_entry['short']
-            })
-
-        for row in sorted(rows, key=lambda x: x['flat_nesting']):
-            text += nestings_row(
-                nesting_name=row['name'],
-                flat_nesting=row['flat_nesting'],
-                nesting_short=row['short']
-            )
-
-        text += table_footer()
-    return text
-
-
-def render_fieldset_reuses_text(fieldset):
-    '''Render where a given field set is expected to be reused'''
-    if 'reusable' not in fieldset:
-        return ''
-
-    section_name = fieldset['name']
-    sorted_fields = sorted(fieldset['reusable']['expected'], key=lambda k: k['full'])
-    rendered_fields = map(lambda f: "`{}`".format(f['full']), sorted_fields)
-    text = "The `{}` fields are expected to be nested at: {}.\n\n".format(
-        section_name, ', '.join(rendered_fields))
-
-    if 'top_level' in fieldset['reusable'] and fieldset['reusable']['top_level']:
-        template = "Note also that the `{}` fields may be used directly at the root of the events.\n\n"
-    else:
-        template = "Note also that the `{}` fields are not expected to " + \
-            "be used directly at the root of the events.\n\n"
-    text += template.format(section_name)
-    return text
-
-
-# Templates
-
-def table_footer():
-    return '''
-|=====
-'''
-
-# Field Details Page
-
-# Main Fields Table
-
-
-@templated('field_details/table_header.j2')
-def field_details_table_header(title, name, description):
-    return dict(name=name, title=title, description=description)
-
-
-@templated('field_details/row.j2')
-def field_details_row(flat_name, description, field_type, normalization, example, level):
-    return dict(
-        flat_name=flat_name,
-        description=description,
-        field_type=field_type,
-        normalization=normalization,
-        example=example,
-        level=level
-    )
-
-
-@templated('field_details/acceptable_value_names.j2')
-def field_acceptable_value_names(allowed_values, dashed_name, flat_name):
-    return dict(
-        allowed_values=allowed_values,
-        dashed_name=dashed_name,
-        flat_name=flat_name
-    )
-
-
-# Field reuse
-
-@templated('field_details/field_reuse_section.j2')
-def field_reuse_section(reuse_of_fieldset):
-    return dict(reuse_of_fieldset=reuse_of_fieldset)
-
-
-# Nestings table
-
-@templated('field_details/nestings_table_header.j2')
-def nestings_table_header(name, title):
-    return dict(name=name, title=title)
+    fieldsets = ecs_helpers.dict_sorted_by_keys(nested, ['group', 'name'])
+    results = (generate_field_details_page(fieldset) for fieldset in fieldsets)
+    return ''.join(results)
 
 
-@templated('field_details/nestings_row.j2')
-def nestings_row(nesting_name, flat_nesting, nesting_short):
-    return dict(
-        nesting_name=nesting_name,
-        flat_nesting=flat_nesting,
-        nesting_short=nesting_short
-    )
+@templated('field_details.j2')
+def generate_field_details_page(fieldset):
+    # render field reuse text section
+    sorted_reuse_fields = render_fieldset_reuse_text(fieldset)
+    render_nestings_reuse_fields = render_nestings_reuse_section(fieldset)
+    sorted_fields = sort_fields(fieldset)
+    return dict(fieldset=fieldset,
+                sorted_reuse_fields=sorted_reuse_fields,
+                render_nestings_reuse_section=render_nestings_reuse_fields,
+                sorted_fields=sorted_fields)
 
 
 # Allowed values section
 
-@templated('field_values_template.j2')
+@templated('field_values.j2')
 def page_field_values(nested, template_name='field_values_template.j2'):
     category_fields = ['event.kind', 'event.category', 'event.type', 'event.outcome']
     nested_fields = []
diff --git a/scripts/templates/field_details.j2 b/scripts/templates/field_details.j2
new file mode 100644
index 0000000000..0b1bb6e224
--- /dev/null
+++ b/scripts/templates/field_details.j2
@@ -0,0 +1,113 @@
+{# Title & Description -#}
+[[ecs-{{ fieldset['name'] }}]]
+=== {{ fieldset['title'] }} Fields
+
+{{ fieldset['description']|replace("\n", "\n\n") }}
+
+{# Field Details Table Header -#}
+==== {{ fieldset['title'] }} Field Details
+
+[options="header"]
+|=====
+| Field  | Description | Level
+
+// ===============================================================
+
+{# Iterate through each field in the set -#}
+{% for field in sorted_fields -%}
+{% if 'original_fieldset' not in field -%}
+
+{# `Field` column -#}
+| {{ field['flat_name'] }}
+{# `Description` column -#}
+| {{ field['description']|replace("\n", "\n\n") }}
+
+type: {{ field['type'] }}
+
+{% if 'multi_fields' in field -%}
+
+Multi-fields:
+
+{% for mf in field['multi_fields'] -%}
+
+* {{ mf['flat_name'] }} (type: {{ mf ['type'] }})
+
+
+{% endfor %}{# for mf #}
+{% endif %}{# if 'multi_fields' #}
+{% if 'array' in field['normalize'] -%}
+
+Note: this field should contain an array of values.
+
+
+{% endif %}
+{% if 'allowed_values' in field %}
+*Important*: The field value must be one of the following:
+
+{{ field['allowed_value_names']|join(', ') }}
+
+To learn more about when to use which value, visit the page
+<<ecs-allowed-values-{{ field['dashed_name'] }},allowed values for {{ field['flat_name'] }}>>
+{% elif 'example' in field -%}
+
+example: `{{ field['example'] }}`
+
+{%- endif %}{# if 'allowed_values' elif 'example' #}
+
+{# `Level` column -#}
+| {{ field['level'] }}
+
+// ===============================================================
+
+{% endif %}{# if 'original_fieldset' -#}
+{% endfor %}{# for 'field' -#}
+
+|=====
+
+{# do we have `nestings` or `reusable` sections to worry about? -#}
+{% if 'nestings' in fieldset or 'reusable' in fieldset -%}
+
+==== Field Reuse
+
+{% if 'reusable' in fieldset -%}
+
+The `{{ fieldset['name'] }}` fields are expected to be nested at: `{{ sorted_reuse_fields|join("`, `") }}`.
+
+{% if 'top_level' in fieldset['reusable'] and fieldset['reusable']['top_level'] -%}
+
+Note also that the `{{ fieldset['name'] }}` fields may be used directly at the root of the events.
+
+{% else -%}
+
+Note also that the `{{ fieldset['name'] }}` fields are not expected to be used directly at the root of the events.
+
+{% endif %}{# if 'top_level' -#}
+{% endif %}{# if 'reusable' #}
+
+
+{% if 'nestings' in fieldset -%}
+
+[[ecs-{{ fieldset['name'] }}-nestings]]
+===== Field sets that can be nested under {{ fieldset['title'] }}
+
+[options="header"]
+|=====
+| Nested fields | Description
+
+// ===============================================================
+
+
+{% for entry in render_nestings_reuse_section -%}
+
+| <<ecs-{{ entry['name'] }},{{ entry['flat_nesting'] }}>>
+| {{ entry['short'] }}
+
+// ===============================================================
+
+
+{% endfor -%}
+
+|=====
+
+{% endif %}{# if 'nestings' #}
+{%- endif %}{# if 'nestings' or 'reusable' in fieldset #}
diff --git a/scripts/templates/field_details/acceptable_value_names.j2 b/scripts/templates/field_details/acceptable_value_names.j2
deleted file mode 100644
index 6080445742..0000000000
--- a/scripts/templates/field_details/acceptable_value_names.j2
+++ /dev/null
@@ -1,8 +0,0 @@
-
-*Important*: The field value must be one of the following:
-
-{{ allowed_values }}
-
-To learn more about when to use which value, visit the page
-<<ecs-allowed-values-{{ dashed_name }},allowed values for {{ flat_name }}>>
-
diff --git a/scripts/templates/field_details/field_reuse_section.j2 b/scripts/templates/field_details/field_reuse_section.j2
deleted file mode 100644
index 37aa7ded45..0000000000
--- a/scripts/templates/field_details/field_reuse_section.j2
+++ /dev/null
@@ -1,6 +0,0 @@
-
-==== Field Reuse
-
-{{ reuse_of_fieldset }}
-
-
diff --git a/scripts/templates/field_details/nestings_row.j2 b/scripts/templates/field_details/nestings_row.j2
deleted file mode 100644
index 826af848bb..0000000000
--- a/scripts/templates/field_details/nestings_row.j2
+++ /dev/null
@@ -1,7 +0,0 @@
-
-| <<ecs-{{ nesting_name }},{{ flat_nesting }}>>
-| {{ nesting_short }}
-
-// ===============================================================
-
-
diff --git a/scripts/templates/field_details/nestings_table_header.j2 b/scripts/templates/field_details/nestings_table_header.j2
deleted file mode 100644
index 2ef25791d9..0000000000
--- a/scripts/templates/field_details/nestings_table_header.j2
+++ /dev/null
@@ -1,11 +0,0 @@
-
-[[ecs-{{ name }}-nestings]]
-===== Field sets that can be nested under {{ title }}
-
-[options="header"]
-|=====
-| Nested fields | Description
-
-// ===============================================================
-
-
diff --git a/scripts/templates/field_details/row.j2 b/scripts/templates/field_details/row.j2
deleted file mode 100644
index 90e2c8877f..0000000000
--- a/scripts/templates/field_details/row.j2
+++ /dev/null
@@ -1,14 +0,0 @@
-
-| {{ flat_name }}
-| {{ description|replace("\n", "\n\n") }}
-
-type: {{ field_type }}
-
-{{ normalization }}
-
-{{ example }}
-
-| {{ level }}
-
-// ===============================================================
-
diff --git a/scripts/templates/field_details/table_header.j2 b/scripts/templates/field_details/table_header.j2
deleted file mode 100644
index 4496e8e768..0000000000
--- a/scripts/templates/field_details/table_header.j2
+++ /dev/null
@@ -1,14 +0,0 @@
-
-[[ecs-{{ name }}]]
-=== {{ title }} Fields
-
-{{ description|replace("\n", "\n\n") }}
-
-==== {{ title }} Field Details
-
-[options="header"]
-|=====
-| Field  | Description | Level
-
-// ===============================================================
-
diff --git a/scripts/templates/field_values_template.j2 b/scripts/templates/field_values.j2
similarity index 100%
rename from scripts/templates/field_values_template.j2
rename to scripts/templates/field_values.j2
diff --git a/scripts/templates/fields_template.j2 b/scripts/templates/fields.j2
similarity index 100%
rename from scripts/templates/fields_template.j2
rename to scripts/templates/fields.j2
diff --git a/scripts/tests/test_asciidoc_fields.py b/scripts/tests/test_asciidoc_fields.py
new file mode 100644
index 0000000000..1a099a9958
--- /dev/null
+++ b/scripts/tests/test_asciidoc_fields.py
@@ -0,0 +1,132 @@
+import os
+import sys
+import unittest
+
+sys.path.append(os.path.join(os.path.dirname(__file__), '..'))
+
+from scripts.generators import asciidoc_fields
+from scripts.generators import intermediate_files
+from scripts.schema import cleaner
+from scripts.schema import loader
+from scripts.schema import finalizer
+
+
+class TestGeneratorsAsciiFields(unittest.TestCase):
+
+    def setUp(self):
+        self.foo_fieldset = self.dummy_fieldset()
+
+    def dummy_fieldset(self):
+        return {
+            'description': 'foo',
+            'fields': {
+                'foo.type': {
+                    'dashed_name': 'foo-type',
+                    'description': 'describes the foo',
+                    'example': '2016-05-23T08:05:34.853Z',
+                    'flat_name': 'foo.type',
+                    'level': 'core',
+                    'name': 'type',
+                    'normalize': ['array'],
+                    'short': 'describes the foo',
+                    'ignore_above': 1024,
+                    'type': 'keyword',
+                    'allowed_values': [{
+                        'description': 'fluffy foo',
+                        'name': 'fluffy',
+                    },
+                        {
+                        'description': 'coarse foo',
+                        'name': 'coarse',
+                    }
+                    ]
+                },
+                'foo.id': {
+                    'dashed_name': 'foo-id',
+                    'description': 'Unique ID of the foo.',
+                    'example': 'foo123',
+                    'flat_name': 'foo.id',
+                    'ignore_above': 1024,
+                    'level': 'core',
+                    'name': 'id',
+                    'normalize': [],
+                    'short': 'Unique ID of the foo.',
+                    'type': 'keyword'
+                }
+            },
+            'reusable': {
+                'expected': [
+                    {
+                        'as': 'foo',
+                        'at': 'server',
+                        'full': 'server.foo'
+                    },
+                    {
+                        'as': 'foo',
+                        'at': 'source',
+                        'full': 'source.foo'
+                    },
+                    {
+                        'as': 'foo',
+                        'at': 'client',
+                        'full': 'client.foo',
+                    },
+                    {
+                        'as': 'foo',
+                        'at': 'destination',
+                        'full': 'destination.foo'
+                    }
+                ],
+                'top_level': False,
+            },
+            'reused_here': [
+                {
+                    'full': 'foo.as',
+                    'schema_name': 'as',
+                    'short': 'Fields describing an AS'
+                }
+            ],
+            'group': 2,
+            'name': 'foo',
+            'prefix': 'foo.',
+            'short': 'Foo fields',
+            'title': 'Foo',
+            'type': 'group'
+        }
+
+    def test_validate_sort_fieldset(self):
+        sorted_foo_fields = asciidoc_fields.sort_fields(self.foo_fieldset)
+        #import pdb;pdb.set_trace()
+        self.assertIsInstance(sorted_foo_fields, list)
+
+        # `allowed_value_names` always present
+        for field in sorted_foo_fields:
+            self.assertIsInstance(field.get('allowed_value_names'), list)
+
+        self.assertFalse(sorted_foo_fields[0]['allowed_value_names'])
+        self.assertEqual('id', sorted_foo_fields[0]['name'])
+        self.assertEqual('type', sorted_foo_fields[1]['name'])
+        self.assertIn('fluffy', sorted_foo_fields[1]['allowed_value_names'])
+        self.assertIn('coarse', sorted_foo_fields[1]['allowed_value_names'])
+
+    def test_rendering_fieldset_reuse(self):
+        foo_reuse_fields = asciidoc_fields.render_fieldset_reuse_text(self.foo_fieldset)
+        expected_sorted_reuse_fields = (
+            'client.foo',
+            'destination.foo',
+            'server.foo',
+            'source.foo'
+        )
+
+        self.assertEqual(expected_sorted_reuse_fields, tuple(foo_reuse_fields))
+
+    def test_rendering_fieldset_nesting(self):
+        foo_nesting_fields = asciidoc_fields.render_nestings_reuse_section(self.foo_fieldset)
+        self.assertIsInstance(foo_nesting_fields, list)
+        self.assertEqual('foo.as.*', foo_nesting_fields[0]['flat_nesting'])
+        self.assertEqual('as', foo_nesting_fields[0]['name'])
+        self.assertEqual('Fields describing an AS', foo_nesting_fields[0]['short'])
+
+
+if __name__ == '__main__':
+    unittest.main()

From e106899932c7ead39b46c2d9b4cca82144ec766f Mon Sep 17 00:00:00 2001
From: Mathieu Martin <mathieu.martin@elastic.co>
Date: Mon, 24 Aug 2020 08:19:13 -0400
Subject: [PATCH 05/90] Add http.[request|response].mime_type (#944) (#949)

---
 CHANGELOG.next.md                       |  1 +
 code/go/ecs/http.go                     | 14 +++++++++++
 docs/field-details.asciidoc             | 30 +++++++++++++++++++++++
 generated/beats/fields.ecs.yml          | 24 +++++++++++++++++++
 generated/csv/fields.csv                |  2 ++
 generated/ecs/ecs_flat.yml              | 30 +++++++++++++++++++++++
 generated/ecs/ecs_nested.yml            | 32 +++++++++++++++++++++++++
 generated/elasticsearch/6/template.json |  8 +++++++
 generated/elasticsearch/7/template.json |  8 +++++++
 schemas/http.yml                        | 28 ++++++++++++++++++++++
 10 files changed, 177 insertions(+)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 30bf294951..a3e479ca12 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -28,6 +28,7 @@ Thanks, you're awesome :-) -->
 * Added `span.id` to the tracing fieldset, for additional log correlation (#882)
 * Added `event.reason` for the reason why an event's outcome or action was taken. #907
 * Added `related.hosts` to capture all hostnames and host identifiers on an event. #913
+* Added Mime Type fields to HTTP request and response. #944
 
 #### Improvements
 
diff --git a/code/go/ecs/http.go b/code/go/ecs/http.go
index 678df098b9..9abb112274 100644
--- a/code/go/ecs/http.go
+++ b/code/go/ecs/http.go
@@ -30,6 +30,13 @@ type Http struct {
 	// mandated in ECS 2.0.0
 	RequestMethod string `ecs:"request.method"`
 
+	// Mime type of the body of the request.
+	// This value must only be populated based on the content of the request
+	// body, not on the `Content-Type` header. Comparing the mime type of a
+	// request with the request's Content-Type header can be helpful in
+	// detecting threats or misconfigured clients.
+	RequestMimeType string `ecs:"request.mime_type"`
+
 	// The full HTTP request body.
 	RequestBodyContent string `ecs:"request.body.content"`
 
@@ -39,6 +46,13 @@ type Http struct {
 	// HTTP response status code.
 	ResponseStatusCode int64 `ecs:"response.status_code"`
 
+	// Mime type of the body of the response.
+	// This value must only be populated based on the content of the response
+	// body, not on the `Content-Type` header. Comparing the mime type of a
+	// response with the response's Content-Type header can be helpful in
+	// detecting misconfigured servers.
+	ResponseMimeType string `ecs:"response.mime_type"`
+
 	// The full HTTP response body.
 	ResponseBodyContent string `ecs:"response.body.content"`
 
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index d6f3236892..3e38c16c45 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -2836,6 +2836,21 @@ example: `GET, POST, PUT, PoST`
 
 // ===============================================================
 
+| http.request.mime_type
+| Mime type of the body of the request.
+
+This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients.
+
+type: keyword
+
+
+
+example: `image/gif`
+
+| extended
+
+// ===============================================================
+
 | http.request.referrer
 | Referrer for this HTTP request.
 
@@ -2894,6 +2909,21 @@ example: `1437`
 
 // ===============================================================
 
+| http.response.mime_type
+| Mime type of the body of the response.
+
+This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers.
+
+type: keyword
+
+
+
+example: `image/gif`
+
+| extended
+
+// ===============================================================
+
 | http.response.status_code
 | HTTP response status code.
 
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index fe2d9bf05c..28c195fff2 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -2317,6 +2317,18 @@
         method may be useful in anomaly detection.  Original case will be mandated
         in ECS 2.0.0'
       example: GET, POST, PUT, PoST
+    - name: request.mime_type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Mime type of the body of the request.
+
+        This value must only be populated based on the content of the request body,
+        not on the `Content-Type` header. Comparing the mime type of a request with
+        the request''s Content-Type header can be helpful in detecting threats or
+        misconfigured clients.'
+      example: image/gif
+      default_field: false
     - name: request.referrer
       level: extended
       type: keyword
@@ -2346,6 +2358,18 @@
       format: bytes
       description: Total size in bytes of the response (body and headers).
       example: 1437
+    - name: response.mime_type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Mime type of the body of the response.
+
+        This value must only be populated based on the content of the response body,
+        not on the `Content-Type` header. Comparing the mime type of a response with
+        the response''s Content-Type header can be helpful in detecting misconfigured
+        servers.'
+      example: image/gif
+      default_field: false
     - name: response.status_code
       level: extended
       type: long
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index d8333ba416..9487929101 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -269,11 +269,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.7.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body.
 1.7.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers).
 1.7.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method.
+1.7.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request.
 1.7.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request.
 1.7.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body.
 1.7.0-dev,true,http,http.response.body.content,keyword,extended,,Hello world,The full HTTP response body.
 1.7.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body.
 1.7.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers).
+1.7.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response.
 1.7.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code.
 1.7.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version.
 1.7.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from.
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index bf40d50bbc..f8110a362b 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -3617,6 +3617,21 @@ http.request.method:
   normalize: []
   short: HTTP request method.
   type: keyword
+http.request.mime_type:
+  dashed_name: http-request-mime-type
+  description: 'Mime type of the body of the request.
+
+    This value must only be populated based on the content of the request body, not
+    on the `Content-Type` header. Comparing the mime type of a request with the request''s
+    Content-Type header can be helpful in detecting threats or misconfigured clients.'
+  example: image/gif
+  flat_name: http.request.mime_type
+  ignore_above: 1024
+  level: extended
+  name: request.mime_type
+  normalize: []
+  short: Mime type of the body of the request.
+  type: keyword
 http.request.referrer:
   dashed_name: http-request-referrer
   description: Referrer for this HTTP request.
@@ -3666,6 +3681,21 @@ http.response.bytes:
   normalize: []
   short: Total size in bytes of the response (body and headers).
   type: long
+http.response.mime_type:
+  dashed_name: http-response-mime-type
+  description: 'Mime type of the body of the response.
+
+    This value must only be populated based on the content of the response body, not
+    on the `Content-Type` header. Comparing the mime type of a response with the response''s
+    Content-Type header can be helpful in detecting misconfigured servers.'
+  example: image/gif
+  flat_name: http.response.mime_type
+  ignore_above: 1024
+  level: extended
+  name: response.mime_type
+  normalize: []
+  short: Mime type of the body of the response.
+  type: keyword
 http.response.status_code:
   dashed_name: http-response-status-code
   description: HTTP response status code.
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index fe594745d0..13b273fcfb 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -4302,6 +4302,22 @@ http:
       normalize: []
       short: HTTP request method.
       type: keyword
+    http.request.mime_type:
+      dashed_name: http-request-mime-type
+      description: 'Mime type of the body of the request.
+
+        This value must only be populated based on the content of the request body,
+        not on the `Content-Type` header. Comparing the mime type of a request with
+        the request''s Content-Type header can be helpful in detecting threats or
+        misconfigured clients.'
+      example: image/gif
+      flat_name: http.request.mime_type
+      ignore_above: 1024
+      level: extended
+      name: request.mime_type
+      normalize: []
+      short: Mime type of the body of the request.
+      type: keyword
     http.request.referrer:
       dashed_name: http-request-referrer
       description: Referrer for this HTTP request.
@@ -4351,6 +4367,22 @@ http:
       normalize: []
       short: Total size in bytes of the response (body and headers).
       type: long
+    http.response.mime_type:
+      dashed_name: http-response-mime-type
+      description: 'Mime type of the body of the response.
+
+        This value must only be populated based on the content of the response body,
+        not on the `Content-Type` header. Comparing the mime type of a response with
+        the response''s Content-Type header can be helpful in detecting misconfigured
+        servers.'
+      example: image/gif
+      flat_name: http.response.mime_type
+      ignore_above: 1024
+      level: extended
+      name: response.mime_type
+      normalize: []
+      short: Mime type of the body of the response.
+      type: keyword
     http.response.status_code:
       dashed_name: http-response-status-code
       description: HTTP response status code.
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json
index dcfc5f0c16..6f98745d9b 100644
--- a/generated/elasticsearch/6/template.json
+++ b/generated/elasticsearch/6/template.json
@@ -1262,6 +1262,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "mime_type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "referrer": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -1290,6 +1294,10 @@
                 "bytes": {
                   "type": "long"
                 },
+                "mime_type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "status_code": {
                   "type": "long"
                 }
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json
index 4a73281b43..177889f92d 100644
--- a/generated/elasticsearch/7/template.json
+++ b/generated/elasticsearch/7/template.json
@@ -1261,6 +1261,10 @@
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "mime_type": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "referrer": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -1289,6 +1293,10 @@
               "bytes": {
                 "type": "long"
               },
+              "mime_type": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "status_code": {
                 "type": "long"
               }
diff --git a/schemas/http.yml b/schemas/http.yml
index efeae921b3..9002408cab 100644
--- a/schemas/http.yml
+++ b/schemas/http.yml
@@ -26,6 +26,20 @@
 
       example: GET, POST, PUT, PoST
 
+    - name: request.mime_type
+      level: extended
+      type: keyword
+      short: Mime type of the body of the request.
+      description: >
+       Mime type of the body of the request.
+
+       This value must only be populated based on the content of the request
+       body, not on the `Content-Type` header. Comparing the mime type of a
+       request with the request's Content-Type header can be helpful in detecting
+       threats or misconfigured clients.
+
+      example: image/gif
+
     - name: request.body.content
       level: extended
       type: keyword
@@ -51,6 +65,20 @@
         HTTP response status code.
       example: 404
 
+    - name: response.mime_type
+      level: extended
+      type: keyword
+      short: Mime type of the body of the response.
+      description: >
+       Mime type of the body of the response.
+
+       This value must only be populated based on the content of the response
+       body, not on the `Content-Type` header. Comparing the mime type of a
+       response with the response's Content-Type header can be helpful in detecting
+       misconfigured servers.
+
+      example: image/gif
+
     - name: response.body.content
       level: extended
       type: keyword

From 4b6742b835a5c50711fc58a63c7d9a09fed725aa Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Tue, 25 Aug 2020 14:56:30 -0500
Subject: [PATCH 06/90] [1.x] Cut 1.6 Changelog (#933) (#952) (#953)

Co-authored-by: Mathieu Martin <mathieu.martin@elastic.co>
---
 CHANGELOG.md      | 97 +++++++++++++++++++++++++++++++++++++++++++++++
 CHANGELOG.next.md | 73 -----------------------------------
 2 files changed, 97 insertions(+), 73 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5510520c9f..0b6a774967 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,103 @@
 # CHANGELOG
 All notable changes to this project will be documented in this file based on the [Keep a Changelog](http://keepachangelog.com/) Standard. This project adheres to [Semantic Versioning](http://semver.org/).
 
+## [1.6.0](https://github.com/elastic/ecs/compare/v1.5.0...v1.6.0)
+
+### Schema Changes
+
+#### Bugfixes
+
+* Field `registry.data.strings` should have been marked as an array field. #790
+
+#### Added
+
+* Added `x509.*` field set. #762
+* Add architecture and imphash for PE field set. #763
+* Added `agent.build.*` for extended agent version information. #764
+* Added `log.file.path` to capture the log file an event came from. #802
+* Added more account and project cloud metadata. #816
+* Added missing field reuse of `pe` at `process.parent.pe` #868
+* Added `span.id` to the tracing fieldset, for additional log correlation #882
+* Added `event.reason` for the reason why an event's outcome or action was taken. #907
+* Added `user.roles` to capture a list of role names that apply to the user. #917
+
+#### Improvements
+
+* Removed misleading pluralization in the description of `user.id`, it should
+  contain one ID, not many. #801
+* Clarified misleading wording about multiple IPs in src/dst or cli/srv. #804
+* Improved verbiage about the MITRE ATT&CK® framework. #866
+* Removed the default `object_type=keyword` that was being applied to `object` fields.
+  This attribute is Beats-specific. It's still supported, but needs to be set explicitly
+  on a case by case basis now. This default being removed affects `dns.answers`,
+  `log.syslog`, `network.inner`, `observer.egress`, and `observer.ingress`. #871
+* Improved attribute `dashed_name` in `generated/ecs/*.yml` to also
+  replace `@` with `-`. #871
+* Updated several URLs in the documentation with "example.com" domain. #910
+
+#### Deprecated
+
+* Deprecate guidance to lowercase `http.request.method` #840
+
+
+### Tooling and Artifact Changes
+
+#### Breaking changes
+
+* Removed field definitions at the root of documents for fieldsets that
+  had `reusable.top_level:false`. This PR affects `ecs_flat.yml`, the csv file
+  and the sample Elasticsearch templates. #495, #813
+* Removed the `order` attribute from the `ecs_nested.yml` and `ecs_flat.yml` files. #811
+* In `ecs_nested.yml`, the array of strings that used to be in `reusable.expected`
+  has been replaced by an array of objects with 3 keys: 'as', 'at' and 'full'. #864
+* The subset format now requires `name` and `fields` keys at the top level. #873
+
+#### Bugfixes
+
+* Subsets are created after duplicating reusable fields now so subsets can
+  be applied to each reused instance independently. #753
+* Quoted the example for `labels` to avoid YAML interpreting it, and having
+  slightly different results in different situations. #782
+* Fix incorrect listing of where field sets are nested in asciidoc,
+  when they are nested deep. #784
+* Allow beats output to be generated when using `--include` or `--subset` flags. #814
+* Field parameter `index` is now correctly populated in the Beats field definition file. #824
+
+#### Improvements
+
+* Add support for reusing official fieldsets in custom schemas. #751
+* Add full path names to reused fieldsets in `nestings` array in `ecs_nested.yml`. #803
+* Allow shorthand notation for including all subfields in subsets. #805
+* Add support for Elasticsearch `enabled` field parameter. #824
+* Add `ref` option to generator allowing schemas to be built for a specific ECS version. #851
+* Add `template-settings` and `mapping-settings` options to allow override of defaults in generated ES templates. #856
+* When overriding ECS field sets via the `--include` flag, it's no longer necessary
+  to duplicate the field set's mandatory attributes. The customizations are merged
+  before validation. #864
+* Add ability to nest field sets as another name. #864
+* Add ability to nest field sets within themselves (e.g. `process` => `process.parent`). #864
+* New attribute `reused_here` is added in `ecs_nested.yml`. It obsoletes the
+  previous attribute `nestings`, and is able to fully capture details of other
+  field sets reused under this one. #864
+* When chained reuses are needed (e.g. `group` => `user`, then `user` => many places),
+  it's now necessary to force the order with new attribute `reusable.order`. This
+  attribute is otherwise optional. It's currently only needed for `group`. #864
+* There's a new representation of ECS at `generated/ecs/ecs.yml`, which is a deeply nested
+  representation of the fields. This file is not in git, as it's only meant for
+  developers working on the ECS tools. #864
+* Jinja2 templates now define the doc structure for the AsciiDoc generator. #865
+* Intermediate `ecs_flat.yml` and `ecs_nested.yml` files are now generated for each individual subset,
+  in addition to the intermediate files generated for the combined subset. #873
+
+#### Deprecated
+
+* In `ecs_nested.yml`, we're deprecating the attribute `nestings`. It will be
+  removed in a future release. The deprecated `nestings` attribute was an array of
+  flat field names describing where fields are nested within the field set.
+  This is replaced with the attribute `reused_here`, which is an array of objects.
+  The new format still lists where the fields are nested via the same flat field name,
+  but also specifies additional information about each field reuse. #864
+
 
 ## [1.5.0](https://github.com/elastic/ecs/compare/v1.4.0...v1.5.0)
 
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index a3e479ca12..be22c73fed 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -10,101 +10,28 @@ Thanks, you're awesome :-) -->
 
 ### Schema Changes
 
-* Added `log.file.path` to capture the log file an event came from. #802
-
 #### Breaking changes
 
 #### Bugfixes
 
-* Field `registry.data.strings` should have been marked as an array field. #790
-
 #### Added
 
-* Add architecture and imphash for PE field set. (#763)
-* Added `agent.build.*` for extended agent version information. (#764)
-* Added `x509.*` field set. (#762)
-* Added more account and project cloud metadata. (#816)
-* Added missing field reuse of `pe` at `process.parent.pe` #868
-* Added `span.id` to the tracing fieldset, for additional log correlation (#882)
-* Added `event.reason` for the reason why an event's outcome or action was taken. #907
-* Added `related.hosts` to capture all hostnames and host identifiers on an event. #913
 * Added Mime Type fields to HTTP request and response. #944
 
 #### Improvements
 
-* Removed misleading pluralization in the description of `user.id`, it should
-  contain one ID, not many. #801
-* Clarified misleading wording about multiple IPs in src/dst or cli/srv. #804
-* Improved verbiage about the MITRE ATT&CK® framework. #866
-* Removed the default `object_type=keyword` that was being applied to `object` fields.
-  This attribute is Beats-specific. It's still supported, but needs to be set explicitly
-  on a case by case basis now. This default being removed affects `dns.answers`,
-  `log.syslog`, `network.inner`, `observer.egress`, and `observer.ingress`. #871
-* Improved attribute `dashed_name` in `generated/ecs/*.yml` to also
-  replace `@` with `-`. #871
-* Updated several URLs in the documentation with "example.com" domain. #910
-
 #### Deprecated
 
-* Deprecate guidance to lowercase `http.request.method` #840
-* In `ecs_nested.yml`, we're deprecating the attribute `nestings`. It will be
-  removed in a future release. The deprecated `nestings` attribute was an array of
-  flat field names describing where fields are nested within the field set.
-  This is replaced with the attribute `reused_here`, which is an array of objects.
-  The new format still lists where the fields are nested via the same flat field name,
-  but also specifies additional information about each field reuse.
-
-
 ### Tooling and Artifact Changes
 
 #### Breaking changes
 
-* Removed field definitions at the root of documents for fieldsets that
-  had `reusable.top_level:false`. This PR affects `ecs_flat.yml`, the csv file
-  and the sample Elasticsearch templates. #495, #813
-* Removed the `order` attribute from the `ecs_nested.yml` and `ecs_flat.yml` files. #811
-* In `ecs_nested.yml`, the array of strings that used to be in `reusable.expected`
-  has been replaced by an array of objects with 3 keys: 'as', 'at' and 'full'. #864
-* The subset format now requires `name` and `fields` keys at the top level. #873
-
 #### Bugfixes
 
-* Subsets are created after duplicating reusable fields now so subsets can
-  be applied to each reused instance independently. #753
-* Quoted the example for `labels` to avoid YAML interpreting it, and having
-  slightly different results in different situations. #782
-* Fix incorrect listing of where field sets are nested in asciidoc,
-  when they are nested deep. #784
-* Allow beats output to be generated when using `--include` or `--subset` flags. #814
-* Field parameter `index` is now correctly populated in the Beats field definition file. #824
-
 #### Added
 
 #### Improvements
 
-* Add support for reusing official fieldsets in custom schemas. #751
-* Add full path names to reused fieldsets in `nestings` array in `ecs_nested.yml`. #803
-* Allow shorthand notation for including all subfields in subsets. #805
-* Add support for Elasticsearch `enabled` field parameter. #824
-* Add `ref` option to generator allowing schemas to be built for a specific ECS version. #851
-* Add `template-settings` and `mapping-settings` options to allow override of defaults in generated ES templates. #856
-* When overriding ECS field sets via the `--include` flag, it's no longer necessary
-  to duplicate the field set's mandatory attributes. The customizations are merged
-  before validation. #864
-* Add ability to nest field sets as another name. #864
-* Add ability to nest field sets within themselves (e.g. `process` => `process.parent`). #864
-* New attribute `reused_here` is added in `ecs_nested.yml`. It obsoletes the
-  previous attribute `nestings`, and is able to fully capture details of other
-  field sets reused under this one. #864
-* When chained reuses are needed (e.g. `group` => `user`, then `user` => many places),
-  it's now necessary to force the order with new attribute `reusable.order`. This
-  attribute is otherwise optional. It's currently only needed for `group`. #864
-* There's a new representation of ECS at `generated/ecs/ecs.yml`, which is a deeply nested
-  representation of the fields. This file is not in git, as it's only meant for
-  developers working on the ECS tools. #864
-* Jinja2 templates now define the doc structure for the AsciiDoc generator. #865
-* Intermediate `ecs_flat.yml` and `ecs_nested.yml` files are now generated for each individual subset,
-  in addition to the intermediate files generated for the combined subset. #873
 * Field details Jinja2 template components have been consolidated into one template #897
 
 #### Deprecated

From 357ce2431baf9acbafaf670c98312b0b33bad8fd Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Mon, 31 Aug 2020 17:12:58 -0500
Subject: [PATCH 07/90] [1.x] Add threat.technique.subtechnique (#951) (#956)

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
---
 CHANGELOG.next.md                       |  2 +
 code/go/ecs/threat.go                   | 39 +++++++----
 docs/field-details.asciidoc             | 78 ++++++++++++++++++----
 generated/beats/fields.ecs.yml          | 53 +++++++++++----
 generated/csv/fields.csv                | 18 +++--
 generated/ecs/ecs_flat.yml              | 69 +++++++++++++++----
 generated/ecs/ecs_nested.yml            | 69 +++++++++++++++----
 generated/elasticsearch/6/template.json | 22 ++++++
 generated/elasticsearch/7/template.json | 22 ++++++
 schemas/threat.yml                      | 89 ++++++++++++++++++-------
 10 files changed, 367 insertions(+), 94 deletions(-)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index be22c73fed..cadc21ef98 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -10,6 +10,8 @@ Thanks, you're awesome :-) -->
 
 ### Schema Changes
 
+* Added `threat.technique.subtechnique` to capture MITRE ATT&CK® subtecqhniques. #951
+
 #### Breaking changes
 
 #### Bugfixes
diff --git a/code/go/ecs/threat.go b/code/go/ecs/threat.go
index a77aa888e1..0df5e08049 100644
--- a/code/go/ecs/threat.go
+++ b/code/go/ecs/threat.go
@@ -34,30 +34,45 @@ type Threat struct {
 	// retrospectively tagged to events.
 	Framework string `ecs:"framework"`
 
+	// The id of tactic used by this threat. You can use a MITRE ATT&CK®
+	// tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )
+	TacticID string `ecs:"tactic.id"`
+
 	// Name of the type of tactic used by this threat. You can use a MITRE
 	// ATT&CK® tactic, for example. (ex.
-	// https://attack.mitre.org/tactics/TA0040/)
+	// https://attack.mitre.org/tactics/TA0002/)
 	TacticName string `ecs:"tactic.name"`
 
-	// The id of tactic used by this threat. You can use a MITRE ATT&CK®
-	// tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )
-	TacticID string `ecs:"tactic.id"`
-
 	// The reference url of tactic used by this threat. You can use a MITRE
 	// ATT&CK® tactic, for example. (ex.
-	// https://attack.mitre.org/tactics/TA0040/ )
+	// https://attack.mitre.org/tactics/TA0002/ )
 	TacticReference string `ecs:"tactic.reference"`
 
-	// The name of technique used by this threat. You can use a MITRE ATT&CK®
-	// technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)
-	TechniqueName string `ecs:"technique.name"`
-
 	// The id of technique used by this threat. You can use a MITRE ATT&CK®
-	// technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)
+	// technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)
 	TechniqueID string `ecs:"technique.id"`
 
+	// The name of technique used by this threat. You can use a MITRE ATT&CK®
+	// technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)
+	TechniqueName string `ecs:"technique.name"`
+
 	// The reference url of technique used by this threat. You can use a MITRE
 	// ATT&CK® technique, for example. (ex.
-	// https://attack.mitre.org/techniques/T1499/ )
+	// https://attack.mitre.org/techniques/T1059/)
 	TechniqueReference string `ecs:"technique.reference"`
+
+	// The full id of subtechnique used by this threat. You can use a MITRE
+	// ATT&CK® subtechnique, for example. (ex.
+	// https://attack.mitre.org/techniques/T1059/001/)
+	TechniqueSubtechniqueID string `ecs:"technique.subtechnique.id"`
+
+	// The name of subtechnique used by this threat. You can use a MITRE
+	// ATT&CK® subtechnique, for example. (ex.
+	// https://attack.mitre.org/techniques/T1059/001/)
+	TechniqueSubtechniqueName string `ecs:"technique.subtechnique.name"`
+
+	// The reference url of subtechnique used by this threat. You can use a
+	// MITRE ATT&CK® subtechnique, for example. (ex.
+	// https://attack.mitre.org/techniques/T1059/001/)
+	TechniqueSubtechniqueReference string `ecs:"technique.subtechnique.reference"`
 }
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index 3e38c16c45..b39f2c2949 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -5418,7 +5418,7 @@ example: `MITRE ATT&CK`
 // ===============================================================
 
 | threat.tactic.id
-| The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )
+| The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )
 
 type: keyword
 
@@ -5427,14 +5427,14 @@ Note: this field should contain an array of values.
 
 
 
-example: `TA0040`
+example: `TA0002`
 
 | extended
 
 // ===============================================================
 
 | threat.tactic.name
-| Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/)
+| Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)
 
 type: keyword
 
@@ -5443,14 +5443,14 @@ Note: this field should contain an array of values.
 
 
 
-example: `impact`
+example: `Execution`
 
 | extended
 
 // ===============================================================
 
 | threat.tactic.reference
-| The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )
+| The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )
 
 type: keyword
 
@@ -5459,14 +5459,14 @@ Note: this field should contain an array of values.
 
 
 
-example: `https://attack.mitre.org/tactics/TA0040/`
+example: `https://attack.mitre.org/tactics/TA0002/`
 
 | extended
 
 // ===============================================================
 
 | threat.technique.id
-| The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)
+| The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)
 
 type: keyword
 
@@ -5475,14 +5475,14 @@ Note: this field should contain an array of values.
 
 
 
-example: `T1499`
+example: `T1059`
 
 | extended
 
 // ===============================================================
 
 | threat.technique.name
-| The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)
+| The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)
 
 type: keyword
 
@@ -5497,14 +5497,14 @@ Note: this field should contain an array of values.
 
 
 
-example: `Endpoint Denial of Service`
+example: `Command and Scripting Interpreter`
 
 | extended
 
 // ===============================================================
 
 | threat.technique.reference
-| The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/ )
+| The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)
 
 type: keyword
 
@@ -5513,7 +5513,61 @@ Note: this field should contain an array of values.
 
 
 
-example: `https://attack.mitre.org/techniques/T1499/`
+example: `https://attack.mitre.org/techniques/T1059/`
+
+| extended
+
+// ===============================================================
+
+| threat.technique.subtechnique.id
+| The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)
+
+type: keyword
+
+
+Note: this field should contain an array of values.
+
+
+
+example: `T1059.001`
+
+| extended
+
+// ===============================================================
+
+| threat.technique.subtechnique.name
+| The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)
+
+type: keyword
+
+Multi-fields:
+
+* threat.technique.subtechnique.name.text (type: text)
+
+
+
+
+Note: this field should contain an array of values.
+
+
+
+example: `PowerShell`
+
+| extended
+
+// ===============================================================
+
+| threat.technique.subtechnique.reference
+| The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)
+
+type: keyword
+
+
+Note: this field should contain an array of values.
+
+
+
+example: `https://attack.mitre.org/techniques/T1059/001/`
 
 | extended
 
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 28c195fff2..782d1fdd50 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -4538,30 +4538,30 @@
       type: keyword
       ignore_above: 1024
       description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\
-        \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )"
-      example: TA0040
+        \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )"
+      example: TA0002
     - name: tactic.name
       level: extended
       type: keyword
       ignore_above: 1024
       description: "Name of the type of tactic used by this threat. You can use a\
-        \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/)"
-      example: impact
+        \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)"
+      example: Execution
     - name: tactic.reference
       level: extended
       type: keyword
       ignore_above: 1024
       description: "The reference url of tactic used by this threat. You can use a\
-        \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/\
+        \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/\
         \ )"
-      example: https://attack.mitre.org/tactics/TA0040/
+      example: https://attack.mitre.org/tactics/TA0002/
     - name: technique.id
       level: extended
       type: keyword
       ignore_above: 1024
       description: "The id of technique used by this threat. You can use a MITRE ATT&CK\xAE\
-        \ technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)"
-      example: T1499
+        \ technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
+      example: T1059
     - name: technique.name
       level: extended
       type: keyword
@@ -4572,16 +4572,43 @@
         norms: false
         default_field: false
       description: "The name of technique used by this threat. You can use a MITRE\
-        \ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)"
-      example: Endpoint Denial of Service
+        \ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
+      example: Command and Scripting Interpreter
     - name: technique.reference
       level: extended
       type: keyword
       ignore_above: 1024
       description: "The reference url of technique used by this threat. You can use\
-        \ a MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1499/\
-        \ )"
-      example: https://attack.mitre.org/techniques/T1499/
+        \ a MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
+      example: https://attack.mitre.org/techniques/T1059/
+    - name: technique.subtechnique.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: "The full id of subtechnique used by this threat. You can use a\
+        \ MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
+      example: T1059.001
+      default_field: false
+    - name: technique.subtechnique.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: "The name of subtechnique used by this threat. You can use a MITRE\
+        \ ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
+      example: PowerShell
+      default_field: false
+    - name: technique.subtechnique.reference
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: "The reference url of subtechnique used by this threat. You can\
+        \ use a MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
+      example: https://attack.mitre.org/techniques/T1059/001/
+      default_field: false
   - name: tls
     title: TLS
     group: 2
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index 9487929101..593be1ee68 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -534,13 +534,17 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.7.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.7.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace.
 1.7.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework.
-1.7.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0040,Threat tactic id.
-1.7.0-dev,true,threat,threat.tactic.name,keyword,extended,array,impact,Threat tactic.
-1.7.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0040/,Threat tactic URL reference.
-1.7.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1499,Threat technique id.
-1.7.0-dev,true,threat,threat.technique.name,keyword,extended,array,Endpoint Denial of Service,Threat technique name.
-1.7.0-dev,true,threat,threat.technique.name.text,text,extended,,Endpoint Denial of Service,Threat technique name.
-1.7.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1499/,Threat technique URL reference.
+1.7.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id.
+1.7.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic.
+1.7.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference.
+1.7.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id.
+1.7.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name.
+1.7.0-dev,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name.
+1.7.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference.
+1.7.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id.
+1.7.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name.
+1.7.0-dev,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name.
+1.7.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference.
 1.7.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection.
 1.7.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client.
 1.7.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"['MII...', 'MII...']",Array of PEM-encoded certificates that make up the certificate chain offered by the client.
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index f8110a362b..08a1c79cb4 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -6850,8 +6850,8 @@ threat.framework:
 threat.tactic.id:
   dashed_name: threat-tactic-id
   description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\
-    \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )"
-  example: TA0040
+    \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )"
+  example: TA0002
   flat_name: threat.tactic.id
   ignore_above: 1024
   level: extended
@@ -6863,8 +6863,8 @@ threat.tactic.id:
 threat.tactic.name:
   dashed_name: threat-tactic-name
   description: "Name of the type of tactic used by this threat. You can use a MITRE\
-    \ ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/)"
-  example: impact
+    \ ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)"
+  example: Execution
   flat_name: threat.tactic.name
   ignore_above: 1024
   level: extended
@@ -6876,9 +6876,9 @@ threat.tactic.name:
 threat.tactic.reference:
   dashed_name: threat-tactic-reference
   description: "The reference url of tactic used by this threat. You can use a MITRE\
-    \ ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/\
+    \ ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/\
     \ )"
-  example: https://attack.mitre.org/tactics/TA0040/
+  example: https://attack.mitre.org/tactics/TA0002/
   flat_name: threat.tactic.reference
   ignore_above: 1024
   level: extended
@@ -6890,8 +6890,8 @@ threat.tactic.reference:
 threat.technique.id:
   dashed_name: threat-technique-id
   description: "The id of technique used by this threat. You can use a MITRE ATT&CK\xAE\
-    \ technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)"
-  example: T1499
+    \ technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
+  example: T1059
   flat_name: threat.technique.id
   ignore_above: 1024
   level: extended
@@ -6903,8 +6903,8 @@ threat.technique.id:
 threat.technique.name:
   dashed_name: threat-technique-name
   description: "The name of technique used by this threat. You can use a MITRE ATT&CK\xAE\
-    \ technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)"
-  example: Endpoint Denial of Service
+    \ technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
+  example: Command and Scripting Interpreter
   flat_name: threat.technique.name
   ignore_above: 1024
   level: extended
@@ -6921,9 +6921,8 @@ threat.technique.name:
 threat.technique.reference:
   dashed_name: threat-technique-reference
   description: "The reference url of technique used by this threat. You can use a\
-    \ MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1499/\
-    \ )"
-  example: https://attack.mitre.org/techniques/T1499/
+    \ MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
+  example: https://attack.mitre.org/techniques/T1059/
   flat_name: threat.technique.reference
   ignore_above: 1024
   level: extended
@@ -6932,6 +6931,50 @@ threat.technique.reference:
   - array
   short: Threat technique URL reference.
   type: keyword
+threat.technique.subtechnique.id:
+  dashed_name: threat-technique-subtechnique-id
+  description: "The full id of subtechnique used by this threat. You can use a MITRE\
+    \ ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
+  example: T1059.001
+  flat_name: threat.technique.subtechnique.id
+  ignore_above: 1024
+  level: extended
+  name: technique.subtechnique.id
+  normalize:
+  - array
+  short: Threat subtechnique id.
+  type: keyword
+threat.technique.subtechnique.name:
+  dashed_name: threat-technique-subtechnique-name
+  description: "The name of subtechnique used by this threat. You can use a MITRE\
+    \ ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
+  example: PowerShell
+  flat_name: threat.technique.subtechnique.name
+  ignore_above: 1024
+  level: extended
+  multi_fields:
+  - flat_name: threat.technique.subtechnique.name.text
+    name: text
+    norms: false
+    type: text
+  name: technique.subtechnique.name
+  normalize:
+  - array
+  short: Threat subtechnique name.
+  type: keyword
+threat.technique.subtechnique.reference:
+  dashed_name: threat-technique-subtechnique-reference
+  description: "The reference url of subtechnique used by this threat. You can use\
+    \ a MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
+  example: https://attack.mitre.org/techniques/T1059/001/
+  flat_name: threat.technique.subtechnique.reference
+  ignore_above: 1024
+  level: extended
+  name: technique.subtechnique.reference
+  normalize:
+  - array
+  short: Threat subtechnique URL reference.
+  type: keyword
 tls.cipher:
   dashed_name: tls-cipher
   description: String indicating the cipher used during the current connection.
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index 13b273fcfb..926f834242 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -8022,8 +8022,8 @@ threat:
     threat.tactic.id:
       dashed_name: threat-tactic-id
       description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\
-        \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )"
-      example: TA0040
+        \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )"
+      example: TA0002
       flat_name: threat.tactic.id
       ignore_above: 1024
       level: extended
@@ -8035,8 +8035,8 @@ threat:
     threat.tactic.name:
       dashed_name: threat-tactic-name
       description: "Name of the type of tactic used by this threat. You can use a\
-        \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/)"
-      example: impact
+        \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)"
+      example: Execution
       flat_name: threat.tactic.name
       ignore_above: 1024
       level: extended
@@ -8048,9 +8048,9 @@ threat:
     threat.tactic.reference:
       dashed_name: threat-tactic-reference
       description: "The reference url of tactic used by this threat. You can use a\
-        \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/\
+        \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/\
         \ )"
-      example: https://attack.mitre.org/tactics/TA0040/
+      example: https://attack.mitre.org/tactics/TA0002/
       flat_name: threat.tactic.reference
       ignore_above: 1024
       level: extended
@@ -8062,8 +8062,8 @@ threat:
     threat.technique.id:
       dashed_name: threat-technique-id
       description: "The id of technique used by this threat. You can use a MITRE ATT&CK\xAE\
-        \ technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)"
-      example: T1499
+        \ technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
+      example: T1059
       flat_name: threat.technique.id
       ignore_above: 1024
       level: extended
@@ -8075,8 +8075,8 @@ threat:
     threat.technique.name:
       dashed_name: threat-technique-name
       description: "The name of technique used by this threat. You can use a MITRE\
-        \ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)"
-      example: Endpoint Denial of Service
+        \ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
+      example: Command and Scripting Interpreter
       flat_name: threat.technique.name
       ignore_above: 1024
       level: extended
@@ -8093,9 +8093,8 @@ threat:
     threat.technique.reference:
       dashed_name: threat-technique-reference
       description: "The reference url of technique used by this threat. You can use\
-        \ a MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1499/\
-        \ )"
-      example: https://attack.mitre.org/techniques/T1499/
+        \ a MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
+      example: https://attack.mitre.org/techniques/T1059/
       flat_name: threat.technique.reference
       ignore_above: 1024
       level: extended
@@ -8104,6 +8103,50 @@ threat:
       - array
       short: Threat technique URL reference.
       type: keyword
+    threat.technique.subtechnique.id:
+      dashed_name: threat-technique-subtechnique-id
+      description: "The full id of subtechnique used by this threat. You can use a\
+        \ MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
+      example: T1059.001
+      flat_name: threat.technique.subtechnique.id
+      ignore_above: 1024
+      level: extended
+      name: technique.subtechnique.id
+      normalize:
+      - array
+      short: Threat subtechnique id.
+      type: keyword
+    threat.technique.subtechnique.name:
+      dashed_name: threat-technique-subtechnique-name
+      description: "The name of subtechnique used by this threat. You can use a MITRE\
+        \ ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
+      example: PowerShell
+      flat_name: threat.technique.subtechnique.name
+      ignore_above: 1024
+      level: extended
+      multi_fields:
+      - flat_name: threat.technique.subtechnique.name.text
+        name: text
+        norms: false
+        type: text
+      name: technique.subtechnique.name
+      normalize:
+      - array
+      short: Threat subtechnique name.
+      type: keyword
+    threat.technique.subtechnique.reference:
+      dashed_name: threat-technique-subtechnique-reference
+      description: "The reference url of subtechnique used by this threat. You can\
+        \ use a MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
+      example: https://attack.mitre.org/techniques/T1059/001/
+      flat_name: threat.technique.subtechnique.reference
+      ignore_above: 1024
+      level: extended
+      name: technique.subtechnique.reference
+      normalize:
+      - array
+      short: Threat subtechnique URL reference.
+      type: keyword
   group: 2
   name: threat
   prefix: threat.
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json
index 6f98745d9b..b16d3576ce 100644
--- a/generated/elasticsearch/6/template.json
+++ b/generated/elasticsearch/6/template.json
@@ -2571,6 +2571,28 @@
                 "reference": {
                   "ignore_above": 1024,
                   "type": "keyword"
+                },
+                "subtechnique": {
+                  "properties": {
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "fields": {
+                        "text": {
+                          "norms": false,
+                          "type": "text"
+                        }
+                      },
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "reference": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
                 }
               }
             }
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json
index 177889f92d..08071d1b91 100644
--- a/generated/elasticsearch/7/template.json
+++ b/generated/elasticsearch/7/template.json
@@ -2570,6 +2570,28 @@
               "reference": {
                 "ignore_above": 1024,
                 "type": "keyword"
+              },
+              "subtechnique": {
+                "properties": {
+                  "id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "fields": {
+                      "text": {
+                        "norms": false,
+                        "type": "text"
+                      }
+                    },
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "reference": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
               }
             }
           }
diff --git a/schemas/threat.yml b/schemas/threat.yml
index d24fa0fc75..62477b28a1 100644
--- a/schemas/threat.yml
+++ b/schemas/threat.yml
@@ -24,39 +24,53 @@
 
       example: MITRE ATT&CK
 
-    - name: tactic.name
+    - name: tactic.id
       level: extended
       type: keyword
-      short: Threat tactic.
+      short: Threat tactic id.
       description: >
-          Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example.
-          (ex. https://attack.mitre.org/tactics/TA0040/)
+          The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example.
+          (ex. https://attack.mitre.org/tactics/TA0002/ )
 
-      example: impact
+      example: TA0002
       normalize:
         - array
 
-    - name: tactic.id
+    - name: tactic.name
       level: extended
       type: keyword
-      short: Threat tactic id.
+      short: Threat tactic.
       description: >
-          The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example.
-          (ex. https://attack.mitre.org/tactics/TA0040/ )
+          Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example.
+          (ex. https://attack.mitre.org/tactics/TA0002/)
 
-      example: TA0040
+      example: Execution
       normalize:
         - array
 
+
     - name: tactic.reference
       level: extended
       type: keyword
       short: Threat tactic URL reference.
       description: >
           The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example.
-          (ex. https://attack.mitre.org/tactics/TA0040/ )
+          (ex. https://attack.mitre.org/tactics/TA0002/ )
 
-      example: https://attack.mitre.org/tactics/TA0040/
+      example: https://attack.mitre.org/tactics/TA0002/
+      normalize:
+        - array
+
+
+    - name: technique.id
+      level: extended
+      type: keyword
+      short: Threat technique id.
+      description: >
+          The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example.
+          (ex. https://attack.mitre.org/techniques/T1059/)
+
+      example: T1059
       normalize:
         - array
 
@@ -69,32 +83,59 @@
       short: Threat technique name.
       description: >
           The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example.
-          (ex. https://attack.mitre.org/techniques/T1499/)
+          (ex. https://attack.mitre.org/techniques/T1059/)
 
-      example: Endpoint Denial of Service
+      example: Command and Scripting Interpreter
       normalize:
         - array
 
-    - name: technique.id
+    - name: technique.reference
       level: extended
       type: keyword
-      short: Threat technique id.
+      short: Threat technique URL reference.
       description: >
-          The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example.
-          (ex. https://attack.mitre.org/techniques/T1499/)
+          The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example.
+          (ex. https://attack.mitre.org/techniques/T1059/)
 
-      example: T1499
+      example: https://attack.mitre.org/techniques/T1059/
       normalize:
         - array
 
-    - name: technique.reference
+    - name: technique.subtechnique.id
       level: extended
       type: keyword
-      short: Threat technique URL reference.
+      short: Threat subtechnique id.
       description: >
-          The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example.
-          (ex. https://attack.mitre.org/techniques/T1499/ )
+          The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example.
+          (ex. https://attack.mitre.org/techniques/T1059/001/)
+
+      example: T1059.001
+      normalize:
+        - array
+
+    - name: technique.subtechnique.name
+      level: extended
+      type: keyword
+      multi_fields:
+      - type: text
+        name: text
+      short: Threat subtechnique name.
+      description: >
+          The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example.
+          (ex. https://attack.mitre.org/techniques/T1059/001/)
+
+      example: PowerShell
+      normalize:
+        - array
+
+    - name: technique.subtechnique.reference
+      level: extended
+      type: keyword
+      short: Threat subtechnique URL reference.
+      description: >
+          The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example.
+          (ex. https://attack.mitre.org/techniques/T1059/001/)
 
-      example: https://attack.mitre.org/techniques/T1499/
+      example: https://attack.mitre.org/techniques/T1059/001/
       normalize:
         - array

From 9c4fc4ceb0e339d8f26a1b582bdab3aaba664427 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Fri, 4 Sep 2020 09:38:08 -0500
Subject: [PATCH 08/90] [1.x] Nest as for foreign reuse (#960) (#962)

---
 CHANGELOG.next.md                           |  2 ++
 scripts/schema/finalizer.py                 |  4 ++-
 scripts/tests/unit/test_schema_finalizer.py | 36 ++++++++++++++++++++-
 3 files changed, 40 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index cadc21ef98..9f227041e0 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -30,6 +30,8 @@ Thanks, you're awesome :-) -->
 
 #### Bugfixes
 
+* Addressed issue where foreign reuses weren't using the user-supplied `as` value for their destination. #960
+
 #### Added
 
 #### Improvements
diff --git a/scripts/schema/finalizer.py b/scripts/schema/finalizer.py
index 45abb6a3a9..3d1c7202b2 100644
--- a/scripts/schema/finalizer.py
+++ b/scripts/schema/finalizer.py
@@ -57,17 +57,19 @@ def perform_reuse(fields):
             schema = fields[schema_name]
             for reuse_entry in reuse_entries:
                 # print(order, "{} => {}".format(schema_name, reuse_entry['full']))
+                nest_as = reuse_entry['as']
                 destination_schema_name = reuse_entry['full'].split('.')[0]
                 destination_schema = fields[destination_schema_name]
                 ensure_valid_reuse(schema, destination_schema)
 
                 new_field_details = copy.deepcopy(schema['field_details'])
+                new_field_details['name'] = nest_as
                 new_field_details['original_fieldset'] = schema_name
                 new_field_details['intermediate'] = True
                 reused_fields = copy.deepcopy(schema['fields'])
                 set_original_fieldset(reused_fields, schema_name)
                 destination_fields = field_group_at_path(reuse_entry['at'], fields)
-                destination_fields[schema_name] = {
+                destination_fields[nest_as] = {
                     'field_details': new_field_details,
                     'fields': reused_fields,
                 }
diff --git a/scripts/tests/unit/test_schema_finalizer.py b/scripts/tests/unit/test_schema_finalizer.py
index 64f3f25458..8a193a0454 100644
--- a/scripts/tests/unit/test_schema_finalizer.py
+++ b/scripts/tests/unit/test_schema_finalizer.py
@@ -47,6 +47,8 @@ def schema_process(self):
                         'order': 2,
                         'expected': [
                             {'full': 'process.parent', 'at': 'process', 'as': 'parent'},
+                            {'full': 'reuse.process', 'at': 'reuse', 'as': 'process'},
+                            {'full': 'reuse.process.parent', 'at': 'reuse.process', 'as': 'parent'},
                         ]
                     }
                 },
@@ -143,30 +145,57 @@ def schema_server(self):
             }
         }
 
+    def schema_process_reuse(self):
+        return {
+            'reuse': {
+                'schema_details': {
+                    'title': 'Reuse',
+                    'root': False
+                },
+                'field_details': {
+                    'name': 'Reuse',
+                    'node_name': 'Reuse',
+                    'short': 'reuse example',
+                },
+                'fields': {
+                    'pid': {
+                        'field_details': {
+                            'name': 'pid',
+                            'node_name': 'pid',
+                        }
+                    }
+                }
+            }
+        }
+
     # perform_reuse
 
     def test_perform_reuse_with_foreign_reuse_and_self_reuse(self):
-        fields = {**self.schema_user(), **self.schema_server(), **self.schema_process()}
+        fields = {**self.schema_user(), **self.schema_server(), **self.schema_process(), **self.schema_process_reuse()}
         # If the test had multiple foreign destinations for user fields, we could compare them together instead
         finalizer.perform_reuse(fields)
         process_fields = fields['process']['fields']
         server_fields = fields['server']['fields']
         user_fields = fields['user']['fields']
+        process_reuse_fields = fields['reuse']['fields']['process']['fields']
         # Expected reuse
         self.assertIn('parent', process_fields)
         self.assertIn('user', server_fields)
         self.assertIn('target', user_fields)
         self.assertIn('effective', user_fields)
+        self.assertIn('parent', process_reuse_fields)
         # Sanity check for presence of leaf fields, after performing reuse
         self.assertIn('name', user_fields['target']['fields'])
         self.assertIn('name', user_fields['effective']['fields'])
         self.assertIn('name', server_fields['user']['fields'])
         self.assertIn('pid', process_fields['parent']['fields'])
+        self.assertIn('pid', process_reuse_fields['parent']['fields'])
         # Ensure the parent field of reused fields is marked as intermediate
         self.assertTrue(server_fields['user']['field_details']['intermediate'])
         self.assertTrue(process_fields['parent']['field_details']['intermediate'])
         self.assertTrue(user_fields['target']['field_details']['intermediate'])
         self.assertTrue(user_fields['effective']['field_details']['intermediate'])
+        self.assertTrue(process_reuse_fields['parent']['field_details']['intermediate'])
         # No unexpected cross-nesting
         self.assertNotIn('target', user_fields['target']['fields'])
         self.assertNotIn('target', user_fields['effective']['fields'])
@@ -176,6 +205,7 @@ def test_perform_reuse_with_foreign_reuse_and_self_reuse(self):
         self.assertIn('user.effective', fields['user']['schema_details']['nestings'])
         self.assertIn('user.target', fields['user']['schema_details']['nestings'])
         self.assertIn('server.user', fields['server']['schema_details']['nestings'])
+        self.assertIn('reuse.process.parent', fields['reuse']['schema_details']['nestings'])
         # Attribute 'reused_here' lists nestings inside a destination schema
         self.assertIn({'full': 'process.parent', 'schema_name': 'process', 'short': 'short desc'},
                       fields['process']['schema_details']['reused_here'])
@@ -185,6 +215,8 @@ def test_perform_reuse_with_foreign_reuse_and_self_reuse(self):
                       fields['user']['schema_details']['reused_here'])
         self.assertIn({'full': 'server.user', 'schema_name': 'user', 'short': 'short desc'},
                       fields['server']['schema_details']['reused_here'])
+        self.assertIn({'full': 'reuse.process.parent', 'schema_name': 'process', 'short': 'short desc'},
+                      fields['reuse']['schema_details']['reused_here'])
         # Reused fields have an indication they're reused
         self.assertEqual(process_fields['parent']['field_details']['original_fieldset'], 'process',
                          "The parent field of reused fields should have 'original_fieldset' populated")
@@ -193,6 +225,8 @@ def test_perform_reuse_with_foreign_reuse_and_self_reuse(self):
         self.assertEqual(server_fields['user']['field_details']['original_fieldset'], 'user',
                          "The parent field of foreign reused fields should have 'original_fieldset' populated")
         self.assertEqual(server_fields['user']['fields']['name']['field_details']['original_fieldset'], 'user')
+        self.assertEqual(process_reuse_fields['parent']['field_details']['original_fieldset'], 'process',
+                         "The parent field of reused fields should have 'original_fieldset' populated")
         # Original fieldset's fields must not be marked with 'original_fieldset='
         self.assertNotIn('original_fieldset', user_fields['name']['field_details'])
         self.assertNotIn('original_fieldset', process_fields['pid']['field_details'])

From 3eb6d9962c9a551467389e5cd2e110e5592d2a3a Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Tue, 8 Sep 2020 14:55:48 -0500
Subject: [PATCH 09/90] [1.x] Remove `expected_event_types` from protocol
 (#964) (#965)

---
 CHANGELOG.next.md            | 2 ++
 docs/field-values.asciidoc   | 4 ----
 generated/ecs/ecs_flat.yml   | 6 ------
 generated/ecs/ecs_nested.yml | 6 ------
 schemas/event.yml            | 6 ------
 5 files changed, 2 insertions(+), 22 deletions(-)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 9f227041e0..f7780503be 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -16,6 +16,8 @@ Thanks, you're awesome :-) -->
 
 #### Bugfixes
 
+* The `protocol` allowed value under `event.type` should not have the `expected_event_types` defined. #964
+
 #### Added
 
 * Added Mime Type fields to HTTP request and response. #944
diff --git a/docs/field-values.asciidoc b/docs/field-values.asciidoc
index 03a74e16cd..4e4bb8a61e 100644
--- a/docs/field-values.asciidoc
+++ b/docs/field-values.asciidoc
@@ -439,10 +439,6 @@ The installation event type is used for the subset of events within a category t
 The protocol event type is used for the subset of events within a category that indicate that they contain protocol details or analysis, beyond simply identifying the protocol. Generally, network events that contain specific protocol details will fall into this subcategory. A common example is `event.category:network AND event.type:protocol AND event.type:connection AND event.type:end` (to indicate that the event is a network connection event sent at the end of a connection that also includes a protocol detail breakdown). Note that events that only indicate the name or id of the protocol should not use the protocol value. Further note that when the protocol subcategory is used, the identified protocol is populated in the ECS `network.protocol` field.
 
 
-*Expected event types for category protocol:*
-
-access, change, end, info, start
-
 
 [float]
 [[ecs-event-type-start]]
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index 08a1c79cb4..c27228d794 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -2298,12 +2298,6 @@ event.type:
       indicate the name or id of the protocol should not use the protocol value. Further
       note that when the protocol subcategory is used, the identified protocol is
       populated in the ECS `network.protocol` field.
-    expected_event_types:
-    - access
-    - change
-    - end
-    - info
-    - start
     name: protocol
   - description: The start event type is used for the subset of events within a category
       that indicate something has started. A common example is `event.category:process
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index 926f834242..8ed5b86a80 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -2701,12 +2701,6 @@ event:
           should not use the protocol value. Further note that when the protocol subcategory
           is used, the identified protocol is populated in the ECS `network.protocol`
           field.
-        expected_event_types:
-        - access
-        - change
-        - end
-        - info
-        - start
         name: protocol
       - description: The start event type is used for the subset of events within
           a category that indicate something has started. A common example is `event.category:process
diff --git a/schemas/event.yml b/schemas/event.yml
index 4d18ae2c86..74e99b99fe 100644
--- a/schemas/event.yml
+++ b/schemas/event.yml
@@ -469,12 +469,6 @@
             Note that events that only indicate the name or id of the protocol should not use the protocol value.
             Further note that when the protocol subcategory is used, the identified protocol is populated in
             the ECS `network.protocol` field.
-          expected_event_types:
-            - access
-            - change
-            - end
-            - info
-            - start
         - name: start
           description: >
             The start event type is used for the subset of events within a category

From d5820b9981449c269571d12bc8c75d4f51bf0721 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Wed, 23 Sep 2020 11:38:13 -0500
Subject: [PATCH 10/90] [1.x] Expand definitions of source and destination
 field sets (#967) (#973)

---
 CHANGELOG.next.md              |  2 ++
 code/go/ecs/destination.go     |  9 ++++++++-
 code/go/ecs/source.go          |  9 ++++++++-
 docs/field-details.asciidoc    |  8 ++++----
 generated/beats/fields.ecs.yml | 24 ++++++++++++++++++------
 generated/ecs/ecs_nested.yml   | 24 ++++++++++++++++++------
 schemas/destination.yml        |  8 ++++++--
 schemas/source.yml             |  8 ++++++--
 8 files changed, 70 insertions(+), 22 deletions(-)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index f7780503be..4f624151f1 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -24,6 +24,8 @@ Thanks, you're awesome :-) -->
 
 #### Improvements
 
+* Expanded field set definitions for `source.*` and `destination.*`. #967
+
 #### Deprecated
 
 ### Tooling and Artifact Changes
diff --git a/code/go/ecs/destination.go b/code/go/ecs/destination.go
index b283ec3b2f..e3417e5bb9 100644
--- a/code/go/ecs/destination.go
+++ b/code/go/ecs/destination.go
@@ -19,8 +19,15 @@
 
 package ecs
 
-// Destination fields describe details about the destination of a packet/event.
+// Destination fields capture details about the receiver of a network
+// exchange/packet. These fields are populated from a network event, packet, or
+// other event containing details of a network transaction.
 // Destination fields are usually populated in conjunction with source fields.
+// The source and destination fields are considered the baseline and should
+// always be filled if an event contains source and destination details from a
+// network transaction. If the event also contains identification of the client
+// and server roles, then the client and server fields should also be
+// populated.
 type Destination struct {
 	// Some event destination addresses are defined ambiguously. The event will
 	// sometimes list an IP, a domain or a unix socket.  You should always
diff --git a/code/go/ecs/source.go b/code/go/ecs/source.go
index 8fe352bc72..f8ab84d581 100644
--- a/code/go/ecs/source.go
+++ b/code/go/ecs/source.go
@@ -19,8 +19,15 @@
 
 package ecs
 
-// Source fields describe details about the source of a packet/event.
+// Source fields capture details about the sender of a network exchange/packet.
+// These fields are populated from a network event, packet, or other event
+// containing details of a network transaction.
 // Source fields are usually populated in conjunction with destination fields.
+// The source and destination fields are considered the baseline and should
+// always be filled if an event contains source and destination details from a
+// network transaction. If the event also contains identification of the client
+// and server roles, then the client and server fields should also be
+// populated.
 type Source struct {
 	// Some event source addresses are defined ambiguously. The event will
 	// sometimes list an IP, a domain or a unix socket.  You should always
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index b39f2c2949..da97a3c5f8 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -803,9 +803,9 @@ example: `docker`
 [[ecs-destination]]
 === Destination Fields
 
-Destination fields describe details about the destination of a packet/event.
+Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction.
 
-Destination fields are usually populated in conjunction with source fields.
+Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.
 
 ==== Destination Field Details
 
@@ -5185,9 +5185,9 @@ example: `3.2.4`
 [[ecs-source]]
 === Source Fields
 
-Source fields describe details about the source of a packet/event.
+Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction.
 
-Source fields are usually populated in conjunction with destination fields.
+Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.
 
 ==== Source Field Details
 
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 782d1fdd50..c632daaead 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -562,9 +562,15 @@
   - name: destination
     title: Destination
     group: 2
-    description: 'Destination fields describe details about the destination of a packet/event.
-
-      Destination fields are usually populated in conjunction with source fields.'
+    description: 'Destination fields capture details about the receiver of a network
+      exchange/packet. These fields are populated from a network event, packet, or
+      other event containing details of a network transaction.
+
+      Destination fields are usually populated in conjunction with source fields.
+      The source and destination fields are considered the baseline and should always
+      be filled if an event contains source and destination details from a network
+      transaction. If the event also contains identification of the client and server
+      roles, then the client and server fields should also be populated.'
     type: group
     fields:
     - name: address
@@ -4286,9 +4292,15 @@
   - name: source
     title: Source
     group: 2
-    description: 'Source fields describe details about the source of a packet/event.
-
-      Source fields are usually populated in conjunction with destination fields.'
+    description: 'Source fields capture details about the sender of a network exchange/packet.
+      These fields are populated from a network event, packet, or other event containing
+      details of a network transaction.
+
+      Source fields are usually populated in conjunction with destination fields.
+      The source and destination fields are considered the baseline and should always
+      be filled if an event contains source and destination details from a network
+      transaction. If the event also contains identification of the client and server
+      roles, then the client and server fields should also be populated.'
     type: group
     fields:
     - name: address
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index 8ed5b86a80..490b00eb74 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -957,9 +957,15 @@ container:
   title: Container
   type: group
 destination:
-  description: 'Destination fields describe details about the destination of a packet/event.
-
-    Destination fields are usually populated in conjunction with source fields.'
+  description: 'Destination fields capture details about the receiver of a network
+    exchange/packet. These fields are populated from a network event, packet, or other
+    event containing details of a network transaction.
+
+    Destination fields are usually populated in conjunction with source fields. The
+    source and destination fields are considered the baseline and should always be
+    filled if an event contains source and destination details from a network transaction.
+    If the event also contains identification of the client and server roles, then
+    the client and server fields should also be populated.'
   fields:
     destination.address:
       dashed_name: destination-address
@@ -7570,9 +7576,15 @@ service:
   title: Service
   type: group
 source:
-  description: 'Source fields describe details about the source of a packet/event.
-
-    Source fields are usually populated in conjunction with destination fields.'
+  description: 'Source fields capture details about the sender of a network exchange/packet.
+    These fields are populated from a network event, packet, or other event containing
+    details of a network transaction.
+
+    Source fields are usually populated in conjunction with destination fields. The
+    source and destination fields are considered the baseline and should always be
+    filled if an event contains source and destination details from a network transaction.
+    If the event also contains identification of the client and server roles, then
+    the client and server fields should also be populated.'
   fields:
     source.address:
       dashed_name: source-address
diff --git a/schemas/destination.yml b/schemas/destination.yml
index 2400f3745e..42d3e154d5 100644
--- a/schemas/destination.yml
+++ b/schemas/destination.yml
@@ -4,9 +4,13 @@
   group: 2
   short: Fields about the destination side of a network connection, used with source.
   description: >
-    Destination fields describe details about the destination of a packet/event.
+    Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from
+    a network event, packet, or other event containing details of a network transaction.
 
-    Destination fields are usually populated in conjunction with source fields.
+    Destination fields are usually populated in conjunction with source fields. The source and destination
+    fields are considered the baseline and should always be filled if an event contains source
+    and destination details from a network transaction. If the event also contains identification of the
+    client and server roles, then the client and server fields should also be populated.
   type: group
   fields:
 
diff --git a/schemas/source.yml b/schemas/source.yml
index 05379a48c3..65539b3d60 100644
--- a/schemas/source.yml
+++ b/schemas/source.yml
@@ -4,9 +4,13 @@
   group: 2
   short: Fields about the source side of a network connection, used with destination.
   description: >
-    Source fields describe details about the source of a packet/event.
+    Source fields capture details about the sender of a network exchange/packet. These fields are populated from
+    a network event, packet, or other event containing details of a network transaction.
 
-    Source fields are usually populated in conjunction with destination fields.
+    Source fields are usually populated in conjunction with destination fields. The source and destination
+    fields are considered the baseline and should always be filled if an event contains source
+    and destination details from a network transaction. If the event also contains identification of the
+    client and server roles, then the client and server fields should also be populated.
   type: group
   fields:
 

From e6ba4c43fe40f7e4cd5dfd09568cacc12281e3ca Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Wed, 23 Sep 2020 14:18:43 -0500
Subject: [PATCH 11/90] [1.x] Introduce `--strict` flag (#937) (#975)

---
 CHANGELOG.next.md                         |  5 ++-
 Makefile                                  |  2 +-
 USAGE.md                                  | 45 +++++++++++++++++++++++
 scripts/generator.py                      |  4 +-
 scripts/generators/ecs_helpers.py         | 15 ++++++++
 scripts/schema/cleaner.py                 | 18 ++++++---
 scripts/tests/unit/test_schema_cleaner.py | 20 ++++++++++
 7 files changed, 99 insertions(+), 10 deletions(-)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 4f624151f1..1984f60434 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -10,8 +10,6 @@ Thanks, you're awesome :-) -->
 
 ### Schema Changes
 
-* Added `threat.technique.subtechnique` to capture MITRE ATT&CK® subtecqhniques. #951
-
 #### Breaking changes
 
 #### Bugfixes
@@ -21,6 +19,7 @@ Thanks, you're awesome :-) -->
 #### Added
 
 * Added Mime Type fields to HTTP request and response. #944
+* Added `threat.technique.subtechnique` to capture MITRE ATT&CK® subtechniques. #951
 
 #### Improvements
 
@@ -38,6 +37,8 @@ Thanks, you're awesome :-) -->
 
 #### Added
 
+* Introduced `--strict` flag to perform stricter schema validation when running the generator script. #937
+
 #### Improvements
 
 * Field details Jinja2 template components have been consolidated into one template #897
diff --git a/Makefile b/Makefile
index e2826b46bc..37617d391e 100644
--- a/Makefile
+++ b/Makefile
@@ -61,7 +61,7 @@ generate: legacy_use_cases codegen generator
 # Run the new generator
 .PHONY: generator
 generator:
-	$(PYTHON) scripts/generator.py --include "${INCLUDE}"
+	$(PYTHON) scripts/generator.py --strict --include "${INCLUDE}"
 
 # Generate Go code from the schema.
 .PHONY: gocodegen
diff --git a/USAGE.md b/USAGE.md
index 334879892e..ffa2ca2e06 100644
--- a/USAGE.md
+++ b/USAGE.md
@@ -29,6 +29,7 @@ relevant artifacts for their unique set of data sources.
     + [Subset](#subset)
     + [Ref](#ref)
     + [Mapping & Template Settings](#mapping--template-settings)
+    + [Strict Mode](#strict-mode)
     + [Intermediate-Only](#intermediate-only)
 
 ## Terminology
@@ -294,6 +295,50 @@ The `--template-settings` argument defines [index level settings](https://www.el
 
 For `template.json`, the `mappings` object is left empty: `{}`. Likewise the `properties` object remains empty in the `mapping.json` example. This will be filled in automatically by the script.
 
+#### Strict Mode
+
+The `--strict` argument enables "strict mode". Strict mode performs a stricter validation step against the schema's contents.
+
+Basic usage:
+
+```
+$ python/generator.py --strict
+```
+
+Strict mode requires the following conditions, else the script exits on an exception:
+
+* Short descriptions must be less than or equal to 120 characters.
+
+The current artifacts generated and published in the ECS repo will always be created using strict mode. However, older ECS versions (pre `v1.5.0`) will cause
+an exception if attempting to generate them using `--strict`. This is due to schema validation checks introduced after that version was released.
+
+Example:
+
+```
+$ python scripts/generator.py --ref v1.4.0 --strict
+Loading schemas from git ref v1.4.0
+Running generator. ECS version 1.4.0
+...
+ValueError: Short descriptions must be single line, and under 120 characters (current length: 134).
+Offending field or field set: number
+Short description:
+  Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+```
+
+Removing `--strict` will display a warning message, but the script will finish its run successfully:
+
+```
+$ python scripts/generator.py --ref v1.4.0
+Loading schemas from git ref v1.4.0
+Running generator. ECS version 1.4.0
+/Users/ericbeahan/dev/ecs/scripts/generators/ecs_helpers.py:176: UserWarning: Short descriptions must be single line, and under 120 characters (current length: 134).
+Offending field or field set: number
+Short description:
+  Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+This will cause an exception when running in strict mode.
+```
+
 #### Intermediate-Only
 
 The `--intermediate-only` argument is used for debugging purposes. It only generates the ["intermediate files"](generated/ecs), `ecs_flat.yml` and `ecs_nested.yml`, without generating the rest of the artifacts.
diff --git a/scripts/generator.py b/scripts/generator.py
index b7ae2a4b2f..733f4155fe 100644
--- a/scripts/generator.py
+++ b/scripts/generator.py
@@ -41,7 +41,7 @@ def main():
     # ecs_helpers.yaml_dump('ecs.yml', fields)
 
     fields = loader.load_schemas(ref=args.ref, included_files=args.include)
-    cleaner.clean(fields)
+    cleaner.clean(fields, strict=args.strict)
     finalizer.finalize(fields)
     fields = subset_filter.filter(fields, args.subset, out_dir)
     nested, flat = intermediate_files.generate(fields, os.path.join(out_dir, 'ecs'), default_dirs)
@@ -72,6 +72,8 @@ def argument_parser():
                         help='index template settings to use when generating elasticsearch template')
     parser.add_argument('--mapping-settings', action='store',
                         help='mapping settings to use when generating elasticsearch template')
+    parser.add_argument('--strict', action='store_true',
+                        help='enforce stricter checking at schema cleanup')
     args = parser.parse_args()
     # Clean up empty include of the Makefile
     if args.include and [''] == args.include:
diff --git a/scripts/generators/ecs_helpers.py b/scripts/generators/ecs_helpers.py
index 911a3c9968..275c0569ac 100644
--- a/scripts/generators/ecs_helpers.py
+++ b/scripts/generators/ecs_helpers.py
@@ -2,6 +2,7 @@
 import os
 import yaml
 import git
+import warnings
 
 from collections import OrderedDict
 from copy import deepcopy
@@ -159,3 +160,17 @@ def list_extract_keys(lst, key_name):
 def is_intermediate(field):
     '''Encapsulates the check to see if a field is an intermediate field or a "real" field.'''
     return ('intermediate' in field['field_details'] and field['field_details']['intermediate'])
+
+
+# Warning helper
+
+
+def strict_warning(msg):
+    """Call warnings.warn(msg) for operations that would throw an Exception
+       if operating in `--strict` mode. Allows a custom message to be passed.
+
+    :param msg: custom text which will be displayed with wrapped boilerplate
+                for strict warning messages.
+    """
+    warn_message = f"{msg}\n\nThis will cause an exception when running in strict mode."
+    warnings.warn(warn_message)
diff --git a/scripts/schema/cleaner.py b/scripts/schema/cleaner.py
index ec48598bea..5f62b2daac 100644
--- a/scripts/schema/cleaner.py
+++ b/scripts/schema/cleaner.py
@@ -19,7 +19,9 @@
 # deal with final field names either.
 
 
-def clean(fields):
+def clean(fields, strict=False):
+    global strict_mode
+    strict_mode = strict
     visitor.visit_fields(fields, fieldset_func=schema_cleanup, field_func=field_cleanup)
 
 
@@ -46,7 +48,7 @@ def schema_cleanup(schema):
     else:
         schema['schema_details']['prefix'] = schema['field_details']['name'] + '.'
     normalize_reuse_notation(schema)
-    # Final validity check
+    # Final validity check if in strict mode
     schema_assertions_and_warnings(schema)
 
 
@@ -73,7 +75,7 @@ def schema_mandatory_attributes(schema):
 
 def schema_assertions_and_warnings(schema):
     '''Additional checks on a fleshed out schema'''
-    single_line_short_description(schema)
+    single_line_short_description(schema, strict=strict_mode)
 
 
 def normalize_reuse_notation(schema):
@@ -165,7 +167,8 @@ def field_mandatory_attributes(field):
 def field_assertions_and_warnings(field):
     '''Additional checks on a fleshed out field'''
     if not ecs_helpers.is_intermediate(field):
-        single_line_short_description(field)
+        # check short description length if in strict mode
+        single_line_short_description(field, strict=strict_mode)
         if field['field_details']['level'] not in ACCEPTABLE_FIELD_LEVELS:
             msg = "Invalid level for field '{}'.\nValue: {}\nAcceptable values: {}".format(
                 field['field_details']['name'], field['field_details']['level'],
@@ -178,7 +181,7 @@ def field_assertions_and_warnings(field):
 SHORT_LIMIT = 120
 
 
-def single_line_short_description(schema_or_field):
+def single_line_short_description(schema_or_field, strict=True):
     short_length = len(schema_or_field['field_details']['short'])
     if "\n" in schema_or_field['field_details']['short'] or short_length > SHORT_LIMIT:
         msg = "Short descriptions must be single line, and under {} characters (current length: {}).\n".format(
@@ -186,4 +189,7 @@ def single_line_short_description(schema_or_field):
         msg += "Offending field or field set: {}\nShort description:\n  {}".format(
             schema_or_field['field_details']['name'],
             schema_or_field['field_details']['short'])
-        raise ValueError(msg)
+        if strict:
+            raise ValueError(msg)
+        else:
+            ecs_helpers.strict_warning(msg)
diff --git a/scripts/tests/unit/test_schema_cleaner.py b/scripts/tests/unit/test_schema_cleaner.py
index ed82218706..4c20fac01f 100644
--- a/scripts/tests/unit/test_schema_cleaner.py
+++ b/scripts/tests/unit/test_schema_cleaner.py
@@ -262,6 +262,26 @@ def test_multiline_short_description_raises(self):
         with self.assertRaisesRegex(ValueError, 'single line'):
             cleaner.single_line_short_description(schema)
 
+    def test_very_long_short_description_warns_strict_disabled(self):
+        schema = {'field_details': {
+            'name': 'fake_schema',
+            'short': "Single line but really long. " * 10}}
+        try:
+            with self.assertWarnsRegex(UserWarning, 'under 120 characters \(current length: 290\)'):
+                cleaner.single_line_short_description(schema, strict=False)
+        except Exception:
+            self.fail("cleaner.single_line_short_description() raised Exception unexpectedly.")
+
+    def test_multiline_short_description_warns_strict_disabled(self):
+        schema = {'field_details': {
+            'name': 'fake_schema',
+            'short': "multiple\nlines"}}
+        try:
+            with self.assertWarnsRegex(UserWarning, 'single line'):
+                cleaner.single_line_short_description(schema, strict=False)
+        except Exception:
+            self.fail("cleaner.single_line_short_description() raised Exception unexpectedly.")
+
     def test_clean(self):
         '''A high level sanity test'''
         fields = self.schema_process()

From 214a01cfcdb65a68f23e402533c913ce2fdc101d Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Wed, 23 Sep 2020 14:39:55 -0500
Subject: [PATCH 12/90] [1.x] Add example value composite type checking (#966)
 (#976)

* Add example value composite type checking (#966)
* generate csv artifact
---
 CHANGELOG.next.md                         |  1 +
 USAGE.md                                  |  1 +
 docs/field-details.asciidoc               | 14 +++---
 generated/beats/fields.ecs.yml            | 37 ++++-----------
 generated/csv/fields.csv                  | 16 +++----
 generated/ecs/ecs_flat.yml                | 37 ++++-----------
 generated/ecs/ecs_nested.yml              | 37 ++++-----------
 schemas/README.md                         |  4 +-
 schemas/dns.yml                           |  4 +-
 schemas/process.yml                       |  2 +-
 schemas/rule.yml                          |  2 +-
 schemas/tls.yml                           |  6 +--
 scripts/schema/cleaner.py                 | 16 +++++++
 scripts/tests/unit/test_schema_cleaner.py | 58 +++++++++++++++++++++++
 14 files changed, 128 insertions(+), 107 deletions(-)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 1984f60434..d366755da5 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -38,6 +38,7 @@ Thanks, you're awesome :-) -->
 #### Added
 
 * Introduced `--strict` flag to perform stricter schema validation when running the generator script. #937
+* Added check under `--strict` that ensures composite types in example fields are quoted. #966
 
 #### Improvements
 
diff --git a/USAGE.md b/USAGE.md
index ffa2ca2e06..e70da6b14f 100644
--- a/USAGE.md
+++ b/USAGE.md
@@ -308,6 +308,7 @@ $ python/generator.py --strict
 Strict mode requires the following conditions, else the script exits on an exception:
 
 * Short descriptions must be less than or equal to 120 characters.
+* Example values containing arrays or objects must be quoted to avoid unexpected YAML interpretation when the schema files or artifacts are relied on downstream.
 
 The current artifacts generated and published in the ECS repo will always be created using strict mode. However, older ECS versions (pre `v1.5.0`) will cause
 an exception if attempting to generate them using `--strict`. This is due to schema validation checks introduced after that version was released.
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index da97a3c5f8..2f06d7194d 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -1211,7 +1211,7 @@ Note: this field should contain an array of values.
 
 
 
-example: `['RD', 'RA']`
+example: `["RD", "RA"]`
 
 | extended
 
@@ -1343,7 +1343,7 @@ Note: this field should contain an array of values.
 
 
 
-example: `['10.10.10.10', '10.10.10.11']`
+example: `["10.10.10.10", "10.10.10.11"]`
 
 | extended
 
@@ -4205,7 +4205,7 @@ Note: this field should contain an array of values.
 
 
 
-example: `['/usr/bin/ssh', '-l', 'user', '10.0.0.16']`
+example: `["/usr/bin/ssh", "-l", "user", "10.0.0.16"]`
 
 | extended
 
@@ -4718,7 +4718,7 @@ Note: this field should contain an array of values.
 
 
 
-example: `['Star-Lord']`
+example: `["Star-Lord"]`
 
 | extended
 
@@ -5624,7 +5624,7 @@ Note: this field should contain an array of values.
 
 
 
-example: `['MII...', 'MII...']`
+example: `["MII...", "MII..."]`
 
 | extended
 
@@ -5757,7 +5757,7 @@ Note: this field should contain an array of values.
 
 
 
-example: `['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...']`
+example: `["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."]`
 
 | extended
 
@@ -5838,7 +5838,7 @@ Note: this field should contain an array of values.
 
 
 
-example: `['MII...', 'MII...']`
+example: `["MII...", "MII..."]`
 
 | extended
 
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index c632daaead..573abe8499 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -1013,9 +1013,7 @@
       description: 'Array of 2 letter DNS header flags.
 
         Expected values are: AA, TC, RD, RA, AD, CD, DO.'
-      example:
-      - RD
-      - RA
+      example: '["RD", "RA"]'
     - name: id
       level: extended
       type: keyword
@@ -1096,9 +1094,7 @@
         formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip`
         makes it possible to index them as IP addresses, and makes them easier to
         visualize and query for.'
-      example:
-      - 10.10.10.10
-      - 10.10.10.11
+      example: '["10.10.10.10", "10.10.10.11"]'
     - name: response_code
       level: extended
       type: keyword
@@ -3229,11 +3225,7 @@
         the executable.
 
         May be filtered to protect sensitive information.'
-      example:
-      - /usr/bin/ssh
-      - -l
-      - user
-      - 10.0.0.16
+      example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
     - name: args_count
       level: extended
       type: long
@@ -3376,11 +3368,7 @@
         the executable.
 
         May be filtered to protect sensitive information.'
-      example:
-      - /usr/bin/ssh
-      - -l
-      - user
-      - 10.0.0.16
+      example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
       default_field: false
     - name: parent.args_count
       level: extended
@@ -3884,8 +3872,7 @@
       ignore_above: 1024
       description: Name, organization, or pseudonym of the author or authors who created
         the rule used to generate this event.
-      example:
-      - Star-Lord
+      example: '["Star-Lord"]'
       default_field: false
     - name: category
       level: extended
@@ -4652,9 +4639,7 @@
       description: Array of PEM-encoded certificates that make up the certificate
         chain offered by the client. This is usually mutually-exclusive of `client.certificate`
         since that value should be the first certificate in the chain.
-      example:
-      - MII...
-      - MII...
+      example: '["MII...", "MII..."]'
       default_field: false
     - name: client.hash.md5
       level: extended
@@ -4735,10 +4720,8 @@
       type: keyword
       ignore_above: 1024
       description: Array of ciphers offered by the client during the client hello.
-      example:
-      - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-      - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-      - '...'
+      example: '["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+        "..."]'
       default_field: false
     - name: client.x509.alternative_names
       level: extended
@@ -4955,9 +4938,7 @@
       description: Array of PEM-encoded certificates that make up the certificate
         chain offered by the server. This is usually mutually-exclusive of `server.certificate`
         since that value should be the first certificate in the chain.
-      example:
-      - MII...
-      - MII...
+      example: '["MII...", "MII..."]'
       default_field: false
     - name: server.hash.md5
       level: extended
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index 593be1ee68..5b56c77a2a 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -117,7 +117,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.7.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains.
 1.7.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded.
 1.7.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record.
-1.7.0-dev,true,dns,dns.header_flags,keyword,extended,array,"['RD', 'RA']",Array of DNS header flags.
+1.7.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags.
 1.7.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
 1.7.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message.
 1.7.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried.
@@ -126,7 +126,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.7.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain.
 1.7.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
 1.7.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried.
-1.7.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"['10.10.10.10', '10.10.10.11']",Array containing all IPs seen in answers.data
+1.7.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data
 1.7.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code.
 1.7.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer."
 1.7.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
@@ -362,7 +362,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.7.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes.
 1.7.0-dev,true,package,package.type,keyword,extended,,rpm,Package type
 1.7.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version
-1.7.0-dev,true,process,process.args,keyword,extended,array,"['/usr/bin/ssh', '-l', 'user', '10.0.0.16']",Array of process arguments.
+1.7.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
 1.7.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array.
 1.7.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
 1.7.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
@@ -381,7 +381,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.7.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash.
 1.7.0-dev,true,process,process.name,keyword,extended,,ssh,Process name.
 1.7.0-dev,true,process,process.name.text,text,extended,,ssh,Process name.
-1.7.0-dev,true,process,process.parent.args,keyword,extended,array,"['/usr/bin/ssh', '-l', 'user', '10.0.0.16']",Array of process arguments.
+1.7.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
 1.7.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
 1.7.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
 1.7.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
@@ -447,7 +447,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.7.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event.
 1.7.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event.
 1.7.0-dev,true,related,related.user,keyword,extended,array,,All the user names seen on your event.
-1.7.0-dev,true,rule,rule.author,keyword,extended,array,['Star-Lord'],Rule author
+1.7.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author
 1.7.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category
 1.7.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description
 1.7.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID
@@ -547,7 +547,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.7.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference.
 1.7.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection.
 1.7.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client.
-1.7.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"['MII...', 'MII...']",Array of PEM-encoded certificates that make up the certificate chain offered by the client.
+1.7.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client.
 1.7.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client.
 1.7.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client.
 1.7.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client.
@@ -557,7 +557,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.7.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid.
 1.7.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI.
 1.7.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client.
-1.7.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...']",Array of ciphers offered by the client during the client hello.
+1.7.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello.
 1.7.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
 1.7.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
 1.7.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
@@ -587,7 +587,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.7.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled.
 1.7.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
 1.7.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server.
-1.7.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"['MII...', 'MII...']",Array of PEM-encoded certificates that make up the certificate chain offered by the server.
+1.7.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server.
 1.7.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server.
 1.7.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server.
 1.7.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server.
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index c27228d794..43a72942f3 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -1384,9 +1384,7 @@ dns.header_flags:
   description: 'Array of 2 letter DNS header flags.
 
     Expected values are: AA, TC, RD, RA, AD, CD, DO.'
-  example:
-  - RD
-  - RA
+  example: '["RD", "RA"]'
   flat_name: dns.header_flags
   ignore_above: 1024
   level: extended
@@ -1514,9 +1512,7 @@ dns.resolved_ip:
     it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip`
     makes it possible to index them as IP addresses, and makes them easier to visualize
     and query for.'
-  example:
-  - 10.10.10.10
-  - 10.10.10.11
+  example: '["10.10.10.10", "10.10.10.11"]'
   flat_name: dns.resolved_ip
   level: extended
   name: resolved_ip
@@ -4777,11 +4773,7 @@ process.args:
     executable.
 
     May be filtered to protect sensitive information.'
-  example:
-  - /usr/bin/ssh
-  - -l
-  - user
-  - 10.0.0.16
+  example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
   flat_name: process.args
   ignore_above: 1024
   level: extended
@@ -5007,11 +4999,7 @@ process.parent.args:
     executable.
 
     May be filtered to protect sensitive information.'
-  example:
-  - /usr/bin/ssh
-  - -l
-  - user
-  - 10.0.0.16
+  example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
   flat_name: process.parent.args
   ignore_above: 1024
   level: extended
@@ -5778,8 +5766,7 @@ rule.author:
   dashed_name: rule-author
   description: Name, organization, or pseudonym of the author or authors who created
     the rule used to generate this event.
-  example:
-  - Star-Lord
+  example: '["Star-Lord"]'
   flat_name: rule.author
   ignore_above: 1024
   level: extended
@@ -6998,9 +6985,7 @@ tls.client.certificate_chain:
   description: Array of PEM-encoded certificates that make up the certificate chain
     offered by the client. This is usually mutually-exclusive of `client.certificate`
     since that value should be the first certificate in the chain.
-  example:
-  - MII...
-  - MII...
+  example: '["MII...", "MII..."]'
   flat_name: tls.client.certificate_chain
   ignore_above: 1024
   level: extended
@@ -7126,10 +7111,8 @@ tls.client.subject:
 tls.client.supported_ciphers:
   dashed_name: tls-client-supported-ciphers
   description: Array of ciphers offered by the client during the client hello.
-  example:
-  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-  - '...'
+  example: '["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+    "..."]'
   flat_name: tls.client.supported_ciphers
   ignore_above: 1024
   level: extended
@@ -7508,9 +7491,7 @@ tls.server.certificate_chain:
   description: Array of PEM-encoded certificates that make up the certificate chain
     offered by the server. This is usually mutually-exclusive of `server.certificate`
     since that value should be the first certificate in the chain.
-  example:
-  - MII...
-  - MII...
+  example: '["MII...", "MII..."]'
   flat_name: tls.server.certificate_chain
   ignore_above: 1024
   level: extended
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index 490b00eb74..c56839e37b 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -1735,9 +1735,7 @@ dns:
       description: 'Array of 2 letter DNS header flags.
 
         Expected values are: AA, TC, RD, RA, AD, CD, DO.'
-      example:
-      - RD
-      - RA
+      example: '["RD", "RA"]'
       flat_name: dns.header_flags
       ignore_above: 1024
       level: extended
@@ -1866,9 +1864,7 @@ dns:
         formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip`
         makes it possible to index them as IP addresses, and makes them easier to
         visualize and query for.'
-      example:
-      - 10.10.10.10
-      - 10.10.10.11
+      example: '["10.10.10.10", "10.10.10.11"]'
       flat_name: dns.resolved_ip
       level: extended
       name: resolved_ip
@@ -5824,11 +5820,7 @@ process:
         the executable.
 
         May be filtered to protect sensitive information.'
-      example:
-      - /usr/bin/ssh
-      - -l
-      - user
-      - 10.0.0.16
+      example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
       flat_name: process.args
       ignore_above: 1024
       level: extended
@@ -6054,11 +6046,7 @@ process:
         the executable.
 
         May be filtered to protect sensitive information.'
-      example:
-      - /usr/bin/ssh
-      - -l
-      - user
-      - 10.0.0.16
+      example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
       flat_name: process.parent.args
       ignore_above: 1024
       level: extended
@@ -6890,8 +6878,7 @@ rule:
       dashed_name: rule-author
       description: Name, organization, or pseudonym of the author or authors who created
         the rule used to generate this event.
-      example:
-      - Star-Lord
+      example: '["Star-Lord"]'
       flat_name: rule.author
       ignore_above: 1024
       level: extended
@@ -8193,9 +8180,7 @@ tls:
       description: Array of PEM-encoded certificates that make up the certificate
         chain offered by the client. This is usually mutually-exclusive of `client.certificate`
         since that value should be the first certificate in the chain.
-      example:
-      - MII...
-      - MII...
+      example: '["MII...", "MII..."]'
       flat_name: tls.client.certificate_chain
       ignore_above: 1024
       level: extended
@@ -8324,10 +8309,8 @@ tls:
     tls.client.supported_ciphers:
       dashed_name: tls-client-supported-ciphers
       description: Array of ciphers offered by the client during the client hello.
-      example:
-      - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-      - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-      - '...'
+      example: '["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+        "..."]'
       flat_name: tls.client.supported_ciphers
       ignore_above: 1024
       level: extended
@@ -8706,9 +8689,7 @@ tls:
       description: Array of PEM-encoded certificates that make up the certificate
         chain offered by the server. This is usually mutually-exclusive of `server.certificate`
         since that value should be the first certificate in the chain.
-      example:
-      - MII...
-      - MII...
+      example: '["MII...", "MII..."]'
       flat_name: tls.server.certificate_chain
       ignore_above: 1024
       level: extended
diff --git a/schemas/README.md b/schemas/README.md
index 9d1ac97696..c87be195a3 100644
--- a/schemas/README.md
+++ b/schemas/README.md
@@ -125,7 +125,9 @@ Supported keys to describe fields
   Defaults to the main description when absent.
   If the main description has multiple paragraphs, then a 'short' description
   with no newlines is required.
-- example (optional): A single value example of what can be expected in this field
+- example (optional): A single value example of what can be expected in this field.
+  Example values that are composite types (array, object) should be quoted to avoid YAML interpretation
+  in ECS-generated artifacts and other downstream projects depending on the schema.
 - multi\_fields (optional): Specify additional ways to index the field.
 - index (optional): If `False`, means field is not indexed (overrides type)
 - format: Field format that can be used in a Kibana index template.
diff --git a/schemas/dns.yml b/schemas/dns.yml
index 0c396a4a0f..afe11a190a 100644
--- a/schemas/dns.yml
+++ b/schemas/dns.yml
@@ -54,7 +54,7 @@
         Array of 2 letter DNS header flags.
 
         Expected values are: AA, TC, RD, RA, AD, CD, DO.
-      example: [RD, RA]
+      example: "[\"RD\", \"RA\"]"
       normalize:
         - array
 
@@ -205,6 +205,6 @@
         data formats it can contain. Extracting all IP addresses seen in there to
         `dns.resolved_ip` makes it possible to index them as IP addresses, and
         makes them easier to visualize and query for.
-      example: [10.10.10.10, 10.10.10.11]
+      example: '["10.10.10.10", "10.10.10.11"]'
       normalize:
         - array
diff --git a/schemas/process.yml b/schemas/process.yml
index b8f1f4b11e..13ec63c07f 100644
--- a/schemas/process.yml
+++ b/schemas/process.yml
@@ -92,7 +92,7 @@
         Array of process arguments, starting with the absolute path to the executable.
 
         May be filtered to protect sensitive information.
-      example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"]
+      example: "[\"/usr/bin/ssh\", \"-l\", \"user\", \"10.0.0.16\"]"
       normalize:
         - array
 
diff --git a/schemas/rule.yml b/schemas/rule.yml
index a9f6966705..c0daf79892 100644
--- a/schemas/rule.yml
+++ b/schemas/rule.yml
@@ -88,7 +88,7 @@
       description: >
         Name, organization, or pseudonym of the author or authors who created the rule used to generate this event.
 
-      example: ['Star-Lord']
+      example: "[\"Star-Lord\"]"
       normalize:
         - array
 
diff --git a/schemas/tls.yml b/schemas/tls.yml
index 569f09d54a..3ecacb041a 100644
--- a/schemas/tls.yml
+++ b/schemas/tls.yml
@@ -73,7 +73,7 @@
       type: keyword
       level: extended
       description: Array of ciphers offered by the client during the client hello.
-      example: ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."]
+      example: "[\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\", \"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\", \"...\"]"
       normalize:
         - array
 
@@ -109,7 +109,7 @@
         Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is
         usually mutually-exclusive of `client.certificate` since that value should be the first certificate
         in the chain.
-      example: ["MII...", "MII..."]
+      example: "[\"MII...\", \"MII...\"]"
       normalize:
         - array
 
@@ -188,7 +188,7 @@
         Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is
         usually mutually-exclusive of `server.certificate` since that value should be the first certificate
         in the chain.
-      example: ["MII...", "MII..."]
+      example: "[\"MII...\", \"MII...\"]"
       normalize:
         - array
 
diff --git a/scripts/schema/cleaner.py b/scripts/schema/cleaner.py
index 5f62b2daac..5f15d459fe 100644
--- a/scripts/schema/cleaner.py
+++ b/scripts/schema/cleaner.py
@@ -169,6 +169,7 @@ def field_assertions_and_warnings(field):
     if not ecs_helpers.is_intermediate(field):
         # check short description length if in strict mode
         single_line_short_description(field, strict=strict_mode)
+        check_example_value(field, strict=strict_mode)
         if field['field_details']['level'] not in ACCEPTABLE_FIELD_LEVELS:
             msg = "Invalid level for field '{}'.\nValue: {}\nAcceptable values: {}".format(
                 field['field_details']['name'], field['field_details']['level'],
@@ -193,3 +194,18 @@ def single_line_short_description(schema_or_field, strict=True):
             raise ValueError(msg)
         else:
             ecs_helpers.strict_warning(msg)
+
+
+def check_example_value(field, strict=True):
+    """
+    Checks if value of the example field is of type list or dict.
+    Fails or warns (depending on strict mode) if so.
+    """
+    example_value = field['field_details'].get('example', None)
+    if isinstance(example_value, (list, dict)):
+        name = field['field_details']['name']
+        msg = f"Example value for field `{name}` contains an object or array which must be quoted to avoid YAML interpretation."
+        if strict:
+            raise ValueError(msg)
+        else:
+            ecs_helpers.strict_warning(msg)
diff --git a/scripts/tests/unit/test_schema_cleaner.py b/scripts/tests/unit/test_schema_cleaner.py
index 4c20fac01f..8298a32bb3 100644
--- a/scripts/tests/unit/test_schema_cleaner.py
+++ b/scripts/tests/unit/test_schema_cleaner.py
@@ -282,6 +282,64 @@ def test_multiline_short_description_warns_strict_disabled(self):
         except Exception:
             self.fail("cleaner.single_line_short_description() raised Exception unexpectedly.")
 
+    def test_field_example_value_is_object_raises(self):
+        field = {
+            'field_details': {
+                'name': 'test',
+                'example': {
+                    'a': 'bob',
+                    'b': 'alice'
+                }
+            }
+        }
+        with self.assertRaisesRegex(ValueError, 'contains an object or array'):
+            cleaner.check_example_value(field)
+
+    def test_field_example_value_is_array_raises(self):
+        field = {
+            'field_details': {
+                'name': 'test',
+                'example': [
+                    'bob',
+                    'alice'
+                ]
+            }
+        }
+        with self.assertRaisesRegex(ValueError, 'contains an object or array'):
+            cleaner.check_example_value(field)
+
+    def test_example_field_value_is_object_warns_strict_disabled(self):
+        field = {
+            'field_details': {
+                'name': 'test',
+                'example': {
+                    'a': 'bob',
+                    'b': 'alice'
+                }
+            }
+        }
+        try:
+            with self.assertWarnsRegex(UserWarning, 'contains an object or array'):
+                cleaner.check_example_value(field, strict=False)
+        except Exception:
+            self.fail("cleaner.check_example_value() raised Exception unexpectedly.")
+
+    def test_example_field_value_is_array_warns_strict_disabled(self):
+        field = {
+            'field_details': {
+                'name': 'test',
+                'example': [
+                    'bob',
+                    'alice'
+                ]
+            }
+        }
+        try:
+            with self.assertWarnsRegex(UserWarning, 'contains an object or array'):
+                cleaner.check_example_value(field, strict=False)
+        except Exception:
+            self.fail("cleaner.check_example_value() raised Exception unexpectedly.")
+
     def test_clean(self):
         '''A high level sanity test'''
         fields = self.schema_process()

From 7633cb0c8f0f81f84c2b5f0e41f93cd1713d6c66 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Wed, 23 Sep 2020 17:04:46 -0500
Subject: [PATCH 13/90] [1.x] Add event category configuration (#963) (#977)

---
 CHANGELOG.next.md            |  1 +
 docs/field-details.asciidoc  |  2 +-
 docs/field-values.asciidoc   | 15 +++++++++++++++
 generated/ecs/ecs_flat.yml   | 13 +++++++++++++
 generated/ecs/ecs_nested.yml | 13 +++++++++++++
 schemas/event.yml            | 13 +++++++++++++
 6 files changed, 56 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index d366755da5..4242d8e467 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -20,6 +20,7 @@ Thanks, you're awesome :-) -->
 
 * Added Mime Type fields to HTTP request and response. #944
 * Added `threat.technique.subtechnique` to capture MITRE ATT&CK® subtechniques. #951
+* Added `configuration` as an allowed `event.category`. #963
 
 #### Improvements
 
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index 2f06d7194d..773c61cce0 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -1546,7 +1546,7 @@ Note: this field should contain an array of values.
 
 *Important*: The field value must be one of the following:
 
-authentication, database, driver, file, host, iam, intrusion_detection, malware, network, package, process, web
+authentication, configuration, database, driver, file, host, iam, intrusion_detection, malware, network, package, process, web
 
 To learn more about when to use which value, visit the page
 <<ecs-allowed-values-event-category,allowed values for event.category>>
diff --git a/docs/field-values.asciidoc b/docs/field-values.asciidoc
index 4e4bb8a61e..1ef4b8e072 100644
--- a/docs/field-values.asciidoc
+++ b/docs/field-values.asciidoc
@@ -133,6 +133,7 @@ that will require subsequent breaking changes.
 *Allowed Values*
 
 * <<ecs-event-category-authentication,authentication>>
+* <<ecs-event-category-configuration,configuration>>
 * <<ecs-event-category-database,database>>
 * <<ecs-event-category-driver,driver>>
 * <<ecs-event-category-file,file>>
@@ -157,6 +158,20 @@ Events in this category are related to the challenge and response process in whi
 start, end, info
 
 
+[float]
+[[ecs-event-category-configuration]]
+==== configuration
+
+Events in the configuration category have to deal with creating, modifying, or deleting the settings or parameters of an application, process, or system.
+
+Example sources include security policy change logs, configuration auditing logging, and system integrity monitoring.
+
+
+*Expected event types for category configuration:*
+
+access, change, creation, deletion, info
+
+
 [float]
 [[ecs-event-category-database]]
 ==== database
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index 43a72942f3..64540cebfe 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -1651,6 +1651,19 @@ event.category:
     - end
     - info
     name: authentication
+  - description: 'Events in the configuration category have to deal with creating,
+      modifying, or deleting the settings or parameters of an application, process,
+      or system.
+
+      Example sources include security policy change logs, configuration auditing
+      logging, and system integrity monitoring.'
+    expected_event_types:
+    - access
+    - change
+    - creation
+    - deletion
+    - info
+    name: configuration
   - description: The database category denotes events and metrics relating to a data
       storage and retrieval system. Note that use of this category is not limited
       to relational database systems. Examples include event logs from MS SQL, MySQL,
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index c56839e37b..ee213ac0c8 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -2044,6 +2044,19 @@ event:
         - end
         - info
         name: authentication
+      - description: 'Events in the configuration category have to deal with creating,
+          modifying, or deleting the settings or parameters of an application, process,
+          or system.
+
+          Example sources include security policy change logs, configuration auditing
+          logging, and system integrity monitoring.'
+        expected_event_types:
+        - access
+        - change
+        - creation
+        - deletion
+        - info
+        name: configuration
       - description: The database category denotes events and metrics relating to
           a data storage and retrieval system. Note that use of this category is not
           limited to relational database systems. Examples include event logs from
diff --git a/schemas/event.yml b/schemas/event.yml
index 74e99b99fe..6778790784 100644
--- a/schemas/event.yml
+++ b/schemas/event.yml
@@ -141,6 +141,19 @@
             - start
             - end
             - info
+        - name: configuration
+          description: >
+            Events in the configuration category have to deal with creating, modifying, or
+            deleting the settings or parameters of an application, process, or system.
+
+            Example sources include security policy change logs, configuration auditing logging,
+            and system integrity monitoring.
+          expected_event_types:
+            - access
+            - change
+            - creation
+            - deletion
+            - info
         - name: database
           description: >
             The database category denotes events and metrics relating to a data storage

From 5b353fe4460f6a8b3ef30dc04e51dcb85561a839 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Thu, 24 Sep 2020 17:33:31 -0500
Subject: [PATCH 14/90] [1.x] Add normalizer multi-field capability (#971)
 (#978)

Co-authored-by: Eric Beahan <ebeahan@gmail.com>

Co-authored-by: Madison Caldwell <madison.rey.caldwell@gmail.com>
---
 CHANGELOG.next.md                 | 1 +
 scripts/generators/beats.py       | 2 +-
 scripts/generators/es_template.py | 7 +++++--
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 4242d8e467..406fce958c 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -40,6 +40,7 @@ Thanks, you're awesome :-) -->
 
 * Introduced `--strict` flag to perform stricter schema validation when running the generator script. #937
 * Added check under `--strict` that ensures composite types in example fields are quoted. #966
+* Added `ignore_above` and `normalizer` support for keyword multi-fields. #971
 
 #### Improvements
 
diff --git a/scripts/generators/beats.py b/scripts/generators/beats.py
index f77729732d..f305261407 100644
--- a/scripts/generators/beats.py
+++ b/scripts/generators/beats.py
@@ -35,7 +35,7 @@ def fieldset_field_array(source_fields, df_whitelist, fieldset_prefix):
                     'ignore_above', 'multi_fields', 'format', 'input_format',
                     'output_format', 'output_precision', 'description',
                     'example', 'enabled', 'index']
-    multi_fields_allowed_keys = ['name', 'type', 'norms', 'default_field']
+    multi_fields_allowed_keys = ['name', 'type', 'norms', 'default_field', 'normalizer', 'ignore_above']
 
     fields = []
     for nested_field_name in source_fields:
diff --git a/scripts/generators/es_template.py b/scripts/generators/es_template.py
index 536e8d3315..5bf264a784 100644
--- a/scripts/generators/es_template.py
+++ b/scripts/generators/es_template.py
@@ -63,8 +63,11 @@ def entry_for(field):
         if 'multi_fields' in field:
             field_entry['fields'] = {}
             for mf in field['multi_fields']:
-                mf_entry = {'type': mf['type']}
-                if mf['type'] == 'text':
+                mf_type = mf['type']
+                mf_entry = {'type': mf_type}
+                if mf_type == 'keyword':
+                    ecs_helpers.dict_copy_existing_keys(mf, mf_entry, ['normalizer', 'ignore_above'])
+                elif mf_type == 'text':
                     ecs_helpers.dict_copy_existing_keys(mf, mf_entry, ['norms'])
                 field_entry['fields'][mf['name']] = mf_entry
 

From c5ccecc21917a793a27ddcbb3f4eb91397ca86b2 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Tue, 29 Sep 2020 12:59:43 -0500
Subject: [PATCH 15/90] [1.x] Add mapping network event guidance doc (#969)
 (#983)

---
 CHANGELOG.next.md                          |   1 +
 docs/additional.asciidoc                   |   1 +
 docs/using-mapping-network-events.asciidoc | 267 +++++++++++++++++++++
 docs/using.asciidoc                        |   6 +-
 4 files changed, 274 insertions(+), 1 deletion(-)
 create mode 100644 docs/using-mapping-network-events.asciidoc

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 406fce958c..b3b73b8bda 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -25,6 +25,7 @@ Thanks, you're awesome :-) -->
 #### Improvements
 
 * Expanded field set definitions for `source.*` and `destination.*`. #967
+* Provided better guidance for mapping network events. #969
 
 #### Deprecated
 
diff --git a/docs/additional.asciidoc b/docs/additional.asciidoc
index d42bcfbeec..a39747cac8 100644
--- a/docs/additional.asciidoc
+++ b/docs/additional.asciidoc
@@ -2,6 +2,7 @@
 == Additional Information
 
 * <<ecs-faq>>
+* <<ecs-mapping-network-events>>
 * <<ecs-glossary>>
 * <<ecs-contributing>>
 
diff --git a/docs/using-mapping-network-events.asciidoc b/docs/using-mapping-network-events.asciidoc
new file mode 100644
index 0000000000..90986f6a2f
--- /dev/null
+++ b/docs/using-mapping-network-events.asciidoc
@@ -0,0 +1,267 @@
+[[ecs-mapping-network-events]]
+=== Mapping Network Events
+
+Network events capture the details of one device communicating with another. The initiator is referred to as the source, and the recipient as the destination. Depending on the data source, a network event can contain details of addresses, protocols, headers, and device roles.
+
+This guide describes the different field sets available for network-related events in ECS and provides direction on the ECS best practices for mapping to them.
+
+[float]
+==== Source and destination baseline
+
+When an event contains details about the sending and receiving hosts, the baseline for capturing these values will be the <<ecs-source,source>> and <<ecs-destination,destination>> fields.
+
+Some events may also indicate each host's role in the exchange: client or server. When this information is available, the <<ecs-client,client>> and <<ecs-server,server>> fields should be used _in addition to_ the `source` and `destination` fields. The fields and values mapped under `source`/`destination` should be copied under `client`/`server`.
+
+[float]
+==== Network event mapping example
+
+Below is a DNS network event. The source device (`192.168.86.222`) makes a DNS query, acting as the client and the DNS server is the destination (`192.168.86.1`).
+
+Note this event contains additional details that would populate additional fields (such as the <<ecs-dns>>) if this was a complete mapping example. These additional fields are omitted here to focus on the network details.
+
+[source,json]
+----
+{
+  "ts":1599775747.53056,
+  "uid":"CYqFPH3nOAa0kPxA0d",
+  "id.orig_h":"192.168.86.222",
+  "id.orig_p":54162,
+  "id.resp_h":"192.168.86.1",
+  "id.resp_p":53,
+  "proto":"udp",
+  "trans_id":28899,
+  "rtt":0.02272200584411621,
+  "query":"example.com",
+  "qclass":1,
+  "qclass_name":"C_INTERNET",
+  "qtype":1,
+  "qtype_name":"A",
+  "rcode":0,
+  "rcode_name":"NOERROR",
+  "AA":false,
+  "TC":false,
+  "RD":true,
+  "RA":true,
+  "Z":0,
+  "answers":["93.184.216.34"],
+  "TTLs":[21209.0],
+  "rejected":false
+}
+----
+
+[float]
+==== Source and destination fields
+
+First, the `source.*` and `destination.*` field sets are populated:
+
+[source,json]
+----
+  "source": {
+    "ip": "192.168.86.222",
+    "port": 54162
+  }
+----
+
+[source,json]
+----
+  "destination": {
+    "ip": "192.168.86.1",
+    "port": 53
+  }
+----
+
+[float]
+==== Client and server fields
+
+Looking back at the original event, it shows the source device is the DNS client and the destination device is the DNS server. The values mapped under `source` and `destination` are copied and mapped under `client` and `server`, respectively:
+
+[source,json]
+----
+  "client": {
+    "ip": "192.168.86.222",
+    "port": 64734
+  }
+----
+
+[source,json]
+----
+  "server": {
+    "ip": "192.168.86.1",
+    "port": 53
+  }
+----
+
+Mapping both pairs of field sets gives query visibility of the same network transaction in two ways.
+
+* `source.ip:192.168.86.222` returns all events sourced from `192.168.86.222`, regardless its role in a transaction
+* `client.ip:192.168.86.222` returns all events with host `192.168.86.222` acting as a client
+
+The same applies for the `destination` and `server` fields:
+
+* `destination.ip:192.168.86.1` returns all events destined to `192.168.86.1`
+* `server.ip:192.168.86.1` returns all events with `192.168.86.1` acting as the server
+
+It's important to note that while the values for the `source` and `destination` fields may reverse between events in a single network transaction, the values for `client` and `server` typically will not. The following two tables demonstrate how two DNS transactions involving two clients and one server would map to `source.ip`/`destination.ip` vs. `client.ip`/`server.ip`:
+
+[options="header"]
+.Source/Destination
+|=====
+| source.ip | destination.ip | event
+
+// ===============================================================
+
+| 192.168.86.222
+| 192.168.86.1
+| DNS query request 1
+
+// ===============================================================
+
+| 192.168.86.1
+| 192.168.86.222
+| DNS answer response 1
+
+// ===============================================================
+
+| 192.168.86.42
+| 192.168.86.1
+| DNS answer request 2
+
+// ===============================================================
+
+| 192.168.86.1
+| 192.168.86.42
+| DNS answer request 2
+
+|=====
+
+[options="header"]
+.Client/Server
+|=====
+| client.ip | server.ip | event
+
+// ===============================================================
+
+| 192.168.86.222
+| 192.168.86.1
+| DNS query request 1
+
+// ===============================================================
+
+| 192.168.86.222
+| 192.168.86.1
+| DNS answer response 1
+
+// ===============================================================
+
+| 192.168.86.42
+| 192.168.86.1
+| DNS query request 2
+
+// ===============================================================
+
+| 192.168.86.42
+| 192.168.86.1
+| DNS answer response 2
+
+|=====
+
+[float]
+==== Related fields
+
+The `related.ip` field captures all the IPs present in the event in a single array:
+
+[source,json]
+----
+  "related": {
+    "ip": [
+      "192.168.86.222",
+      "192.168.86.1",
+      "93.184.216.34"
+    ]
+  }
+----
+
+The <<ecs-related,related fields>> are meant to facilitate pivoting. Since these IP addresses can appear in many different fields (`source.ip`, `destination.ip`, `client.ip`, `server.ip`, etc.), you can search for the IP trivially no matter what field it appears using a single query, e.g. `related.ip:192.168.86.222`.
+
+Network events are not only limited to using `related.ip`. If hostnames or other host identifiers were present in the event, `related.hosts` should be populated too.
+
+[float]
+==== Categorization using event fields
+
+When considering the <<ecs-category-field-values-reference, event categorization fields>>, the `category` and `type` fields are populated using their respective allowed values which best classify the source network event.
+
+[source,json]
+----
+  "event": {
+    "category": [
+      "network"
+    ],
+    "type": [
+      "connection",
+      "protocol"
+    ],
+    "kind": "event"
+  }
+----
+
+Most <<ecs-allowed-values-event-category,event.category>>/<<ecs-allowed-values-event-type,event.type>> ECS pairings are complete on their own. However, the pairing of `event.category:network` and `event.type:protocol` is an exception. When these two fields/value pairs both used to categorize an event, the `network.protocol` field should also be populated:
+
+[source,json]
+----
+  "network": {
+    "protocol": "dns",
+    "type": "ipv4",
+    "transport": "udp"
+  }
+----
+
+[float]
+==== Result
+
+Putting everything together covered so far, we have a final ECS-mapped event:
+
+[source,json]
+----
+{
+  "event": {
+    "category": [
+      "network"
+    ],
+    "type": [
+      "connection",
+      "protocol"
+    ],
+    "kind": "event"
+  },
+  "network": {
+    "protocol": "dns",
+    "type": "ipv4",
+    "transport": "udp"
+  },
+  "source": {
+    "ip": "192.168.86.222",
+    "port": 54162
+  },
+  "destination": {
+    "ip": "192.168.86.1",
+    "port": 53
+  },
+  "client": {
+    "ip": "192.168.86.222",
+    "port": 64734
+  },
+  "server": {
+    "ip": "192.168.86.1",
+    "port": 53
+  },
+  "related": {
+    "ip": [
+      "192.168.86.222",
+      "192.168.86.1",
+      "93.184.216.34"
+    ]
+  },
+  "dns": { ... }, <= Again, not diving into the DNS fields here but included for completeness.
+  "zeek": { "ts":1599775747.53056, ... } <= Original fields can optionally be kept around as custom fields.
+}
+----
diff --git a/docs/using.asciidoc b/docs/using.asciidoc
index fbce72bb27..e5d2358289 100644
--- a/docs/using.asciidoc
+++ b/docs/using.asciidoc
@@ -8,13 +8,17 @@ If you're new to ECS and would like an introduction on implementing and using
 the schema, check out the <<ecs-getting-started>> guide.
 
 Whether you're trying to recall a field name, implementing a solution that
-follows ECS, or proposing a change to  the schema, the <<ecs-guidelines>> and
+follows ECS, or proposing a change to the schema, the <<ecs-guidelines>> and
 <<ecs-conventions>> will help get you there.
 
 If you're wondering how to best capture event details that don't map to existing
 ECS fields, head over to <<ecs-custom-fields-in-ecs>>.
 
+<<ecs-mapping-network-events, Mapping network events>> provides a detailed walk-through of how to best map and
+categorize an example network event to the schema.
+
 include::using-getting-started.asciidoc[][]
 include::using-guidelines.asciidoc[]
 include::using-conventions.asciidoc[]
 include::using-custom-fields.asciidoc[]
+include::using-mapping-network-events.asciidoc[]

From 7897203355576fdd2495207d0a6165b3194f5121 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Tue, 29 Sep 2020 13:10:25 -0500
Subject: [PATCH 16/90] [1.x] Removing unneeded link under `Additional
 Information` (#984) (#985)

---
 docs/additional.asciidoc | 1 -
 1 file changed, 1 deletion(-)

diff --git a/docs/additional.asciidoc b/docs/additional.asciidoc
index a39747cac8..d42bcfbeec 100644
--- a/docs/additional.asciidoc
+++ b/docs/additional.asciidoc
@@ -2,7 +2,6 @@
 == Additional Information
 
 * <<ecs-faq>>
-* <<ecs-mapping-network-events>>
 * <<ecs-glossary>>
 * <<ecs-contributing>>
 

From 23abff61d0a81665abfe985374d29aa1e6b15574 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Wed, 30 Sep 2020 16:25:56 -0500
Subject: [PATCH 17/90] [1.x] Add discrete attribute to field details page
 headers (#989) (#990)

---
 CHANGELOG.next.md                  |  1 +
 docs/field-details.asciidoc        | 79 ++++++++++++++++++++++++++++++
 scripts/templates/field_details.j2 |  3 ++
 3 files changed, 83 insertions(+)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index b3b73b8bda..54ae430335 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -46,6 +46,7 @@ Thanks, you're awesome :-) -->
 #### Improvements
 
 * Field details Jinja2 template components have been consolidated into one template #897
+* Add `[discrete]` marker before each section header in field details. #989
 
 #### Deprecated
 
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index 773c61cce0..d13a5896c5 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -3,6 +3,7 @@
 
 The `base` field set contains all fields which are at the root of the events. These fields are common across all types of events.
 
+[discrete]
 ==== Base Field Details
 
 [options="header"]
@@ -89,6 +90,7 @@ The agent fields contain the data about the software entity, if any, that collec
 
 Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.
 
+[discrete]
 ==== Agent Field Details
 
 [options="header"]
@@ -194,6 +196,7 @@ example: `6.0.0-rc2`
 
 An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet.
 
+[discrete]
 ==== Autonomous System Field Details
 
 [options="header"]
@@ -236,6 +239,7 @@ example: `Google LLC`
 
 |=====
 
+[discrete]
 ==== Field Reuse
 
 The `as` fields are expected to be nested at: `client.as`, `destination.as`, `server.as`, `source.as`.
@@ -254,6 +258,7 @@ For TCP events, the client is the initiator of the TCP connection that sends the
 
 Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.
 
+[discrete]
 ==== Client Field Details
 
 [options="header"]
@@ -419,12 +424,14 @@ example: `co.uk`
 
 |=====
 
+[discrete]
 ==== Field Reuse
 
 
 
 
 [[ecs-client-nestings]]
+[discrete]
 ===== Field sets that can be nested under Client
 
 [options="header"]
@@ -459,6 +466,7 @@ example: `co.uk`
 
 Fields related to the cloud or infrastructure the events are coming from.
 
+[discrete]
 ==== Cloud Field Details
 
 [options="header"]
@@ -612,6 +620,7 @@ example: `us-east-1`
 
 These fields contain information about binary code signatures.
 
+[discrete]
 ==== Code Signature Field Details
 
 [options="header"]
@@ -693,6 +702,7 @@ example: `true`
 
 |=====
 
+[discrete]
 ==== Field Reuse
 
 The `code_signature` fields are expected to be nested at: `dll.code_signature`, `file.code_signature`, `process.code_signature`.
@@ -709,6 +719,7 @@ Container fields are used for meta information about the specific container that
 
 These fields help correlate data based containers from any runtime.
 
+[discrete]
 ==== Container Field Details
 
 [options="header"]
@@ -807,6 +818,7 @@ Destination fields capture details about the receiver of a network exchange/pack
 
 Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.
 
+[discrete]
 ==== Destination Field Details
 
 [options="header"]
@@ -972,12 +984,14 @@ example: `co.uk`
 
 |=====
 
+[discrete]
 ==== Field Reuse
 
 
 
 
 [[ecs-destination-nestings]]
+[discrete]
 ===== Field sets that can be nested under Destination
 
 [options="header"]
@@ -1022,6 +1036,7 @@ Many operating systems refer to "shared code libraries" with different names, bu
 
 * Dynamic library (`.dylib`) commonly used on macOS
 
+[discrete]
 ==== DLL Field Details
 
 [options="header"]
@@ -1060,12 +1075,14 @@ example: `C:\Windows\System32\kernel32.dll`
 
 |=====
 
+[discrete]
 ==== Field Reuse
 
 
 
 
 [[ecs-dll-nestings]]
+[discrete]
 ===== Field sets that can be nested under DLL
 
 [options="header"]
@@ -1102,6 +1119,7 @@ Fields describing DNS queries and answers.
 
 DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`).
 
+[discrete]
 ==== DNS Field Details
 
 [options="header"]
@@ -1386,6 +1404,7 @@ example: `answer`
 
 Meta-information specific to ECS.
 
+[discrete]
 ==== ECS Field Details
 
 [options="header"]
@@ -1418,6 +1437,7 @@ These fields can represent errors of any kind.
 
 Use them for errors that happen while fetching events or in cases where the event itself contains an error.
 
+[discrete]
 ==== Error Field Details
 
 [options="header"]
@@ -1506,6 +1526,7 @@ The event fields are used for context information about the log or metric event
 
 A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events.
 
+[discrete]
 ==== Event Field Details
 
 [options="header"]
@@ -1944,6 +1965,7 @@ A file is defined as a set of information that has been created on, or has exist
 
 File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric.
 
+[discrete]
 ==== File Field Details
 
 [options="header"]
@@ -2254,12 +2276,14 @@ example: `1001`
 
 |=====
 
+[discrete]
 ==== Field Reuse
 
 
 
 
 [[ecs-file-nestings]]
+[discrete]
 ===== Field sets that can be nested under File
 
 [options="header"]
@@ -2302,6 +2326,7 @@ Geo fields can carry data about a specific location related to an event.
 
 This geolocation information can be derived from techniques such as Geo IP, or be user-supplied.
 
+[discrete]
 ==== Geo Field Details
 
 [options="header"]
@@ -2420,6 +2445,7 @@ example: `Quebec`
 
 |=====
 
+[discrete]
 ==== Field Reuse
 
 The `geo` fields are expected to be nested at: `client.geo`, `destination.geo`, `host.geo`, `observer.geo`, `server.geo`, `source.geo`.
@@ -2434,6 +2460,7 @@ Note also that the `geo` fields are not expected to be used directly at the root
 
 The group fields are meant to represent groups that are relevant to the event.
 
+[discrete]
 ==== Group Field Details
 
 [options="header"]
@@ -2485,6 +2512,7 @@ type: keyword
 
 |=====
 
+[discrete]
 ==== Field Reuse
 
 The `group` fields are expected to be nested at: `user.group`.
@@ -2501,6 +2529,7 @@ The hash fields represent different hash algorithms and their values.
 
 Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512).
 
+[discrete]
 ==== Hash Field Details
 
 [options="header"]
@@ -2563,6 +2592,7 @@ type: keyword
 
 |=====
 
+[discrete]
 ==== Field Reuse
 
 The `hash` fields are expected to be nested at: `dll.hash`, `file.hash`, `process.hash`.
@@ -2579,6 +2609,7 @@ A host is defined as a general computing instance.
 
 ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.
 
+[discrete]
 ==== Host Field Details
 
 [options="header"]
@@ -2724,12 +2755,14 @@ example: `1325`
 
 |=====
 
+[discrete]
 ==== Field Reuse
 
 
 
 
 [[ecs-host-nestings]]
+[discrete]
 ===== Field sets that can be nested under Host
 
 [options="header"]
@@ -2764,6 +2797,7 @@ example: `1325`
 
 Fields related to HTTP activity. Use the `url` field set to store the url of the request.
 
+[discrete]
 ==== HTTP Field Details
 
 [options="header"]
@@ -2957,6 +2991,7 @@ example: `1.1`
 
 The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection.  In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated.
 
+[discrete]
 ==== Interface Field Details
 
 [options="header"]
@@ -3006,6 +3041,7 @@ example: `eth0`
 
 |=====
 
+[discrete]
 ==== Field Reuse
 
 The `interface` fields are expected to be nested at: `observer.egress.interface`, `observer.ingress.interface`.
@@ -3024,6 +3060,7 @@ The log.* fields are typically populated with details about the logging mechanis
 
 The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields.
 
+[discrete]
 ==== Log Field Details
 
 [options="header"]
@@ -3230,6 +3267,7 @@ The network is defined as the communication path over which a host or network ev
 
 The network.* fields should be populated with details about the network activity associated with an event.
 
+[discrete]
 ==== Network Field Details
 
 [options="header"]
@@ -3428,12 +3466,14 @@ example: `ipv4`
 
 |=====
 
+[discrete]
 ==== Field Reuse
 
 
 
 
 [[ecs-network-nestings]]
+[discrete]
 ===== Field sets that can be nested under Network
 
 [options="header"]
@@ -3464,6 +3504,7 @@ An observer is defined as a special network, security, or application device use
 
 This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS.
 
+[discrete]
 ==== Observer Field Details
 
 [options="header"]
@@ -3655,12 +3696,14 @@ type: keyword
 
 |=====
 
+[discrete]
 ==== Field Reuse
 
 
 
 
 [[ecs-observer-nestings]]
+[discrete]
 ===== Field sets that can be nested under Observer
 
 [options="header"]
@@ -3715,6 +3758,7 @@ The organization fields enrich data with information about the company or entity
 
 These fields help you arrange or filter data stored in an index by one or multiple organizations.
 
+[discrete]
 ==== Organization Field Details
 
 [options="header"]
@@ -3762,6 +3806,7 @@ Multi-fields:
 
 The OS fields contain information about the operating system.
 
+[discrete]
 ==== Operating System Field Details
 
 [options="header"]
@@ -3862,6 +3907,7 @@ example: `10.14.1`
 
 |=====
 
+[discrete]
 ==== Field Reuse
 
 The `os` fields are expected to be nested at: `host.os`, `observer.os`, `user_agent.os`.
@@ -3876,6 +3922,7 @@ Note also that the `os` fields are not expected to be used directly at the root
 
 These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location.
 
+[discrete]
 ==== Package Field Details
 
 [options="header"]
@@ -4066,6 +4113,7 @@ example: `1.12.9`
 
 These fields contain Windows Portable Executable (PE) metadata.
 
+[discrete]
 ==== PE Header Field Details
 
 [options="header"]
@@ -4169,6 +4217,7 @@ example: `Microsoft® Windows® Operating System`
 
 |=====
 
+[discrete]
 ==== Field Reuse
 
 The `pe` fields are expected to be nested at: `dll.pe`, `file.pe`, `process.pe`.
@@ -4185,6 +4234,7 @@ These fields contain information about a process.
 
 These fields can help you correlate metrics information with a process id/name from a log message.  The `process.pid` often stays in the metric itself and is copied to the global field for correlation.
 
+[discrete]
 ==== Process Field Details
 
 [options="header"]
@@ -4452,6 +4502,7 @@ example: `/home/alice`
 
 |=====
 
+[discrete]
 ==== Field Reuse
 
 The `process` fields are expected to be nested at: `process.parent`.
@@ -4462,6 +4513,7 @@ Note also that the `process` fields may be used directly at the root of the even
 
 
 [[ecs-process-nestings]]
+[discrete]
 ===== Field sets that can be nested under Process
 
 [options="header"]
@@ -4502,6 +4554,7 @@ Note also that the `process` fields may be used directly at the root of the even
 
 Fields related to Windows Registry operations.
 
+[discrete]
 ==== Registry Field Details
 
 [options="header"]
@@ -4619,6 +4672,7 @@ Some pieces of information can be seen in many places in an ECS event. To facili
 
 A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`.
 
+[discrete]
 ==== Related Field Details
 
 [options="header"]
@@ -4700,6 +4754,7 @@ Rule fields are used to capture the specifics of any observer or agent rules tha
 
 Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc.
 
+[discrete]
 ==== Rule Field Details
 
 [options="header"]
@@ -4854,6 +4909,7 @@ For TCP events, the server is the receiver of the initial SYN packet(s) of the T
 
 Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.
 
+[discrete]
 ==== Server Field Details
 
 [options="header"]
@@ -5019,12 +5075,14 @@ example: `co.uk`
 
 |=====
 
+[discrete]
 ==== Field Reuse
 
 
 
 
 [[ecs-server-nestings]]
+[discrete]
 ===== Field sets that can be nested under Server
 
 [options="header"]
@@ -5061,6 +5119,7 @@ The service fields describe the service for or from which the data was collected
 
 These fields help you find and correlate logs for a specific service and version.
 
+[discrete]
 ==== Service Field Details
 
 [options="header"]
@@ -5189,6 +5248,7 @@ Source fields capture details about the sender of a network exchange/packet. The
 
 Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.
 
+[discrete]
 ==== Source Field Details
 
 [options="header"]
@@ -5354,12 +5414,14 @@ example: `co.uk`
 
 |=====
 
+[discrete]
 ==== Field Reuse
 
 
 
 
 [[ecs-source-nestings]]
+[discrete]
 ===== Field sets that can be nested under Source
 
 [options="header"]
@@ -5396,6 +5458,7 @@ Fields to classify events and alerts according to a threat taxonomy such as the
 
 These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service").
 
+[discrete]
 ==== Threat Field Details
 
 [options="header"]
@@ -5580,6 +5643,7 @@ example: `https://attack.mitre.org/techniques/T1059/001/`
 
 Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files.
 
+[discrete]
 ==== TLS Field Details
 
 [options="header"]
@@ -5976,12 +6040,14 @@ example: `tls`
 
 |=====
 
+[discrete]
 ==== Field Reuse
 
 
 
 
 [[ecs-tls-nestings]]
+[discrete]
 ===== Field sets that can be nested under TLS
 
 [options="header"]
@@ -6010,6 +6076,7 @@ example: `tls`
 
 Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services.
 
+[discrete]
 ==== Tracing Field Details
 
 [options="header"]
@@ -6070,6 +6137,7 @@ example: `00f067aa0ba902b7`
 
 URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on.
 
+[discrete]
 ==== URL Field Details
 
 [options="header"]
@@ -6290,6 +6358,7 @@ The user fields describe information about the user that is relevant to the even
 
 Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.
 
+[discrete]
 ==== User Field Details
 
 [options="header"]
@@ -6410,6 +6479,7 @@ example: `["kibana_admin", "reporting_user"]`
 
 |=====
 
+[discrete]
 ==== Field Reuse
 
 The `user` fields are expected to be nested at: `client.user`, `destination.user`, `host.user`, `server.user`, `source.user`.
@@ -6420,6 +6490,7 @@ Note also that the `user` fields may be used directly at the root of the events.
 
 
 [[ecs-user-nestings]]
+[discrete]
 ===== Field sets that can be nested under User
 
 [options="header"]
@@ -6444,6 +6515,7 @@ The user_agent fields normally come from a browser request.
 
 They often show up in web service logs coming from the parsed user agent string.
 
+[discrete]
 ==== User agent Field Details
 
 [options="header"]
@@ -6512,12 +6584,14 @@ example: `12.0`
 
 |=====
 
+[discrete]
 ==== Field Reuse
 
 
 
 
 [[ecs-user_agent-nestings]]
+[discrete]
 ===== Field sets that can be nested under User agent
 
 [options="header"]
@@ -6546,6 +6620,7 @@ Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple
 
 Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers.
 
+[discrete]
 ==== VLAN Field Details
 
 [options="header"]
@@ -6582,6 +6657,7 @@ example: `outside`
 
 |=====
 
+[discrete]
 ==== Field Reuse
 
 The `vlan` fields are expected to be nested at: `network.inner.vlan`, `network.vlan`, `observer.egress.vlan`, `observer.ingress.vlan`.
@@ -6596,6 +6672,7 @@ Note also that the `vlan` fields are not expected to be used directly at the roo
 
 The vulnerability fields describe information about a vulnerability that is relevant to an event.
 
+[discrete]
 ==== Vulnerability Field Details
 
 [options="header"]
@@ -6799,6 +6876,7 @@ example: `Critical`
 
 This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When only a single certificate is logged in an event, it should be nested under `file`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For events that contain certificate information for both sides of the connection, the x509 object could be nested under the respective side of the connection information (e.g. `tls.server.x509`).
 
+[discrete]
 ==== x509 Certificate Field Details
 
 [options="header"]
@@ -7160,6 +7238,7 @@ example: `3`
 
 |=====
 
+[discrete]
 ==== Field Reuse
 
 The `x509` fields are expected to be nested at: `file.x509`, `tls.client.x509`, `tls.server.x509`.
diff --git a/scripts/templates/field_details.j2 b/scripts/templates/field_details.j2
index 0b1bb6e224..1ceedf55e0 100644
--- a/scripts/templates/field_details.j2
+++ b/scripts/templates/field_details.j2
@@ -5,6 +5,7 @@
 {{ fieldset['description']|replace("\n", "\n\n") }}
 
 {# Field Details Table Header -#}
+[discrete]
 ==== {{ fieldset['title'] }} Field Details
 
 [options="header"]
@@ -67,6 +68,7 @@ example: `{{ field['example'] }}`
 {# do we have `nestings` or `reusable` sections to worry about? -#}
 {% if 'nestings' in fieldset or 'reusable' in fieldset -%}
 
+[discrete]
 ==== Field Reuse
 
 {% if 'reusable' in fieldset -%}
@@ -88,6 +90,7 @@ Note also that the `{{ fieldset['name'] }}` fields are not expected to be used d
 {% if 'nestings' in fieldset -%}
 
 [[ecs-{{ fieldset['name'] }}-nestings]]
+[discrete]
 ===== Field sets that can be nested under {{ fieldset['title'] }}
 
 [options="header"]

From e086abbfb095b9531aadab6066c5089c991d97ad Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Fri, 2 Oct 2020 15:04:45 -0500
Subject: [PATCH 18/90] [1.x] Uniformity across domain name breakdown fields
 (#981) (#994)

Co-authored-by: Mathieu Martin <webmat@gmail.com>
---
 CHANGELOG.next.md                       |  1 +
 code/go/ecs/client.go                   | 11 +++
 code/go/ecs/destination.go              | 11 +++
 code/go/ecs/server.go                   | 11 +++
 code/go/ecs/source.go                   | 11 +++
 code/go/ecs/url.go                      | 11 +++
 docs/field-details.asciidoc             | 75 +++++++++++++++++++++
 generated/beats/fields.ecs.yml          | 70 +++++++++++++++++++
 generated/csv/fields.csv                |  5 ++
 generated/ecs/ecs_flat.yml              | 90 +++++++++++++++++++++++++
 generated/ecs/ecs_nested.yml            | 90 +++++++++++++++++++++++++
 generated/elasticsearch/6/template.json | 20 ++++++
 generated/elasticsearch/7/template.json | 20 ++++++
 schemas/client.yml                      | 15 +++++
 schemas/destination.yml                 | 15 +++++
 schemas/server.yml                      | 15 +++++
 schemas/source.yml                      | 15 +++++
 schemas/url.yml                         | 15 +++++
 18 files changed, 501 insertions(+)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 54ae430335..6d9738be17 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -26,6 +26,7 @@ Thanks, you're awesome :-) -->
 
 * Expanded field set definitions for `source.*` and `destination.*`. #967
 * Provided better guidance for mapping network events. #969
+* Added the field `.subdomain` under `client`, `destination`, `server`, `source` and `url`, to match its presence at `dns.question.subdomain`. #981
 
 #### Deprecated
 
diff --git a/code/go/ecs/client.go b/code/go/ecs/client.go
index 2e11982755..9c6336d4bf 100644
--- a/code/go/ecs/client.go
+++ b/code/go/ecs/client.go
@@ -70,6 +70,17 @@ type Client struct {
 	// as "co.uk".
 	TopLevelDomain string `ecs:"top_level_domain"`
 
+	// The subdomain portion of a fully qualified domain name includes all of
+	// the names except the host name under the registered_domain.  In a
+	// partially qualified domain, or if the the qualification level of the
+	// full name cannot be determined, subdomain contains all of the names
+	// below the registered domain.
+	// For example the subdomain portion of "www.east.mydomain.co.uk" is
+	// "east". If the domain has multiple levels of subdomain, such as
+	// "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1",
+	// with no trailing period.
+	Subdomain string `ecs:"subdomain"`
+
 	// Bytes sent from the client to the server.
 	Bytes int64 `ecs:"bytes"`
 
diff --git a/code/go/ecs/destination.go b/code/go/ecs/destination.go
index e3417e5bb9..1985e8720b 100644
--- a/code/go/ecs/destination.go
+++ b/code/go/ecs/destination.go
@@ -66,6 +66,17 @@ type Destination struct {
 	// as "co.uk".
 	TopLevelDomain string `ecs:"top_level_domain"`
 
+	// The subdomain portion of a fully qualified domain name includes all of
+	// the names except the host name under the registered_domain.  In a
+	// partially qualified domain, or if the the qualification level of the
+	// full name cannot be determined, subdomain contains all of the names
+	// below the registered domain.
+	// For example the subdomain portion of "www.east.mydomain.co.uk" is
+	// "east". If the domain has multiple levels of subdomain, such as
+	// "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1",
+	// with no trailing period.
+	Subdomain string `ecs:"subdomain"`
+
 	// Bytes sent from the destination to the source.
 	Bytes int64 `ecs:"bytes"`
 
diff --git a/code/go/ecs/server.go b/code/go/ecs/server.go
index 74253bbb72..bc395a115c 100644
--- a/code/go/ecs/server.go
+++ b/code/go/ecs/server.go
@@ -70,6 +70,17 @@ type Server struct {
 	// as "co.uk".
 	TopLevelDomain string `ecs:"top_level_domain"`
 
+	// The subdomain portion of a fully qualified domain name includes all of
+	// the names except the host name under the registered_domain.  In a
+	// partially qualified domain, or if the the qualification level of the
+	// full name cannot be determined, subdomain contains all of the names
+	// below the registered domain.
+	// For example the subdomain portion of "www.east.mydomain.co.uk" is
+	// "east". If the domain has multiple levels of subdomain, such as
+	// "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1",
+	// with no trailing period.
+	Subdomain string `ecs:"subdomain"`
+
 	// Bytes sent from the server to the client.
 	Bytes int64 `ecs:"bytes"`
 
diff --git a/code/go/ecs/source.go b/code/go/ecs/source.go
index f8ab84d581..3e4becbbbd 100644
--- a/code/go/ecs/source.go
+++ b/code/go/ecs/source.go
@@ -66,6 +66,17 @@ type Source struct {
 	// as "co.uk".
 	TopLevelDomain string `ecs:"top_level_domain"`
 
+	// The subdomain portion of a fully qualified domain name includes all of
+	// the names except the host name under the registered_domain.  In a
+	// partially qualified domain, or if the the qualification level of the
+	// full name cannot be determined, subdomain contains all of the names
+	// below the registered domain.
+	// For example the subdomain portion of "www.east.mydomain.co.uk" is
+	// "east". If the domain has multiple levels of subdomain, such as
+	// "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1",
+	// with no trailing period.
+	Subdomain string `ecs:"subdomain"`
+
 	// Bytes sent from the source to the destination.
 	Bytes int64 `ecs:"bytes"`
 
diff --git a/code/go/ecs/url.go b/code/go/ecs/url.go
index 7afac8f4ba..6c1ac3be75 100644
--- a/code/go/ecs/url.go
+++ b/code/go/ecs/url.go
@@ -62,6 +62,17 @@ type Url struct {
 	// as "co.uk".
 	TopLevelDomain string `ecs:"top_level_domain"`
 
+	// The subdomain portion of a fully qualified domain name includes all of
+	// the names except the host name under the registered_domain.  In a
+	// partially qualified domain, or if the the qualification level of the
+	// full name cannot be determined, subdomain contains all of the names
+	// below the registered domain.
+	// For example the subdomain portion of "www.east.mydomain.co.uk" is
+	// "east". If the domain has multiple levels of subdomain, such as
+	// "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1",
+	// with no trailing period.
+	Subdomain string `ecs:"subdomain"`
+
 	// Port of the request, such as 443.
 	Port int64 `ecs:"port"`
 
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index d13a5896c5..b716165642 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -407,6 +407,21 @@ example: `example.com`
 
 // ===============================================================
 
+| client.subdomain
+| The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
+
+For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+
+
+example: `east`
+
+| extended
+
+// ===============================================================
+
 | client.top_level_domain
 | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
 
@@ -967,6 +982,21 @@ example: `example.com`
 
 // ===============================================================
 
+| destination.subdomain
+| The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
+
+For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+
+
+example: `east`
+
+| extended
+
+// ===============================================================
+
 | destination.top_level_domain
 | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
 
@@ -5058,6 +5088,21 @@ example: `example.com`
 
 // ===============================================================
 
+| server.subdomain
+| The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
+
+For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+
+
+example: `east`
+
+| extended
+
+// ===============================================================
+
 | server.top_level_domain
 | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
 
@@ -5397,6 +5442,21 @@ example: `example.com`
 
 // ===============================================================
 
+| source.subdomain
+| The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
+
+For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+
+
+example: `east`
+
+| extended
+
+// ===============================================================
+
 | source.top_level_domain
 | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
 
@@ -6321,6 +6381,21 @@ example: `https`
 
 // ===============================================================
 
+| url.subdomain
+| The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
+
+For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+
+
+example: `east`
+
+| extended
+
+// ===============================================================
+
 | url.top_level_domain
 | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
 
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 573abe8499..150ee1d911 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -302,6 +302,20 @@
         list (http://publicsuffix.org). Trying to approximate this by simply taking
         the last two labels will not work well for TLDs such as "co.uk".'
       example: example.com
+    - name: subdomain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The subdomain portion of a fully qualified domain name includes
+        all of the names except the host name under the registered_domain.  In a partially
+        qualified domain, or if the the qualification level of the full name cannot
+        be determined, subdomain contains all of the names below the registered domain.
+
+        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.'
+      example: east
+      default_field: false
     - name: top_level_domain
       level: extended
       type: keyword
@@ -709,6 +723,20 @@
         list (http://publicsuffix.org). Trying to approximate this by simply taking
         the last two labels will not work well for TLDs such as "co.uk".'
       example: example.com
+    - name: subdomain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The subdomain portion of a fully qualified domain name includes
+        all of the names except the host name under the registered_domain.  In a partially
+        qualified domain, or if the the qualification level of the full name cannot
+        be determined, subdomain contains all of the names below the registered domain.
+
+        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.'
+      example: east
+      default_field: false
     - name: top_level_domain
       level: extended
       type: keyword
@@ -4105,6 +4133,20 @@
         list (http://publicsuffix.org). Trying to approximate this by simply taking
         the last two labels will not work well for TLDs such as "co.uk".'
       example: example.com
+    - name: subdomain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The subdomain portion of a fully qualified domain name includes
+        all of the names except the host name under the registered_domain.  In a partially
+        qualified domain, or if the the qualification level of the full name cannot
+        be determined, subdomain contains all of the names below the registered domain.
+
+        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.'
+      example: east
+      default_field: false
     - name: top_level_domain
       level: extended
       type: keyword
@@ -4427,6 +4469,20 @@
         list (http://publicsuffix.org). Trying to approximate this by simply taking
         the last two labels will not work well for TLDs such as "co.uk".'
       example: example.com
+    - name: subdomain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The subdomain portion of a fully qualified domain name includes
+        all of the names except the host name under the registered_domain.  In a partially
+        qualified domain, or if the the qualification level of the full name cannot
+        be determined, subdomain contains all of the names below the registered domain.
+
+        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.'
+      example: east
+      default_field: false
     - name: top_level_domain
       level: extended
       type: keyword
@@ -5337,6 +5393,20 @@
 
         Note: The `:` is not part of the scheme.'
       example: https
+    - name: subdomain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The subdomain portion of a fully qualified domain name includes
+        all of the names except the host name under the registered_domain.  In a partially
+        qualified domain, or if the the qualification level of the full name cannot
+        be determined, subdomain contains all of the names below the registered domain.
+
+        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.'
+      example: east
+      default_field: false
     - name: top_level_domain
       level: extended
       type: keyword
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index 5b56c77a2a..baa380bfb8 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -30,6 +30,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.7.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server.
 1.7.0-dev,true,client,client.port,long,core,,,Port of the client.
 1.7.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain."
+1.7.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain.
 1.7.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
 1.7.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of.
 1.7.0-dev,true,client,client.user.email,keyword,extended,,,User email address.
@@ -80,6 +81,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.7.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source.
 1.7.0-dev,true,destination,destination.port,long,core,,,Port of the destination.
 1.7.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain."
+1.7.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain.
 1.7.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
 1.7.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of.
 1.7.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address.
@@ -478,6 +480,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.7.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client.
 1.7.0-dev,true,server,server.port,long,core,,,Port of the server.
 1.7.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain."
+1.7.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain.
 1.7.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
 1.7.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of.
 1.7.0-dev,true,server,server.user.email,keyword,extended,,,User email address.
@@ -519,6 +522,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.7.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination.
 1.7.0-dev,true,source,source.port,long,core,,,Port of the source.
 1.7.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain."
+1.7.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain.
 1.7.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
 1.7.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of.
 1.7.0-dev,true,source,source.user.email,keyword,extended,,,User email address.
@@ -637,6 +641,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.7.0-dev,true,url,url.query,keyword,extended,,,Query string of the request.
 1.7.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
 1.7.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url.
+1.7.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain.
 1.7.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
 1.7.0-dev,true,url,url.username,keyword,extended,,,Username of the request.
 1.7.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of.
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index 64540cebfe..a209023534 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -348,6 +348,24 @@ client.registered_domain:
   normalize: []
   short: The highest registered client domain, stripped of the subdomain.
   type: keyword
+client.subdomain:
+  dashed_name: client-subdomain
+  description: 'The subdomain portion of a fully qualified domain name includes all
+    of the names except the host name under the registered_domain.  In a partially
+    qualified domain, or if the the qualification level of the full name cannot be
+    determined, subdomain contains all of the names below the registered domain.
+
+    For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the
+    domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the
+    subdomain field should contain "sub2.sub1", with no trailing period.'
+  example: east
+  flat_name: client.subdomain
+  ignore_above: 1024
+  level: extended
+  name: subdomain
+  normalize: []
+  short: The subdomain of the domain.
+  type: keyword
 client.top_level_domain:
   dashed_name: client-top-level-domain
   description: 'The effective top level domain (eTLD), also known as the domain suffix,
@@ -925,6 +943,24 @@ destination.registered_domain:
   normalize: []
   short: The highest registered destination domain, stripped of the subdomain.
   type: keyword
+destination.subdomain:
+  dashed_name: destination-subdomain
+  description: 'The subdomain portion of a fully qualified domain name includes all
+    of the names except the host name under the registered_domain.  In a partially
+    qualified domain, or if the the qualification level of the full name cannot be
+    determined, subdomain contains all of the names below the registered domain.
+
+    For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the
+    domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the
+    subdomain field should contain "sub2.sub1", with no trailing period.'
+  example: east
+  flat_name: destination.subdomain
+  ignore_above: 1024
+  level: extended
+  name: subdomain
+  normalize: []
+  short: The subdomain of the domain.
+  type: keyword
 destination.top_level_domain:
   dashed_name: destination-top-level-domain
   description: 'The effective top level domain (eTLD), also known as the domain suffix,
@@ -6144,6 +6180,24 @@ server.registered_domain:
   normalize: []
   short: The highest registered server domain, stripped of the subdomain.
   type: keyword
+server.subdomain:
+  dashed_name: server-subdomain
+  description: 'The subdomain portion of a fully qualified domain name includes all
+    of the names except the host name under the registered_domain.  In a partially
+    qualified domain, or if the the qualification level of the full name cannot be
+    determined, subdomain contains all of the names below the registered domain.
+
+    For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the
+    domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the
+    subdomain field should contain "sub2.sub1", with no trailing period.'
+  example: east
+  flat_name: server.subdomain
+  ignore_above: 1024
+  level: extended
+  name: subdomain
+  normalize: []
+  short: The subdomain of the domain.
+  type: keyword
 server.top_level_domain:
   dashed_name: server-top-level-domain
   description: 'The effective top level domain (eTLD), also known as the domain suffix,
@@ -6652,6 +6706,24 @@ source.registered_domain:
   normalize: []
   short: The highest registered source domain, stripped of the subdomain.
   type: keyword
+source.subdomain:
+  dashed_name: source-subdomain
+  description: 'The subdomain portion of a fully qualified domain name includes all
+    of the names except the host name under the registered_domain.  In a partially
+    qualified domain, or if the the qualification level of the full name cannot be
+    determined, subdomain contains all of the names below the registered domain.
+
+    For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the
+    domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the
+    subdomain field should contain "sub2.sub1", with no trailing period.'
+  example: east
+  flat_name: source.subdomain
+  ignore_above: 1024
+  level: extended
+  name: subdomain
+  normalize: []
+  short: The subdomain of the domain.
+  type: keyword
 source.top_level_domain:
   dashed_name: source-top-level-domain
   description: 'The effective top level domain (eTLD), also known as the domain suffix,
@@ -8124,6 +8196,24 @@ url.scheme:
   normalize: []
   short: Scheme of the url.
   type: keyword
+url.subdomain:
+  dashed_name: url-subdomain
+  description: 'The subdomain portion of a fully qualified domain name includes all
+    of the names except the host name under the registered_domain.  In a partially
+    qualified domain, or if the the qualification level of the full name cannot be
+    determined, subdomain contains all of the names below the registered domain.
+
+    For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the
+    domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the
+    subdomain field should contain "sub2.sub1", with no trailing period.'
+  example: east
+  flat_name: url.subdomain
+  ignore_above: 1024
+  level: extended
+  name: subdomain
+  normalize: []
+  short: The subdomain of the domain.
+  type: keyword
 url.top_level_domain:
   dashed_name: url-top-level-domain
   description: 'The effective top level domain (eTLD), also known as the domain suffix,
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index ee213ac0c8..2189a64503 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -494,6 +494,24 @@ client:
       normalize: []
       short: The highest registered client domain, stripped of the subdomain.
       type: keyword
+    client.subdomain:
+      dashed_name: client-subdomain
+      description: 'The subdomain portion of a fully qualified domain name includes
+        all of the names except the host name under the registered_domain.  In a partially
+        qualified domain, or if the the qualification level of the full name cannot
+        be determined, subdomain contains all of the names below the registered domain.
+
+        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.'
+      example: east
+      flat_name: client.subdomain
+      ignore_above: 1024
+      level: extended
+      name: subdomain
+      normalize: []
+      short: The subdomain of the domain.
+      type: keyword
     client.top_level_domain:
       dashed_name: client-top-level-domain
       description: 'The effective top level domain (eTLD), also known as the domain
@@ -1213,6 +1231,24 @@ destination:
       normalize: []
       short: The highest registered destination domain, stripped of the subdomain.
       type: keyword
+    destination.subdomain:
+      dashed_name: destination-subdomain
+      description: 'The subdomain portion of a fully qualified domain name includes
+        all of the names except the host name under the registered_domain.  In a partially
+        qualified domain, or if the the qualification level of the full name cannot
+        be determined, subdomain contains all of the names below the registered domain.
+
+        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.'
+      example: east
+      flat_name: destination.subdomain
+      ignore_above: 1024
+      level: extended
+      name: subdomain
+      normalize: []
+      short: The subdomain of the domain.
+      type: keyword
     destination.top_level_domain:
       dashed_name: destination-top-level-domain
       description: 'The effective top level domain (eTLD), also known as the domain
@@ -7281,6 +7317,24 @@ server:
       normalize: []
       short: The highest registered server domain, stripped of the subdomain.
       type: keyword
+    server.subdomain:
+      dashed_name: server-subdomain
+      description: 'The subdomain portion of a fully qualified domain name includes
+        all of the names except the host name under the registered_domain.  In a partially
+        qualified domain, or if the the qualification level of the full name cannot
+        be determined, subdomain contains all of the names below the registered domain.
+
+        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.'
+      example: east
+      flat_name: server.subdomain
+      ignore_above: 1024
+      level: extended
+      name: subdomain
+      normalize: []
+      short: The subdomain of the domain.
+      type: keyword
     server.top_level_domain:
       dashed_name: server-top-level-domain
       description: 'The effective top level domain (eTLD), also known as the domain
@@ -7833,6 +7887,24 @@ source:
       normalize: []
       short: The highest registered source domain, stripped of the subdomain.
       type: keyword
+    source.subdomain:
+      dashed_name: source-subdomain
+      description: 'The subdomain portion of a fully qualified domain name includes
+        all of the names except the host name under the registered_domain.  In a partially
+        qualified domain, or if the the qualification level of the full name cannot
+        be determined, subdomain contains all of the names below the registered domain.
+
+        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.'
+      example: east
+      flat_name: source.subdomain
+      ignore_above: 1024
+      level: extended
+      name: subdomain
+      normalize: []
+      short: The subdomain of the domain.
+      type: keyword
     source.top_level_domain:
       dashed_name: source-top-level-domain
       description: 'The effective top level domain (eTLD), also known as the domain
@@ -9374,6 +9446,24 @@ url:
       normalize: []
       short: Scheme of the url.
       type: keyword
+    url.subdomain:
+      dashed_name: url-subdomain
+      description: 'The subdomain portion of a fully qualified domain name includes
+        all of the names except the host name under the registered_domain.  In a partially
+        qualified domain, or if the the qualification level of the full name cannot
+        be determined, subdomain contains all of the names below the registered domain.
+
+        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.'
+      example: east
+      flat_name: url.subdomain
+      ignore_above: 1024
+      level: extended
+      name: subdomain
+      normalize: []
+      short: The subdomain of the domain.
+      type: keyword
     url.top_level_domain:
       dashed_name: url-top-level-domain
       description: 'The effective top level domain (eTLD), also known as the domain
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json
index b16d3576ce..493159d4b3 100644
--- a/generated/elasticsearch/6/template.json
+++ b/generated/elasticsearch/6/template.json
@@ -151,6 +151,10 @@
               "ignore_above": 1024,
               "type": "keyword"
             },
+            "subdomain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
             "top_level_domain": {
               "ignore_above": 1024,
               "type": "keyword"
@@ -404,6 +408,10 @@
               "ignore_above": 1024,
               "type": "keyword"
             },
+            "subdomain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
             "top_level_domain": {
               "ignore_above": 1024,
               "type": "keyword"
@@ -2254,6 +2262,10 @@
               "ignore_above": 1024,
               "type": "keyword"
             },
+            "subdomain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
             "top_level_domain": {
               "ignore_above": 1024,
               "type": "keyword"
@@ -2452,6 +2464,10 @@
               "ignore_above": 1024,
               "type": "keyword"
             },
+            "subdomain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
             "top_level_domain": {
               "ignore_above": 1024,
               "type": "keyword"
@@ -3013,6 +3029,10 @@
               "ignore_above": 1024,
               "type": "keyword"
             },
+            "subdomain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
             "top_level_domain": {
               "ignore_above": 1024,
               "type": "keyword"
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json
index 08071d1b91..b63f3af1c7 100644
--- a/generated/elasticsearch/7/template.json
+++ b/generated/elasticsearch/7/template.json
@@ -150,6 +150,10 @@
             "ignore_above": 1024,
             "type": "keyword"
           },
+          "subdomain": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
           "top_level_domain": {
             "ignore_above": 1024,
             "type": "keyword"
@@ -403,6 +407,10 @@
             "ignore_above": 1024,
             "type": "keyword"
           },
+          "subdomain": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
           "top_level_domain": {
             "ignore_above": 1024,
             "type": "keyword"
@@ -2253,6 +2261,10 @@
             "ignore_above": 1024,
             "type": "keyword"
           },
+          "subdomain": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
           "top_level_domain": {
             "ignore_above": 1024,
             "type": "keyword"
@@ -2451,6 +2463,10 @@
             "ignore_above": 1024,
             "type": "keyword"
           },
+          "subdomain": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
           "top_level_domain": {
             "ignore_above": 1024,
             "type": "keyword"
@@ -3012,6 +3028,10 @@
             "ignore_above": 1024,
             "type": "keyword"
           },
+          "subdomain": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
           "top_level_domain": {
             "ignore_above": 1024,
             "type": "keyword"
diff --git a/schemas/client.yml b/schemas/client.yml
index ec6175f692..e63ab70276 100644
--- a/schemas/client.yml
+++ b/schemas/client.yml
@@ -85,6 +85,21 @@
         simply taking the last label will not work well for effective TLDs such as "co.uk".
       example: co.uk
 
+    - name: subdomain
+      level: extended
+      type: keyword
+      short: The subdomain of the domain.
+      description: >
+        The subdomain portion of a fully qualified domain name includes all of the names except
+        the host name under the registered_domain.  In a partially qualified domain, or if the
+        the qualification level of the full name cannot be determined, subdomain contains all of
+        the names below the registered domain.
+
+        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.
+      example: east
+
     # Metrics
     - name: bytes
       format: bytes
diff --git a/schemas/destination.yml b/schemas/destination.yml
index 42d3e154d5..a1e91958f7 100644
--- a/schemas/destination.yml
+++ b/schemas/destination.yml
@@ -80,6 +80,21 @@
         simply taking the last label will not work well for effective TLDs such as "co.uk".
       example: co.uk
 
+    - name: subdomain
+      level: extended
+      type: keyword
+      short: The subdomain of the domain.
+      description: >
+        The subdomain portion of a fully qualified domain name includes all of the names except
+        the host name under the registered_domain.  In a partially qualified domain, or if the
+        the qualification level of the full name cannot be determined, subdomain contains all of
+        the names below the registered domain.
+
+        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.
+      example: east
+
     # Metrics
     - name: bytes
       format: bytes
diff --git a/schemas/server.yml b/schemas/server.yml
index 19fee450be..867b3bd03c 100644
--- a/schemas/server.yml
+++ b/schemas/server.yml
@@ -85,6 +85,21 @@
         simply taking the last label will not work well for effective TLDs such as "co.uk".
       example: co.uk
 
+    - name: subdomain
+      level: extended
+      type: keyword
+      short: The subdomain of the domain.
+      description: >
+        The subdomain portion of a fully qualified domain name includes all of the names except
+        the host name under the registered_domain.  In a partially qualified domain, or if the
+        the qualification level of the full name cannot be determined, subdomain contains all of
+        the names below the registered domain.
+
+        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.
+      example: east
+
     # Metrics
     - name: bytes
       format: bytes
diff --git a/schemas/source.yml b/schemas/source.yml
index 65539b3d60..268b975312 100644
--- a/schemas/source.yml
+++ b/schemas/source.yml
@@ -80,6 +80,21 @@
         simply taking the last label will not work well for effective TLDs such as "co.uk".
       example: co.uk
 
+    - name: subdomain
+      level: extended
+      type: keyword
+      short: The subdomain of the domain.
+      description: >
+        The subdomain portion of a fully qualified domain name includes all of the names except
+        the host name under the registered_domain.  In a partially qualified domain, or if the
+        the qualification level of the full name cannot be determined, subdomain contains all of
+        the names below the registered domain.
+
+        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.
+      example: east
+
     # Metrics
     - name: bytes
       format: bytes
diff --git a/schemas/url.yml b/schemas/url.yml
index 6ae2b572f2..8a523fbc8d 100644
--- a/schemas/url.yml
+++ b/schemas/url.yml
@@ -88,6 +88,21 @@
         simply taking the last label will not work well for effective TLDs such as "co.uk".
       example: co.uk
 
+    - name: subdomain
+      level: extended
+      type: keyword
+      short: The subdomain of the domain.
+      description: >
+        The subdomain portion of a fully qualified domain name includes all of the names except
+        the host name under the registered_domain.  In a partially qualified domain, or if the
+        the qualification level of the full name cannot be determined, subdomain contains all of
+        the names below the registered domain.
+
+        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.
+      example: east
+
     - name: port
       format: string
       level: extended

From b9b1ba50c9400f4195b260dbb4e0253b18c012ee Mon Sep 17 00:00:00 2001
From: Mathieu Martin <mathieu.martin@elastic.co>
Date: Fri, 2 Oct 2020 16:26:38 -0400
Subject: [PATCH 19/90] Add --oss flag to the ECS generator script (#991)
 (#995)

---
 CHANGELOG.next.md                     |  1 +
 USAGE.md                              | 27 ++++++++++++++++++++-
 scripts/generator.py                  | 14 +++++++----
 scripts/schema/oss.py                 | 29 ++++++++++++++++++++++
 scripts/tests/unit/test_schema_oss.py | 35 +++++++++++++++++++++++++++
 5 files changed, 100 insertions(+), 6 deletions(-)
 create mode 100644 scripts/schema/oss.py
 create mode 100644 scripts/tests/unit/test_schema_oss.py

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 6d9738be17..afd179c547 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -43,6 +43,7 @@ Thanks, you're awesome :-) -->
 * Introduced `--strict` flag to perform stricter schema validation when running the generator script. #937
 * Added check under `--strict` that ensures composite types in example fields are quoted. #966
 * Added `ignore_above` and `normalizer` support for keyword multi-fields. #971
+* Added `--oss` flag for users who want to generate ECS templates for use on OSS clusters. #991
 
 #### Improvements
 
diff --git a/USAGE.md b/USAGE.md
index e70da6b14f..cb0c49bf27 100644
--- a/USAGE.md
+++ b/USAGE.md
@@ -29,6 +29,7 @@ relevant artifacts for their unique set of data sources.
     + [Subset](#subset)
     + [Ref](#ref)
     + [Mapping & Template Settings](#mapping--template-settings)
+    + [OSS](#oss)
     + [Strict Mode](#strict-mode)
     + [Intermediate-Only](#intermediate-only)
 
@@ -295,6 +296,30 @@ The `--template-settings` argument defines [index level settings](https://www.el
 
 For `template.json`, the `mappings` object is left empty: `{}`. Likewise the `properties` object remains empty in the `mapping.json` example. This will be filled in automatically by the script.
 
+#### OSS
+
+**IMPORTANT**: This feature is unnecessary for most users. Our default free distribution
+comes with the Elastic Basic license, and supports all data types used by ECS.
+Learn more about our licenses [here](https://www.elastic.co/subscriptions).
+
+Users that want to use the open source version of Elasticsearch do not have access to the basic data types.
+However some of these types have an OSS replacement that can be used instead, without too much loss of functionality.
+
+This flag performs a best effort fallback, replacing basic data types with their OSS replacement.
+
+Indices using purely OSS types will benefit from the normalization of ECS, but may be missing on some of the added functionality of these basic types.
+
+Current fallbacks applied by this flag are:
+
+- `wildcard` => `keyword`
+- `version` => `keyword`
+
+Usage:
+
+```
+$ python scripts/generator.py --oss
+```
+
 #### Strict Mode
 
 The `--strict` argument enables "strict mode". Strict mode performs a stricter validation step against the schema's contents.
@@ -302,7 +327,7 @@ The `--strict` argument enables "strict mode". Strict mode performs a stricter v
 Basic usage:
 
 ```
-$ python/generator.py --strict
+$ python scripts/generator.py --strict
 ```
 
 Strict mode requires the following conditions, else the script exits on an exception:
diff --git a/scripts/generator.py b/scripts/generator.py
index 733f4155fe..b6dcf05db9 100644
--- a/scripts/generator.py
+++ b/scripts/generator.py
@@ -12,6 +12,7 @@
 from generators import intermediate_files
 
 from schema import loader
+from schema import oss
 from schema import cleaner
 from schema import finalizer
 from schema import subset_filter
@@ -41,6 +42,8 @@ def main():
     # ecs_helpers.yaml_dump('ecs.yml', fields)
 
     fields = loader.load_schemas(ref=args.ref, included_files=args.include)
+    if args.oss:
+        oss.fallback(fields)
     cleaner.clean(fields, strict=args.strict)
     finalizer.finalize(fields)
     fields = subset_filter.filter(fields, args.subset, out_dir)
@@ -60,20 +63,21 @@ def main():
 
 def argument_parser():
     parser = argparse.ArgumentParser()
-    parser.add_argument('--intermediate-only', action='store_true',
-                        help='generate intermediary files only')
+    parser.add_argument('--ref', action='store', help='git reference to use when building schemas')
     parser.add_argument('--include', nargs='+',
                         help='include user specified directory of custom field definitions')
     parser.add_argument('--subset', nargs='+',
                         help='render a subset of the schema')
-    parser.add_argument('--out', action='store', help='directory to store the generated files')
-    parser.add_argument('--ref', action='store', help='git reference to use when building schemas')
+    parser.add_argument('--out', action='store', help='directory to output the generated files')
     parser.add_argument('--template-settings', action='store',
                         help='index template settings to use when generating elasticsearch template')
     parser.add_argument('--mapping-settings', action='store',
                         help='mapping settings to use when generating elasticsearch template')
+    parser.add_argument('--oss', action='store_true', help='replace basic data types with oss ones where possible')
     parser.add_argument('--strict', action='store_true',
-                        help='enforce stricter checking at schema cleanup')
+                        help='enforce strict checking at schema cleanup')
+    parser.add_argument('--intermediate-only', action='store_true',
+                        help='generate intermediary files only')
     args = parser.parse_args()
     # Clean up empty include of the Makefile
     if args.include and [''] == args.include:
diff --git a/scripts/schema/oss.py b/scripts/schema/oss.py
new file mode 100644
index 0000000000..ba38a254b1
--- /dev/null
+++ b/scripts/schema/oss.py
@@ -0,0 +1,29 @@
+# This script performs a best effort fallback of basic data types to equivalent
+# OSS data types.
+# Note however that not all basic data types have an OSS replacement.
+#
+# The way this script is currently written, it has to be run on the fields *before*
+# the cleaner script applies defaults, as there's no concept of defaults here.
+# But since it navigates using the visitor script, it can easily be moved around
+# in the chain, provided we add support for defaults as well.
+#
+# For now, no warning is output on basic fields that don't have a fallback.
+# This could be improved if ECS starts using such types.
+
+from schema import visitor
+
+TYPE_FALLBACKS = {
+    'wildcard': 'keyword',
+    'version': 'keyword'
+}
+
+
+def fallback(fields):
+    """Verify all fields for basic data type usage, and fallback to an OSS equivalent if appropriate."""
+    visitor.visit_fields(fields, field_func=perform_fallback)
+
+
+def perform_fallback(field):
+    """Performs a best effort fallback of basic data types to equivalent OSS data types."""
+    if field['field_details']['type'] in TYPE_FALLBACKS.keys():
+        field['field_details']['type'] = TYPE_FALLBACKS[field['field_details']['type']]
diff --git a/scripts/tests/unit/test_schema_oss.py b/scripts/tests/unit/test_schema_oss.py
new file mode 100644
index 0000000000..4ac08d9d08
--- /dev/null
+++ b/scripts/tests/unit/test_schema_oss.py
@@ -0,0 +1,35 @@
+import os
+import pprint
+import sys
+import unittest
+
+sys.path.append(os.path.join(os.path.dirname(__file__), '../..'))
+
+from schema import oss
+from schema import visitor
+
+
+class TestSchemaOss(unittest.TestCase):
+
+    def setUp(self):
+        self.maxDiff = None
+
+    def test_wildcard_fallback(self):
+        field = {'field_details': {'name': 'myfield', 'type': 'wildcard'}}
+        oss.perform_fallback(field)
+        self.assertEqual('keyword', field['field_details']['type'])
+
+    def test_version_fallback(self):
+        field = {'field_details': {'name': 'myfield', 'type': 'version'}}
+        oss.perform_fallback(field)
+        self.assertEqual('keyword', field['field_details']['type'])
+
+    def test_basic_without_fallback(self):
+        field = {'field_details': {'name': 'myfield', 'type': 'histogram'}}
+        oss.perform_fallback(field)
+        self.assertEqual('histogram', field['field_details']['type'])
+
+    def test_oss_no_fallback(self):
+        field = {'field_details': {'name': 'myfield', 'type': 'keyword'}}
+        oss.perform_fallback(field)
+        self.assertEqual('keyword', field['field_details']['type'])

From d8471847336d9885cf5dfda1350c9a77212ca2d4 Mon Sep 17 00:00:00 2001
From: Mathieu Martin <mathieu.martin@elastic.co>
Date: Fri, 2 Oct 2020 17:04:51 -0400
Subject: [PATCH 20/90] Add network directions ingress and egress (#945) (#997)

---
 CHANGELOG.next.md              |  1 +
 code/go/ecs/network.go         | 23 ++++++++++++++++-------
 docs/field-details.asciidoc    | 12 +++++++++---
 generated/beats/fields.ecs.yml | 20 +++++++++++++-------
 generated/ecs/ecs_flat.yml     | 20 +++++++++++++-------
 generated/ecs/ecs_nested.yml   | 20 +++++++++++++-------
 schemas/network.yml            | 19 ++++++++++++++-----
 7 files changed, 79 insertions(+), 36 deletions(-)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index afd179c547..417377de00 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -21,6 +21,7 @@ Thanks, you're awesome :-) -->
 * Added Mime Type fields to HTTP request and response. #944
 * Added `threat.technique.subtechnique` to capture MITRE ATT&CK® subtechniques. #951
 * Added `configuration` as an allowed `event.category`. #963
+* Added network directions ingress and egress. #945
 
 #### Improvements
 
diff --git a/code/go/ecs/network.go b/code/go/ecs/network.go
index e47d15abd2..a696a4e419 100644
--- a/code/go/ecs/network.go
+++ b/code/go/ecs/network.go
@@ -61,6 +61,8 @@ type Network struct {
 
 	// Direction of the network traffic.
 	// Recommended values are:
+	//   * ingress
+	//   * egress
 	//   * inbound
 	//   * outbound
 	//   * internal
@@ -68,10 +70,17 @@ type Network struct {
 	//   * unknown
 	//
 	// When mapping events from a host-based monitoring context, populate this
-	// field from the host's point of view.
+	// field from the host's point of view, using the values "ingress" or
+	// "egress".
 	// When mapping events from a network or perimeter-based monitoring
-	// context, populate this field from the point of view of your network
-	// perimeter.
+	// context, populate this field from the point of view of the network
+	// perimeter, using the values "inbound", "outbound", "internal" or
+	// "external".
+	// Note that "internal" is not crossing perimeter boundaries, and is meant
+	// to describe communication between two hosts within the perimeter. Note
+	// also that "external" is meant to describe traffic between two hosts that
+	// are external to the perimeter. This could for example be useful for ISPs
+	// or VPN service providers.
 	Direction string `ecs:"direction"`
 
 	// Host IP address when the source IP address is the proxy.
@@ -94,9 +103,9 @@ type Network struct {
 	Packets int64 `ecs:"packets"`
 
 	// Network.inner fields are added in addition to network.vlan fields to
-	// describe  the innermost VLAN when q-in-q VLAN tagging is present.
-	// Allowed fields include  vlan.id and vlan.name. Inner vlan fields are
-	// typically used when sending traffic with multiple 802.1q encapsulations
-	// to a network sensor (e.g. Zeek, Wireshark.)
+	// describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed
+	// fields include vlan.id and vlan.name. Inner vlan fields are typically
+	// used when sending traffic with multiple 802.1q encapsulations to a
+	// network sensor (e.g. Zeek, Wireshark.)
 	Inner map[string]interface{} `ecs:"inner"`
 }
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index b716165642..9bd030d0af 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -3356,6 +3356,10 @@ example: `1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=`
 
 Recommended values are:
 
+  * ingress
+
+  * egress
+
   * inbound
 
   * outbound
@@ -3368,9 +3372,11 @@ Recommended values are:
 
 
 
-When mapping events from a host-based monitoring context, populate this field from the host's point of view.
+When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
+
+When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
 
-When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter.
+Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
 
 type: keyword
 
@@ -3409,7 +3415,7 @@ example: `6`
 // ===============================================================
 
 | network.inner
-| Network.inner fields are added in addition to network.vlan fields to describe  the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include  vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.)
+| Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.)
 
 type: object
 
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 150ee1d911..807ffd2115 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -2622,11 +2622,17 @@
       type: keyword
       ignore_above: 1024
       description: "Direction of the network traffic.\nRecommended values are:\n \
-        \ * inbound\n  * outbound\n  * internal\n  * external\n  * unknown\n\nWhen\
-        \ mapping events from a host-based monitoring context, populate this field\
-        \ from the host's point of view.\nWhen mapping events from a network or perimeter-based\
-        \ monitoring context, populate this field from the point of view of your network\
-        \ perimeter."
+        \ * ingress\n  * egress\n  * inbound\n  * outbound\n  * internal\n  * external\n\
+        \  * unknown\n\nWhen mapping events from a host-based monitoring context,\
+        \ populate this field from the host's point of view, using the values \"ingress\"\
+        \ or \"egress\".\nWhen mapping events from a network or perimeter-based monitoring\
+        \ context, populate this field from the point of view of the network perimeter,\
+        \ using the values \"inbound\", \"outbound\", \"internal\" or \"external\"\
+        .\nNote that \"internal\" is not crossing perimeter boundaries, and is meant\
+        \ to describe communication between two hosts within the perimeter. Note also\
+        \ that \"external\" is meant to describe traffic between two hosts that are\
+        \ external to the perimeter. This could for example be useful for ISPs or\
+        \ VPN service providers."
       example: inbound
     - name: forwarded_ip
       level: core
@@ -2645,8 +2651,8 @@
       level: extended
       type: object
       description: Network.inner fields are added in addition to network.vlan fields
-        to describe  the innermost VLAN when q-in-q VLAN tagging is present. Allowed
-        fields include  vlan.id and vlan.name. Inner vlan fields are typically used
+        to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed
+        fields include vlan.id and vlan.name. Inner vlan fields are typically used
         when sending traffic with multiple 802.1q encapsulations to a network sensor
         (e.g. Zeek, Wireshark.)
       default_field: false
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index a209023534..08277b4372 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -4019,11 +4019,17 @@ network.community_id:
   type: keyword
 network.direction:
   dashed_name: network-direction
-  description: "Direction of the network traffic.\nRecommended values are:\n  * inbound\n\
-    \  * outbound\n  * internal\n  * external\n  * unknown\n\nWhen mapping events\
-    \ from a host-based monitoring context, populate this field from the host's point\
-    \ of view.\nWhen mapping events from a network or perimeter-based monitoring context,\
-    \ populate this field from the point of view of your network perimeter."
+  description: "Direction of the network traffic.\nRecommended values are:\n  * ingress\n\
+    \  * egress\n  * inbound\n  * outbound\n  * internal\n  * external\n  * unknown\n\
+    \nWhen mapping events from a host-based monitoring context, populate this field\
+    \ from the host's point of view, using the values \"ingress\" or \"egress\".\n\
+    When mapping events from a network or perimeter-based monitoring context, populate\
+    \ this field from the point of view of the network perimeter, using the values\
+    \ \"inbound\", \"outbound\", \"internal\" or \"external\".\nNote that \"internal\"\
+    \ is not crossing perimeter boundaries, and is meant to describe communication\
+    \ between two hosts within the perimeter. Note also that \"external\" is meant\
+    \ to describe traffic between two hosts that are external to the perimeter. This\
+    \ could for example be useful for ISPs or VPN service providers."
   example: inbound
   flat_name: network.direction
   ignore_above: 1024
@@ -4058,8 +4064,8 @@ network.iana_number:
 network.inner:
   dashed_name: network-inner
   description: Network.inner fields are added in addition to network.vlan fields to
-    describe  the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields
-    include  vlan.id and vlan.name. Inner vlan fields are typically used when sending
+    describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields
+    include vlan.id and vlan.name. Inner vlan fields are typically used when sending
     traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.)
   flat_name: network.inner
   level: extended
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index 2189a64503..b4fecef933 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -4768,11 +4768,17 @@ network:
     network.direction:
       dashed_name: network-direction
       description: "Direction of the network traffic.\nRecommended values are:\n \
-        \ * inbound\n  * outbound\n  * internal\n  * external\n  * unknown\n\nWhen\
-        \ mapping events from a host-based monitoring context, populate this field\
-        \ from the host's point of view.\nWhen mapping events from a network or perimeter-based\
-        \ monitoring context, populate this field from the point of view of your network\
-        \ perimeter."
+        \ * ingress\n  * egress\n  * inbound\n  * outbound\n  * internal\n  * external\n\
+        \  * unknown\n\nWhen mapping events from a host-based monitoring context,\
+        \ populate this field from the host's point of view, using the values \"ingress\"\
+        \ or \"egress\".\nWhen mapping events from a network or perimeter-based monitoring\
+        \ context, populate this field from the point of view of the network perimeter,\
+        \ using the values \"inbound\", \"outbound\", \"internal\" or \"external\"\
+        .\nNote that \"internal\" is not crossing perimeter boundaries, and is meant\
+        \ to describe communication between two hosts within the perimeter. Note also\
+        \ that \"external\" is meant to describe traffic between two hosts that are\
+        \ external to the perimeter. This could for example be useful for ISPs or\
+        \ VPN service providers."
       example: inbound
       flat_name: network.direction
       ignore_above: 1024
@@ -4807,8 +4813,8 @@ network:
     network.inner:
       dashed_name: network-inner
       description: Network.inner fields are added in addition to network.vlan fields
-        to describe  the innermost VLAN when q-in-q VLAN tagging is present. Allowed
-        fields include  vlan.id and vlan.name. Inner vlan fields are typically used
+        to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed
+        fields include vlan.id and vlan.name. Inner vlan fields are typically used
         when sending traffic with multiple 802.1q encapsulations to a network sensor
         (e.g. Zeek, Wireshark.)
       flat_name: network.inner
diff --git a/schemas/network.yml b/schemas/network.yml
index 4b01088e9a..c6fed904b7 100644
--- a/schemas/network.yml
+++ b/schemas/network.yml
@@ -85,6 +85,8 @@
         Direction of the network traffic.
 
         Recommended values are:
+          * ingress
+          * egress
           * inbound
           * outbound
           * internal
@@ -92,10 +94,17 @@
           * unknown
 
         When mapping events from a host-based monitoring context, populate this
-        field from the host's point of view.
+        field from the host's point of view, using the values "ingress" or "egress".
 
         When mapping events from a network or perimeter-based monitoring context,
-        populate this field from the point of view of your network perimeter.
+        populate this field from the point of view of the network perimeter,
+        using the values "inbound", "outbound", "internal" or "external".
+
+        Note that "internal" is not crossing perimeter boundaries, and is meant
+        to describe communication between two hosts within the perimeter. Note also
+        that "external" is meant to describe traffic between two hosts that are
+        external to the perimeter. This could for example be useful for ISPs or
+        VPN service providers.
       example: inbound
 
     - name: forwarded_ip
@@ -138,14 +147,14 @@
 
         If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
       example: 24
-    
+
     # q-in-q vlan fields for identifying 802.1q nested vlans
     - name: inner
       level: extended
       type: object
       short: Inner VLAN tag information
       description: >
-        Network.inner fields are added in addition to network.vlan fields to describe 
-        the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include 
+        Network.inner fields are added in addition to network.vlan fields to describe
+        the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include
         vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic
         with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.)

From 4a49618ff70a199f155031fbb4e46c43779d2952 Mon Sep 17 00:00:00 2001
From: Mathieu Martin <mathieu.martin@elastic.co>
Date: Mon, 5 Oct 2020 10:40:32 -0400
Subject: [PATCH 21/90] Mention ECS Mapper in the main documentation (#987)
 (#1000)

Co-authored-by: Dan Roscigno <dan@roscigno.com>
---
 docs/converting.asciidoc | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/docs/converting.asciidoc b/docs/converting.asciidoc
index 1db1fc7818..b4edd76e1d 100644
--- a/docs/converting.asciidoc
+++ b/docs/converting.asciidoc
@@ -44,3 +44,18 @@ Here's the recommended approach for converting an existing implementation to {ec
 . Set `ecs.version` to the version of the schema you are conforming to. This will
   allow you to upgrade your sources, pipelines and content (like dashboards)
   smoothly in the future.
+
+[float]
+[[ecs-conv-spreasheet]]
+==== Using a spreadsheet to plan your migration
+
+Using a spreadsheet to plan the migration from pre-existing source fields to ECS
+is a common practice. It's a good way to address each of your fields methodically among colleagues.
+
+If the data source is either a structured log, or if you already have a pipeline
+producing events with these non-ECS field names, the tool
+https://github.com/elastic/ecs-mapper[ECS Mapper] may help you get started in performing all of these field renames.
+
+After exporting your mapping spreadsheet to CSV, ECS Mapper will convert your field mapping
+to equivalent pipelines for Beats, Elasticsearch, and Logstash. Learn more at
+https://github.com/elastic/ecs-mapper[ECS Mapper].

From 20ae5e0e359524d17c893549fbf90c0b5db5d2af Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Mon, 5 Oct 2020 10:22:53 -0500
Subject: [PATCH 22/90] [1.x] Introduce experimental artifacts (#993) (#1001)

Co-authored-by: Mathieu Martin <webmat@gmail.com>
---
 .gitignore                                    |     4 +
 Makefile                                      |     7 +-
 experimental/README.md                        |    26 +
 experimental/generated/beats/fields.ecs.yml   |  6063 +++++++++
 experimental/generated/csv/fields.csv         |   720 ++
 experimental/generated/ecs/ecs_flat.yml       |  8956 +++++++++++++
 experimental/generated/ecs/ecs_nested.yml     | 10663 ++++++++++++++++
 .../generated/elasticsearch/7/template.json   |  3332 +++++
 experimental/schemas/agent.yml                |     5 +
 experimental/schemas/as.yml                   |     5 +
 experimental/schemas/client.yml               |     7 +
 experimental/schemas/destination.yml          |     7 +
 experimental/schemas/dns.yml                  |     7 +
 experimental/schemas/error.yml                |     9 +
 experimental/schemas/event.yml                |     5 +
 experimental/schemas/file.yml                 |     9 +
 experimental/schemas/geo.yml                  |     5 +
 experimental/schemas/host.yml                 |     4 +
 experimental/schemas/http.yml                 |     9 +
 experimental/schemas/log.yml                  |     7 +
 experimental/schemas/organization.yml         |     5 +
 experimental/schemas/os.yml                   |     7 +
 experimental/schemas/pe.yml                   |     5 +
 experimental/schemas/process.yml              |    13 +
 experimental/schemas/registry.yml             |     9 +
 experimental/schemas/server.yml               |     7 +
 experimental/schemas/source.yml               |     7 +
 experimental/schemas/tls.yml                  |    11 +
 experimental/schemas/url.yml                  |    13 +
 experimental/schemas/user.yml                 |    17 +
 experimental/schemas/user_agent.yml           |     5 +
 experimental/schemas/x509.yml                 |     7 +
 32 files changed, 29955 insertions(+), 1 deletion(-)
 create mode 100644 experimental/README.md
 create mode 100644 experimental/generated/beats/fields.ecs.yml
 create mode 100644 experimental/generated/csv/fields.csv
 create mode 100644 experimental/generated/ecs/ecs_flat.yml
 create mode 100644 experimental/generated/ecs/ecs_nested.yml
 create mode 100644 experimental/generated/elasticsearch/7/template.json
 create mode 100644 experimental/schemas/agent.yml
 create mode 100644 experimental/schemas/as.yml
 create mode 100644 experimental/schemas/client.yml
 create mode 100644 experimental/schemas/destination.yml
 create mode 100644 experimental/schemas/dns.yml
 create mode 100644 experimental/schemas/error.yml
 create mode 100644 experimental/schemas/event.yml
 create mode 100644 experimental/schemas/file.yml
 create mode 100644 experimental/schemas/geo.yml
 create mode 100644 experimental/schemas/host.yml
 create mode 100644 experimental/schemas/http.yml
 create mode 100644 experimental/schemas/log.yml
 create mode 100644 experimental/schemas/organization.yml
 create mode 100644 experimental/schemas/os.yml
 create mode 100644 experimental/schemas/pe.yml
 create mode 100644 experimental/schemas/process.yml
 create mode 100644 experimental/schemas/registry.yml
 create mode 100644 experimental/schemas/server.yml
 create mode 100644 experimental/schemas/source.yml
 create mode 100644 experimental/schemas/tls.yml
 create mode 100644 experimental/schemas/url.yml
 create mode 100644 experimental/schemas/user.yml
 create mode 100644 experimental/schemas/user_agent.yml
 create mode 100644 experimental/schemas/x509.yml

diff --git a/.gitignore b/.gitignore
index 20c4de146e..a3cabe1d6a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,7 @@ build
 .idea
 *.iml
 .vscode/*
+
+# experimental exclusions
+experimental/generated/elasticsearch/6
+experimental/generated/docs
diff --git a/Makefile b/Makefile
index 37617d391e..4261504635 100644
--- a/Makefile
+++ b/Makefile
@@ -15,7 +15,7 @@ VERSION          := $(shell cat version)
 # Check verifies that all of the committed files that are generated are
 # up-to-date.
 .PHONY: check
-check: generate test fmt misspell makelint check-license-headers
+check: generate experimental test fmt misspell makelint check-license-headers
 	# Check if diff is empty.
 	git diff | cat
 	git update-index --refresh
@@ -46,6 +46,11 @@ docs:
 	fi
 	./build/docs/build_docs --asciidoctor --doc ./docs/index.asciidoc --chunk=1 $(OPEN_DOCS) --out ./build/html_docs
 
+# Alias to generate experimental artifacts
+.PHONY: experimental
+experimental: ve
+	$(PYTHON) scripts/generator.py --include experimental/schemas --out experimental
+
 # Format code and files in the repo.
 .PHONY: fmt
 fmt: ve
diff --git a/experimental/README.md b/experimental/README.md
new file mode 100644
index 0000000000..c9141e8e6a
--- /dev/null
+++ b/experimental/README.md
@@ -0,0 +1,26 @@
+# ECS Experimental Definitions
+
+ECS experimental definitions are changes and features which have reached [stage two](https://elastic.github.io/ecs/stages.html) in the ECS [RFC process](../rfcs)
+
+Stage two changes only appear in the experimental artifacts in this directory, but aren't yet reflected in the official ECS documentation.
+Note that stage three and four proposals do appear in the official ECS documentation.
+
+These experimental changes to ECS are comprehensive but not necessarily final. They are also still subject to breaking changes.
+
+## Schema Files
+
+The [experimental/schemas](./schemas) directory contains the YAML files for the experimental field definitions. These are not always complete schemas. They can also be supplemental changes to be merged with the official schema spec, using the `--include` generator flag.
+
+If you use the ECS generator script as described in [USAGE.md](../USAGE.md) to maintain your custom index templates, here's how you can try these experimental changes in your project:
+
+```sh
+$ python scripts/generator.py --include experimental/schemas \
+    --include ../myproject/fields/custom/ \
+    --out ../myproject/fields/generated
+```
+
+The above would include all experimental changes to ECS along with your custom fields, and output the artifacts in `myproject/fields/generated`.
+
+## Generated Artifacts
+
+Various files generated based on the experimental ECS spec. The artifacts are generated using `make experimental` and published [here](./generated).
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
new file mode 100644
index 0000000000..35064b122e
--- /dev/null
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -0,0 +1,6063 @@
+# WARNING! Do not edit this file directly, it was generated by the ECS project,
+# based on ECS version 1.7.0-dev.
+# Please visit https://github.com/elastic/ecs to suggest changes to ECS fields.
+
+- key: ecs
+  title: ECS
+  description: ECS Fields.
+  fields:
+  - name: '@timestamp'
+    level: core
+    required: true
+    type: date
+    description: 'Date/time when the event originated.
+
+      This is the date/time extracted from the event, typically representing when
+      the event was generated by the source.
+
+      If the event source has no original timestamp, this value is typically populated
+      by the first time the event was received by the pipeline.
+
+      Required field for all events.'
+    example: '2016-05-23T08:05:34.853Z'
+  - name: labels
+    level: core
+    type: object
+    object_type: keyword
+    description: 'Custom key/value pairs.
+
+      Can be used to add meta information to events. Should not contain nested objects.
+      All values are stored as keyword.
+
+      Example: `docker` and `k8s` labels.'
+    example: '{"application": "foo-bar", "env": "production"}'
+  - name: message
+    level: core
+    type: text
+    description: 'For log events the message field contains the log message, optimized
+      for viewing in a log viewer.
+
+      For structured logs without an original message field, other fields can be concatenated
+      to form a human-readable summary of the event.
+
+      If multiple messages exist, they can be combined into one message.'
+    example: Hello World
+  - name: tags
+    level: core
+    type: keyword
+    ignore_above: 1024
+    description: List of keywords used to tag each event.
+    example: '["production", "env2"]'
+  - name: agent
+    title: Agent
+    group: 2
+    description: 'The agent fields contain the data about the software entity, if
+      any, that collects, detects, or observes events on a host, or takes measurements
+      on a host.
+
+      Examples include Beats. Agents may also run on observers. ECS agent.* fields
+      shall be populated with details of the agent running on the host or observer
+      where the event happened or the measurement was taken.'
+    footnote: 'Examples: In the case of Beats for logs, the agent.name is filebeat.
+      For APM, it is the agent running in the app/service. The agent information does
+      not change if data is sent through queuing systems like Kafka, Redis, or processing
+      systems such as Logstash or APM Server.'
+    type: group
+    fields:
+    - name: build.original
+      level: core
+      type: wildcard
+      description: 'Extended build information for the agent.
+
+        This field is intended to contain any build information that a data source
+        may provide, no specific formatting is required.'
+      example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c
+        built 2020-02-05 23:10:10 +0000 UTC]
+      default_field: false
+    - name: ephemeral_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Ephemeral identifier of this agent (if one exists).
+
+        This id normally changes across restarts, but `agent.id` does not.'
+      example: 8a4f500f
+    - name: id
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Unique identifier of this agent (if one exists).
+
+        Example: For Beats this would be beat.id.'
+      example: 8a4f500d
+    - name: name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Custom name of the agent.
+
+        This is a name that can be given to an agent. This can be helpful if for example
+        two Filebeat instances are running on the same host but a human readable separation
+        is needed on which Filebeat instance data is coming from.
+
+        If no name is given, the name is often left empty.'
+      example: foo
+    - name: type
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Type of the agent.
+
+        The agent type always stays the same and should be given by the agent used.
+        In case of Filebeat the agent would always be Filebeat also if two Filebeat
+        instances are run on the same machine.'
+      example: filebeat
+    - name: version
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Version of the agent.
+      example: 6.0.0-rc2
+  - name: as
+    title: Autonomous System
+    group: 2
+    description: An autonomous system (AS) is a collection of connected Internet Protocol
+      (IP) routing prefixes under the control of one or more network operators on
+      behalf of a single administrative entity or domain that presents a common, clearly
+      defined routing policy to the internet.
+    type: group
+    fields:
+    - name: number
+      level: extended
+      type: long
+      description: Unique number allocated to the autonomous system. The autonomous
+        system number (ASN) uniquely identifies each network on the Internet.
+      example: 15169
+    - name: organization.name
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: Organization name.
+      example: Google LLC
+  - name: client
+    title: Client
+    group: 2
+    description: 'A client is defined as the initiator of a network connection for
+      events regarding sessions, connections, or bidirectional flow records.
+
+      For TCP events, the client is the initiator of the TCP connection that sends
+      the SYN packet(s). For other protocols, the client is generally the initiator
+      or requestor in the network transaction. Some systems use the term "originator"
+      to refer the client in TCP connections. The client fields describe details about
+      the system acting as the client in the network event. Client fields are usually
+      populated in conjunction with server fields. Client fields are generally not
+      populated for packet-level events.
+
+      Client / server representations can add semantic context to an exchange, which
+      is helpful to visualize the data in certain situations. If your context falls
+      in that category, you should still ensure that source and destination are filled
+      appropriately.'
+    type: group
+    fields:
+    - name: address
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Some event client addresses are defined ambiguously. The event
+        will sometimes list an IP, a domain or a unix socket.  You should always store
+        the raw address in the `.address` field.
+
+        Then it should be duplicated to `.ip` or `.domain`, depending on which one
+        it is.'
+    - name: as.number
+      level: extended
+      type: long
+      description: Unique number allocated to the autonomous system. The autonomous
+        system number (ASN) uniquely identifies each network on the Internet.
+      example: 15169
+    - name: as.organization.name
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: Organization name.
+      example: Google LLC
+    - name: bytes
+      level: core
+      type: long
+      format: bytes
+      description: Bytes sent from the client to the server.
+      example: 184
+    - name: domain
+      level: core
+      type: wildcard
+      description: Client domain.
+    - name: geo.city_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: City name.
+      example: Montreal
+    - name: geo.continent_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Name of the continent.
+      example: North America
+    - name: geo.country_iso_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Country ISO code.
+      example: CA
+    - name: geo.country_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Country name.
+      example: Canada
+    - name: geo.location
+      level: core
+      type: geo_point
+      description: Longitude and latitude.
+      example: '{ "lon": -73.614830, "lat": 45.505918 }'
+    - name: geo.name
+      level: extended
+      type: wildcard
+      description: 'User-defined description of a location, at the level of granularity
+        they care about.
+
+        Could be the name of their data centers, the floor number, if this describes
+        a local physical entity, city names.
+
+        Not typically used in automated geolocation.'
+      example: boston-dc
+    - name: geo.region_iso_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Region ISO code.
+      example: CA-QC
+    - name: geo.region_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Region name.
+      example: Quebec
+    - name: ip
+      level: core
+      type: ip
+      description: IP address of the client (IPv4 or IPv6).
+    - name: mac
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: MAC address of the client.
+    - name: nat.ip
+      level: extended
+      type: ip
+      description: 'Translated IP of source based NAT sessions (e.g. internal client
+        to internet).
+
+        Typically connections traversing load balancers, firewalls, or routers.'
+    - name: nat.port
+      level: extended
+      type: long
+      format: string
+      description: 'Translated port of source based NAT sessions (e.g. internal client
+        to internet).
+
+        Typically connections traversing load balancers, firewalls, or routers.'
+    - name: packets
+      level: core
+      type: long
+      description: Packets sent from the client to the server.
+      example: 12
+    - name: port
+      level: core
+      type: long
+      format: string
+      description: Port of the client.
+    - name: registered_domain
+      level: extended
+      type: wildcard
+      description: 'The highest registered client domain, stripped of the subdomain.
+
+        For example, the registered domain for "foo.example.com" is "example.com".
+
+        This value can be determined precisely with a list like the public suffix
+        list (http://publicsuffix.org). Trying to approximate this by simply taking
+        the last two labels will not work well for TLDs such as "co.uk".'
+      example: example.com
+    - name: subdomain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The subdomain portion of a fully qualified domain name includes
+        all of the names except the host name under the registered_domain.  In a partially
+        qualified domain, or if the the qualification level of the full name cannot
+        be determined, subdomain contains all of the names below the registered domain.
+
+        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.'
+      example: east
+      default_field: false
+    - name: top_level_domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The effective top level domain (eTLD), also known as the domain
+        suffix, is the last part of the domain name. For example, the top level domain
+        for example.com is "com".
+
+        This value can be determined precisely with a list like the public suffix
+        list (http://publicsuffix.org). Trying to approximate this by simply taking
+        the last label will not work well for effective TLDs such as "co.uk".'
+      example: co.uk
+    - name: user.domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the user is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+    - name: user.email
+      level: extended
+      type: wildcard
+      description: User email address.
+    - name: user.full_name
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: User's full name, if available.
+      example: Albert Einstein
+    - name: user.group.domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+    - name: user.group.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier for the group on the system/platform.
+    - name: user.group.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the group.
+    - name: user.hash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Unique user hash to correlate information for a user in anonymized
+        form.
+
+        Useful if `user.id` or `user.name` contain confidential information and cannot
+        be used.'
+    - name: user.id
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier of the user.
+    - name: user.name
+      level: core
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: Short name or login of the user.
+      example: albert
+    - name: user.roles
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Array of user roles at the time of the event.
+      example: '["kibana_admin", "reporting_user"]'
+      default_field: false
+  - name: cloud
+    title: Cloud
+    group: 2
+    description: Fields related to the cloud or infrastructure the events are coming
+      from.
+    footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data
+      from its host, the cloud info contains the data about this machine. If Metricbeat
+      runs on a remote machine outside the cloud and fetches data from a service running
+      in the cloud, the field contains cloud data from the machine the service is
+      running on.'
+    type: group
+    fields:
+    - name: account.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The cloud account or organization id used to identify different
+        entities in a multi-tenant environment.
+
+        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+      example: 666777888999
+    - name: account.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The cloud account name or alias used to identify different entities
+        in a multi-tenant environment.
+
+        Examples: AWS account name, Google Cloud ORG display name.'
+      example: elastic-dev
+      default_field: false
+    - name: availability_zone
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Availability zone in which this host is running.
+      example: us-east-1c
+    - name: instance.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Instance ID of the host machine.
+      example: i-1234567890abcdef0
+    - name: instance.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Instance name of the host machine.
+    - name: machine.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Machine type of the host machine.
+      example: t2.medium
+    - name: project.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The cloud project identifier.
+
+        Examples: Google Cloud Project id, Azure Project id.'
+      example: my-project
+      default_field: false
+    - name: project.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The cloud project name.
+
+        Examples: Google Cloud Project name, Azure Project name.'
+      example: my project
+      default_field: false
+    - name: provider
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the cloud provider. Example values are aws, azure, gcp,
+        or digitalocean.
+      example: aws
+    - name: region
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Region in which this host is running.
+      example: us-east-1
+  - name: code_signature
+    title: Code Signature
+    group: 2
+    description: These fields contain information about binary code signatures.
+    type: group
+    fields:
+    - name: exists
+      level: core
+      type: boolean
+      description: Boolean to capture if a signature is present.
+      example: 'true'
+      default_field: false
+    - name: status
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Additional information about the certificate status.
+
+        This is useful for logging cryptographic errors with the certificate validity
+        or trust status. Leave unpopulated if the validity or trust of the certificate
+        was unchecked.'
+      example: ERROR_UNTRUSTED_ROOT
+      default_field: false
+    - name: subject_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Subject name of the code signer
+      example: Microsoft Corporation
+      default_field: false
+    - name: trusted
+      level: extended
+      type: boolean
+      description: 'Stores the trust status of the certificate chain.
+
+        Validating the trust of the certificate chain may be complicated, and this
+        field should only be populated by tools that actively check the status.'
+      example: 'true'
+      default_field: false
+    - name: valid
+      level: extended
+      type: boolean
+      description: 'Boolean to capture if the digital signature is verified against
+        the binary content.
+
+        Leave unpopulated if a certificate was unchecked.'
+      example: 'true'
+      default_field: false
+  - name: container
+    title: Container
+    group: 2
+    description: 'Container fields are used for meta information about the specific
+      container that is the source of information.
+
+      These fields help correlate data based containers from any runtime.'
+    type: group
+    fields:
+    - name: id
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Unique container id.
+    - name: image.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the image the container was built on.
+    - name: image.tag
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Container image tags.
+    - name: labels
+      level: extended
+      type: object
+      object_type: keyword
+      description: Image labels.
+    - name: name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Container name.
+    - name: runtime
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Runtime managing this container.
+      example: docker
+  - name: destination
+    title: Destination
+    group: 2
+    description: 'Destination fields capture details about the receiver of a network
+      exchange/packet. These fields are populated from a network event, packet, or
+      other event containing details of a network transaction.
+
+      Destination fields are usually populated in conjunction with source fields.
+      The source and destination fields are considered the baseline and should always
+      be filled if an event contains source and destination details from a network
+      transaction. If the event also contains identification of the client and server
+      roles, then the client and server fields should also be populated.'
+    type: group
+    fields:
+    - name: address
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Some event destination addresses are defined ambiguously. The
+        event will sometimes list an IP, a domain or a unix socket.  You should always
+        store the raw address in the `.address` field.
+
+        Then it should be duplicated to `.ip` or `.domain`, depending on which one
+        it is.'
+    - name: as.number
+      level: extended
+      type: long
+      description: Unique number allocated to the autonomous system. The autonomous
+        system number (ASN) uniquely identifies each network on the Internet.
+      example: 15169
+    - name: as.organization.name
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: Organization name.
+      example: Google LLC
+    - name: bytes
+      level: core
+      type: long
+      format: bytes
+      description: Bytes sent from the destination to the source.
+      example: 184
+    - name: domain
+      level: core
+      type: wildcard
+      description: Destination domain.
+    - name: geo.city_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: City name.
+      example: Montreal
+    - name: geo.continent_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Name of the continent.
+      example: North America
+    - name: geo.country_iso_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Country ISO code.
+      example: CA
+    - name: geo.country_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Country name.
+      example: Canada
+    - name: geo.location
+      level: core
+      type: geo_point
+      description: Longitude and latitude.
+      example: '{ "lon": -73.614830, "lat": 45.505918 }'
+    - name: geo.name
+      level: extended
+      type: wildcard
+      description: 'User-defined description of a location, at the level of granularity
+        they care about.
+
+        Could be the name of their data centers, the floor number, if this describes
+        a local physical entity, city names.
+
+        Not typically used in automated geolocation.'
+      example: boston-dc
+    - name: geo.region_iso_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Region ISO code.
+      example: CA-QC
+    - name: geo.region_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Region name.
+      example: Quebec
+    - name: ip
+      level: core
+      type: ip
+      description: IP address of the destination (IPv4 or IPv6).
+    - name: mac
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: MAC address of the destination.
+    - name: nat.ip
+      level: extended
+      type: ip
+      description: 'Translated ip of destination based NAT sessions (e.g. internet
+        to private DMZ)
+
+        Typically used with load balancers, firewalls, or routers.'
+    - name: nat.port
+      level: extended
+      type: long
+      format: string
+      description: 'Port the source session is translated to by NAT Device.
+
+        Typically used with load balancers, firewalls, or routers.'
+    - name: packets
+      level: core
+      type: long
+      description: Packets sent from the destination to the source.
+      example: 12
+    - name: port
+      level: core
+      type: long
+      format: string
+      description: Port of the destination.
+    - name: registered_domain
+      level: extended
+      type: wildcard
+      description: 'The highest registered destination domain, stripped of the subdomain.
+
+        For example, the registered domain for "foo.example.com" is "example.com".
+
+        This value can be determined precisely with a list like the public suffix
+        list (http://publicsuffix.org). Trying to approximate this by simply taking
+        the last two labels will not work well for TLDs such as "co.uk".'
+      example: example.com
+    - name: subdomain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The subdomain portion of a fully qualified domain name includes
+        all of the names except the host name under the registered_domain.  In a partially
+        qualified domain, or if the the qualification level of the full name cannot
+        be determined, subdomain contains all of the names below the registered domain.
+
+        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.'
+      example: east
+      default_field: false
+    - name: top_level_domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The effective top level domain (eTLD), also known as the domain
+        suffix, is the last part of the domain name. For example, the top level domain
+        for example.com is "com".
+
+        This value can be determined precisely with a list like the public suffix
+        list (http://publicsuffix.org). Trying to approximate this by simply taking
+        the last label will not work well for effective TLDs such as "co.uk".'
+      example: co.uk
+    - name: user.domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the user is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+    - name: user.email
+      level: extended
+      type: wildcard
+      description: User email address.
+    - name: user.full_name
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: User's full name, if available.
+      example: Albert Einstein
+    - name: user.group.domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+    - name: user.group.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier for the group on the system/platform.
+    - name: user.group.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the group.
+    - name: user.hash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Unique user hash to correlate information for a user in anonymized
+        form.
+
+        Useful if `user.id` or `user.name` contain confidential information and cannot
+        be used.'
+    - name: user.id
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier of the user.
+    - name: user.name
+      level: core
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: Short name or login of the user.
+      example: albert
+    - name: user.roles
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Array of user roles at the time of the event.
+      example: '["kibana_admin", "reporting_user"]'
+      default_field: false
+  - name: dll
+    title: DLL
+    group: 2
+    description: 'These fields contain information about code libraries dynamically
+      loaded into processes.
+
+
+      Many operating systems refer to "shared code libraries" with different names,
+      but this field set refers to all of the following:
+
+      * Dynamic-link library (`.dll`) commonly used on Windows
+
+      * Shared Object (`.so`) commonly used on Unix-like operating systems
+
+      * Dynamic library (`.dylib`) commonly used on macOS'
+    type: group
+    fields:
+    - name: code_signature.exists
+      level: core
+      type: boolean
+      description: Boolean to capture if a signature is present.
+      example: 'true'
+      default_field: false
+    - name: code_signature.status
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Additional information about the certificate status.
+
+        This is useful for logging cryptographic errors with the certificate validity
+        or trust status. Leave unpopulated if the validity or trust of the certificate
+        was unchecked.'
+      example: ERROR_UNTRUSTED_ROOT
+      default_field: false
+    - name: code_signature.subject_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Subject name of the code signer
+      example: Microsoft Corporation
+      default_field: false
+    - name: code_signature.trusted
+      level: extended
+      type: boolean
+      description: 'Stores the trust status of the certificate chain.
+
+        Validating the trust of the certificate chain may be complicated, and this
+        field should only be populated by tools that actively check the status.'
+      example: 'true'
+      default_field: false
+    - name: code_signature.valid
+      level: extended
+      type: boolean
+      description: 'Boolean to capture if the digital signature is verified against
+        the binary content.
+
+        Leave unpopulated if a certificate was unchecked.'
+      example: 'true'
+      default_field: false
+    - name: hash.md5
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: MD5 hash.
+      default_field: false
+    - name: hash.sha1
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SHA1 hash.
+      default_field: false
+    - name: hash.sha256
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SHA256 hash.
+      default_field: false
+    - name: hash.sha512
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SHA512 hash.
+      default_field: false
+    - name: name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the library.
+
+        This generally maps to the name of the file on disk.'
+      example: kernel32.dll
+      default_field: false
+    - name: path
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Full file path of the library.
+      example: C:\Windows\System32\kernel32.dll
+      default_field: false
+    - name: pe.architecture
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: CPU architecture target for the file.
+      example: x64
+      default_field: false
+    - name: pe.company
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal company name of the file, provided at compile-time.
+      example: Microsoft Corporation
+      default_field: false
+    - name: pe.description
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal description of the file, provided at compile-time.
+      example: Paint
+      default_field: false
+    - name: pe.file_version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal version of the file, provided at compile-time.
+      example: 6.3.9600.17415
+      default_field: false
+    - name: pe.imphash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'A hash of the imports in a PE file. An imphash -- or import hash
+        -- can be used to fingerprint binaries even after recompilation or other code-level
+        transformations have occurred, which would change more traditional hash values.
+
+        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+      example: 0c6803c4e922103c4dca5963aad36ddf
+      default_field: false
+    - name: pe.original_file_name
+      level: extended
+      type: wildcard
+      description: Internal name of the file, provided at compile-time.
+      example: MSPAINT.EXE
+      default_field: false
+    - name: pe.product
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal product name of the file, provided at compile-time.
+      example: "Microsoft\xAE Windows\xAE Operating System"
+      default_field: false
+  - name: dns
+    title: DNS
+    group: 2
+    description: 'Fields describing DNS queries and answers.
+
+      DNS events should either represent a single DNS query prior to getting answers
+      (`dns.type:query`) or they should represent a full exchange and contain the
+      query details as well as all of the answers that were provided for this query
+      (`dns.type:answer`).'
+    type: group
+    fields:
+    - name: answers.class
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The class of DNS data contained in this resource record.
+      example: IN
+    - name: answers.data
+      level: extended
+      type: wildcard
+      description: 'The data describing the resource.
+
+        The meaning of this data depends on the type and class of the resource record.'
+      example: 10.10.10.10
+    - name: answers.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The domain name to which this resource record pertains.
+
+        If a chain of CNAME is being resolved, each answer''s `name` should be the
+        one that corresponds with the answer''s `data`. It should not simply be the
+        original `question.name` repeated.'
+      example: www.example.com
+    - name: answers.ttl
+      level: extended
+      type: long
+      description: The time interval in seconds that this resource record may be cached
+        before it should be discarded. Zero values mean that the data should not be
+        cached.
+      example: 180
+    - name: answers.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The type of data contained in this resource record.
+      example: CNAME
+    - name: header_flags
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Array of 2 letter DNS header flags.
+
+        Expected values are: AA, TC, RD, RA, AD, CD, DO.'
+      example: '["RD", "RA"]'
+    - name: id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The DNS packet identifier assigned by the program that generated
+        the query. The identifier is copied to the response.
+      example: 62111
+    - name: op_code
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The DNS operation code that specifies the kind of query in the
+        message. This value is set by the originator of a query and copied into the
+        response.
+      example: QUERY
+    - name: question.class
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The class of records being queried.
+      example: IN
+    - name: question.name
+      level: extended
+      type: wildcard
+      description: 'The name being queried.
+
+        If the name field contains non-printable characters (below 32 or above 126),
+        those characters should be represented as escaped base 10 integers (\DDD).
+        Back slashes and quotes should be escaped. Tabs, carriage returns, and line
+        feeds should be converted to \t, \r, and \n respectively.'
+      example: www.example.com
+    - name: question.registered_domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The highest registered domain, stripped of the subdomain.
+
+        For example, the registered domain for "foo.example.com" is "example.com".
+
+        This value can be determined precisely with a list like the public suffix
+        list (http://publicsuffix.org). Trying to approximate this by simply taking
+        the last two labels will not work well for TLDs such as "co.uk".'
+      example: example.com
+    - name: question.subdomain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The subdomain is all of the labels under the registered_domain.
+
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.'
+      example: www
+    - name: question.top_level_domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The effective top level domain (eTLD), also known as the domain
+        suffix, is the last part of the domain name. For example, the top level domain
+        for example.com is "com".
+
+        This value can be determined precisely with a list like the public suffix
+        list (http://publicsuffix.org). Trying to approximate this by simply taking
+        the last label will not work well for effective TLDs such as "co.uk".'
+      example: co.uk
+    - name: question.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The type of record being queried.
+      example: AAAA
+    - name: resolved_ip
+      level: extended
+      type: ip
+      description: 'Array containing all IPs seen in `answers.data`.
+
+        The `answers` array can be difficult to use, because of the variety of data
+        formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip`
+        makes it possible to index them as IP addresses, and makes them easier to
+        visualize and query for.'
+      example: '["10.10.10.10", "10.10.10.11"]'
+    - name: response_code
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The DNS response code.
+      example: NOERROR
+    - name: type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The type of DNS event captured, query or answer.
+
+        If your source of DNS events only gives you DNS queries, you should only create
+        dns events of type `dns.type:query`.
+
+        If your source of DNS events gives you answers as well, you should create
+        one event per query (optionally as soon as the query is seen). And a second
+        event containing all query details as well as an array of answers.'
+      example: answer
+  - name: ecs
+    title: ECS
+    group: 2
+    description: Meta-information specific to ECS.
+    type: group
+    fields:
+    - name: version
+      level: core
+      required: true
+      type: keyword
+      ignore_above: 1024
+      description: 'ECS version this event conforms to. `ecs.version` is a required
+        field and must exist in all events.
+
+        When querying across multiple indices -- which may conform to slightly different
+        ECS versions -- this field lets integrations adjust to the schema version
+        of the events.'
+      example: 1.0.0
+  - name: error
+    title: Error
+    group: 2
+    description: 'These fields can represent errors of any kind.
+
+      Use them for errors that happen while fetching events or in cases where the
+      event itself contains an error.'
+    type: group
+    fields:
+    - name: code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Error code describing the error.
+    - name: id
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier for the error.
+    - name: message
+      level: core
+      type: text
+      description: Error message.
+    - name: stack_trace
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: The stack trace of this error in plain text.
+      index: true
+    - name: type
+      level: extended
+      type: wildcard
+      description: The type of the error, for example the class name of the exception.
+      example: java.lang.NullPointerException
+  - name: event
+    title: Event
+    group: 2
+    description: 'The event fields are used for context information about the log
+      or metric event itself.
+
+      A log is defined as an event containing details of something that happened.
+      Log events must include the time at which the thing happened. Examples of log
+      events include a process starting on a host, a network packet being sent from
+      a source to a destination, or a network connection between a client and a server
+      being initiated or closed. A metric is defined as an event containing one or
+      more numerical measurements and the time at which the measurement was taken.
+      Examples of metric events include memory pressure measured on a host and device
+      temperature. See the `event.kind` definition in this section for additional
+      details about metric and state events.'
+    type: group
+    fields:
+    - name: action
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'The action captured by the event.
+
+        This describes the information in the event. It is more specific than `event.category`.
+        Examples are `group-add`, `process-started`, `file-created`. The value is
+        normally defined by the implementer.'
+      example: user-password-change
+    - name: category
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'This is one of four ECS Categorization Fields, and indicates the
+        second level in the ECS category hierarchy.
+
+        `event.category` represents the "big buckets" of ECS categories. For example,
+        filtering on `event.category:process` yields all events relating to process
+        activity. This field is closely related to `event.type`, which is used as
+        a subcategory.
+
+        This field is an array. This will allow proper categorization of some events
+        that fall in multiple categories.'
+      example: authentication
+    - name: code
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Identification code for this event, if one exists.
+
+        Some event sources use event codes to identify messages unambiguously, regardless
+        of message language or wording adjustments over time. An example of this is
+        the Windows Event ID.'
+      example: 4648
+    - name: created
+      level: core
+      type: date
+      description: 'event.created contains the date/time when the event was first
+        read by an agent, or by your pipeline.
+
+        This field is distinct from @timestamp in that @timestamp typically contain
+        the time extracted from the original event.
+
+        In most situations, these two timestamps will be slightly different. The difference
+        can be used to calculate the delay between your source generating an event,
+        and the time when your agent first processed it. This can be used to monitor
+        your agent''s or pipeline''s ability to keep up with your event source.
+
+        In case the two timestamps are identical, @timestamp should be used.'
+      example: '2016-05-23T08:05:34.857Z'
+    - name: dataset
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the dataset.
+
+        If an event source publishes more than one type of log or events (e.g. access
+        log, error log), the dataset is used to specify which one the event comes
+        from.
+
+        It''s recommended but not required to start the dataset name with the module
+        name, followed by a dot, then the dataset name.'
+      example: apache.access
+    - name: duration
+      level: core
+      type: long
+      format: duration
+      input_format: nanoseconds
+      output_format: asMilliseconds
+      output_precision: 1
+      description: 'Duration of the event in nanoseconds.
+
+        If event.start and event.end are known this value should be the difference
+        between the end and start time.'
+    - name: end
+      level: extended
+      type: date
+      description: event.end contains the date when the event ended or when the activity
+        was last observed.
+    - name: hash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Hash (perhaps logstash fingerprint) of raw field to be able to
+        demonstrate log integrity.
+      example: 123456789012345678901234567890ABCD
+    - name: id
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Unique ID to describe the event.
+      example: 8a4f500d
+    - name: ingested
+      level: core
+      type: date
+      description: 'Timestamp when an event arrived in the central data store.
+
+        This is different from `@timestamp`, which is when the event originally occurred.  It''s
+        also different from `event.created`, which is meant to capture the first time
+        an agent saw the event.
+
+        In normal conditions, assuming no tampering, the timestamps should chronologically
+        look like this: `@timestamp` < `event.created` < `event.ingested`.'
+      example: '2016-05-23T08:05:35.101Z'
+      default_field: false
+    - name: kind
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'This is one of four ECS Categorization Fields, and indicates the
+        highest level in the ECS category hierarchy.
+
+        `event.kind` gives high-level information about what type of information the
+        event contains, without being specific to the contents of the event. For example,
+        values of this field distinguish alert events from metric events.
+
+        The value of this field can be used to inform how these kinds of events should
+        be handled. They may warrant different retention, different access control,
+        it may also help understand whether the data coming in at a regular interval
+        or not.'
+      example: alert
+    - name: module
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the module this data is coming from.
+
+        If your monitoring agent supports the concept of modules or plugins to process
+        events of a given source (e.g. Apache logs), `event.module` should contain
+        the name of this module.'
+      example: apache
+    - name: original
+      level: core
+      type: wildcard
+      description: 'Raw text message of entire event. Used to demonstrate log integrity.
+
+        This field is not indexed and doc_values are disabled. It cannot be searched,
+        but it can be retrieved from `_source`.'
+      example: Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124;
+        worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232
+      index: false
+    - name: outcome
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'This is one of four ECS Categorization Fields, and indicates the
+        lowest level in the ECS category hierarchy.
+
+        `event.outcome` simply denotes whether the event represents a success or a
+        failure from the perspective of the entity that produced the event.
+
+        Note that when a single transaction is described in multiple events, each
+        event may populate different values of `event.outcome`, according to their
+        perspective.
+
+        Also note that in the case of a compound event (a single event that contains
+        multiple logical events), this field should be populated with the value that
+        best captures the overall success or failure from the perspective of the event
+        producer.
+
+        Further note that not all events will have an associated outcome. For example,
+        this field is generally not populated for metric events, events with `event.type:info`,
+        or any events for which an outcome does not make logical sense.'
+      example: success
+    - name: provider
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Source of the event.
+
+        Event transports such as Syslog or the Windows Event Log typically mention
+        the source of an event. It can be the name of the software that generated
+        the event (e.g. Sysmon, httpd), or of a subsystem of the operating system
+        (kernel, Microsoft-Windows-Security-Auditing).'
+      example: kernel
+    - name: reason
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Reason why this event happened, according to the source.
+
+        This describes the why of a particular action or outcome captured in the event.
+        Where `event.action` captures the action from the event, `event.reason` describes
+        why that action was taken. For example, a web proxy with an `event.action`
+        which denied the request may also populate `event.reason` with the reason
+        why (e.g. `blocked site`).'
+      example: Terminated an unexpected process
+      default_field: false
+    - name: reference
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Reference URL linking to additional information about this event.
+
+        This URL links to a static definition of the this event. Alert events, indicated
+        by `event.kind:alert`, are a common use case for this field.'
+      example: https://system.example.com/event/#0001234
+      default_field: false
+    - name: risk_score
+      level: core
+      type: float
+      description: Risk score or priority of the event (e.g. security solutions).
+        Use your system's original value here.
+    - name: risk_score_norm
+      level: extended
+      type: float
+      description: 'Normalized risk score or priority of the event, on a scale of
+        0 to 100.
+
+        This is mainly useful if you use more than one system that assigns risk scores,
+        and you want to see a normalized value across all systems.'
+    - name: sequence
+      level: extended
+      type: long
+      format: string
+      description: 'Sequence number of the event.
+
+        The sequence number is a value published by some event sources, to make the
+        exact ordering of events unambiguous, regardless of the timestamp precision.'
+    - name: severity
+      level: core
+      type: long
+      format: string
+      description: 'The numeric severity of the event according to your event source.
+
+        What the different severity values mean can be different between sources and
+        use cases. It''s up to the implementer to make sure severities are consistent
+        across events from the same source.
+
+        The Syslog severity belongs in `log.syslog.severity.code`. `event.severity`
+        is meant to represent the severity according to the event source (e.g. firewall,
+        IDS). If the event source does not publish its own severity, you may optionally
+        copy the `log.syslog.severity.code` to `event.severity`.'
+      example: 7
+    - name: start
+      level: extended
+      type: date
+      description: event.start contains the date when the event started or when the
+        activity was first observed.
+    - name: timezone
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'This field should be populated when the event''s timestamp does
+        not include timezone information already (e.g. default Syslog timestamps).
+        It''s optional otherwise.
+
+        Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"),
+        abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").'
+    - name: type
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'This is one of four ECS Categorization Fields, and indicates the
+        third level in the ECS category hierarchy.
+
+        `event.type` represents a categorization "sub-bucket" that, when used along
+        with the `event.category` field values, enables filtering events down to a
+        level appropriate for single visualization.
+
+        This field is an array. This will allow proper categorization of some events
+        that fall in multiple event types.'
+    - name: url
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'URL linking to an external system to continue investigation of
+        this event.
+
+        This URL links to another system where in-depth investigation of the specific
+        occurrence of this event can take place. Alert events, indicated by `event.kind:alert`,
+        are a common use case for this field.'
+      example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe
+      default_field: false
+  - name: file
+    title: File
+    group: 2
+    description: 'A file is defined as a set of information that has been created
+      on, or has existed on a filesystem.
+
+      File objects can be associated with host events, network events, and/or file
+      events (e.g., those produced by File Integrity Monitoring [FIM] products or
+      services). File fields provide details about the affected file associated with
+      the event or metric.'
+    type: group
+    fields:
+    - name: accessed
+      level: extended
+      type: date
+      description: 'Last time the file was accessed.
+
+        Note that not all filesystems keep track of access time.'
+    - name: attributes
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Array of file attributes.
+
+        Attributes names will vary by platform. Here''s a non-exhaustive list of values
+        that are expected in this field: archive, compressed, directory, encrypted,
+        execute, hidden, read, readonly, system, write.'
+      example: '["readonly", "system"]'
+      default_field: false
+    - name: code_signature.exists
+      level: core
+      type: boolean
+      description: Boolean to capture if a signature is present.
+      example: 'true'
+      default_field: false
+    - name: code_signature.status
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Additional information about the certificate status.
+
+        This is useful for logging cryptographic errors with the certificate validity
+        or trust status. Leave unpopulated if the validity or trust of the certificate
+        was unchecked.'
+      example: ERROR_UNTRUSTED_ROOT
+      default_field: false
+    - name: code_signature.subject_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Subject name of the code signer
+      example: Microsoft Corporation
+      default_field: false
+    - name: code_signature.trusted
+      level: extended
+      type: boolean
+      description: 'Stores the trust status of the certificate chain.
+
+        Validating the trust of the certificate chain may be complicated, and this
+        field should only be populated by tools that actively check the status.'
+      example: 'true'
+      default_field: false
+    - name: code_signature.valid
+      level: extended
+      type: boolean
+      description: 'Boolean to capture if the digital signature is verified against
+        the binary content.
+
+        Leave unpopulated if a certificate was unchecked.'
+      example: 'true'
+      default_field: false
+    - name: created
+      level: extended
+      type: date
+      description: 'File creation time.
+
+        Note that not all filesystems store the creation time.'
+    - name: ctime
+      level: extended
+      type: date
+      description: 'Last time the file attributes or metadata changed.
+
+        Note that changes to the file content will update `mtime`. This implies `ctime`
+        will be adjusted at the same time, since `mtime` is an attribute of the file.'
+    - name: device
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Device that is the source of the file.
+      example: sda
+    - name: directory
+      level: extended
+      type: wildcard
+      description: Directory where the file is located. It should include the drive
+        letter, when appropriate.
+      example: /home/alice
+    - name: drive_letter
+      level: extended
+      type: keyword
+      ignore_above: 1
+      description: 'Drive letter where the file is located. This field is only relevant
+        on Windows.
+
+        The value should be uppercase, and not include the colon.'
+      example: C
+      default_field: false
+    - name: extension
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: File extension.
+      example: png
+    - name: gid
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Primary group ID (GID) of the file.
+      example: '1001'
+    - name: group
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Primary group name of the file.
+      example: alice
+    - name: hash.md5
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: MD5 hash.
+    - name: hash.sha1
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SHA1 hash.
+    - name: hash.sha256
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SHA256 hash.
+    - name: hash.sha512
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SHA512 hash.
+    - name: inode
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Inode representing the file in the filesystem.
+      example: '256383'
+    - name: mime_type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: MIME type should identify the format of the file or stream of bytes
+        using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA
+        official types], where possible. When more than one type is applicable, the
+        most specific type should be used.
+      default_field: false
+    - name: mode
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Mode of the file in octal representation.
+      example: '0640'
+    - name: mtime
+      level: extended
+      type: date
+      description: Last time the file content was modified.
+    - name: name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the file including the extension, without the directory.
+      example: example.png
+    - name: owner
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: File owner's username.
+      example: alice
+    - name: path
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: Full path to the file, including the file name. It should include
+        the drive letter, when appropriate.
+      example: /home/alice/example.png
+    - name: pe.architecture
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: CPU architecture target for the file.
+      example: x64
+      default_field: false
+    - name: pe.company
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal company name of the file, provided at compile-time.
+      example: Microsoft Corporation
+      default_field: false
+    - name: pe.description
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal description of the file, provided at compile-time.
+      example: Paint
+      default_field: false
+    - name: pe.file_version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal version of the file, provided at compile-time.
+      example: 6.3.9600.17415
+      default_field: false
+    - name: pe.imphash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'A hash of the imports in a PE file. An imphash -- or import hash
+        -- can be used to fingerprint binaries even after recompilation or other code-level
+        transformations have occurred, which would change more traditional hash values.
+
+        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+      example: 0c6803c4e922103c4dca5963aad36ddf
+      default_field: false
+    - name: pe.original_file_name
+      level: extended
+      type: wildcard
+      description: Internal name of the file, provided at compile-time.
+      example: MSPAINT.EXE
+      default_field: false
+    - name: pe.product
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal product name of the file, provided at compile-time.
+      example: "Microsoft\xAE Windows\xAE Operating System"
+      default_field: false
+    - name: size
+      level: extended
+      type: long
+      description: 'File size in bytes.
+
+        Only relevant when `file.type` is "file".'
+      example: 16384
+    - name: target_path
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: Target path for symlinks.
+    - name: type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: File type (file, dir, or symlink).
+      example: file
+    - name: uid
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The user ID (UID) or security identifier (SID) of the file owner.
+      example: '1001'
+    - name: x509.alternative_names
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of subject alternative names (SAN). Name types vary by certificate
+        authority and certificate type but commonly contain IP addresses, DNS names
+        (and wildcards), and email addresses.
+      example: '*.elastic.co'
+      default_field: false
+    - name: x509.issuer.common_name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of common name (CN) of issuing certificate authority.
+      example: Example SHA2 High Assurance Server CA
+      default_field: false
+    - name: x509.issuer.country
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of country (C) codes
+      example: US
+      default_field: false
+    - name: x509.issuer.distinguished_name
+      level: extended
+      type: wildcard
+      description: Distinguished name (DN) of issuing certificate authority.
+      example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
+        Server CA
+      default_field: false
+    - name: x509.issuer.locality
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of locality names (L)
+      example: Mountain View
+      default_field: false
+    - name: x509.issuer.organization
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of organizations (O) of issuing certificate authority.
+      example: Example Inc
+      default_field: false
+    - name: x509.issuer.organizational_unit
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of organizational units (OU) of issuing certificate authority.
+      example: www.example.com
+      default_field: false
+    - name: x509.issuer.state_or_province
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of state or province names (ST, S, or P)
+      example: California
+      default_field: false
+    - name: x509.not_after
+      level: extended
+      type: date
+      description: Time at which the certificate is no longer considered valid.
+      example: 2020-07-16 03:15:39+00:00
+      default_field: false
+    - name: x509.not_before
+      level: extended
+      type: date
+      description: Time at which the certificate is first considered valid.
+      example: 2019-08-16 01:40:25+00:00
+      default_field: false
+    - name: x509.public_key_algorithm
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Algorithm used to generate the public key.
+      example: RSA
+      default_field: false
+    - name: x509.public_key_curve
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The curve used by the elliptic curve public key algorithm. This
+        is algorithm specific.
+      example: nistp521
+      default_field: false
+    - name: x509.public_key_exponent
+      level: extended
+      type: long
+      description: Exponent used to derive the public key. This is algorithm specific.
+      example: 65537
+      index: false
+      default_field: false
+    - name: x509.public_key_size
+      level: extended
+      type: long
+      description: The size of the public key space in bits.
+      example: 2048
+      default_field: false
+    - name: x509.serial_number
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Unique serial number issued by the certificate authority. For consistency,
+        if this value is alphanumeric, it should be formatted without colons and uppercase
+        characters.
+      example: 55FBB9C7DEBF09809D12CCAA
+      default_field: false
+    - name: x509.signature_algorithm
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Identifier for certificate signature algorithm. We recommend using
+        names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
+      example: SHA256-RSA
+      default_field: false
+    - name: x509.subject.common_name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of common names (CN) of subject.
+      example: shared.global.example.net
+      default_field: false
+    - name: x509.subject.country
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of country (C) code
+      example: US
+      default_field: false
+    - name: x509.subject.distinguished_name
+      level: extended
+      type: wildcard
+      description: Distinguished name (DN) of the certificate subject entity.
+      example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+      default_field: false
+    - name: x509.subject.locality
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of locality names (L)
+      example: San Francisco
+      default_field: false
+    - name: x509.subject.organization
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of organizations (O) of subject.
+      example: Example, Inc.
+      default_field: false
+    - name: x509.subject.organizational_unit
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of organizational units (OU) of subject.
+      default_field: false
+    - name: x509.subject.state_or_province
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of state or province names (ST, S, or P)
+      example: California
+      default_field: false
+    - name: x509.version_number
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Version of x509 format.
+      example: 3
+      default_field: false
+  - name: geo
+    title: Geo
+    group: 2
+    description: 'Geo fields can carry data about a specific location related to an
+      event.
+
+      This geolocation information can be derived from techniques such as Geo IP,
+      or be user-supplied.'
+    type: group
+    fields:
+    - name: city_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: City name.
+      example: Montreal
+    - name: continent_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Name of the continent.
+      example: North America
+    - name: country_iso_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Country ISO code.
+      example: CA
+    - name: country_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Country name.
+      example: Canada
+    - name: location
+      level: core
+      type: geo_point
+      description: Longitude and latitude.
+      example: '{ "lon": -73.614830, "lat": 45.505918 }'
+    - name: name
+      level: extended
+      type: wildcard
+      description: 'User-defined description of a location, at the level of granularity
+        they care about.
+
+        Could be the name of their data centers, the floor number, if this describes
+        a local physical entity, city names.
+
+        Not typically used in automated geolocation.'
+      example: boston-dc
+    - name: region_iso_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Region ISO code.
+      example: CA-QC
+    - name: region_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Region name.
+      example: Quebec
+  - name: group
+    title: Group
+    group: 2
+    description: The group fields are meant to represent groups that are relevant
+      to the event.
+    type: group
+    fields:
+    - name: domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+    - name: id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier for the group on the system/platform.
+    - name: name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the group.
+  - name: hash
+    title: Hash
+    group: 2
+    description: 'The hash fields represent different hash algorithms and their values.
+
+      Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for
+      other hashes by lowercasing the hash algorithm name and using underscore separators
+      as appropriate (snake case, e.g. sha3_512).'
+    type: group
+    fields:
+    - name: md5
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: MD5 hash.
+    - name: sha1
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SHA1 hash.
+    - name: sha256
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SHA256 hash.
+    - name: sha512
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SHA512 hash.
+  - name: host
+    title: Host
+    group: 2
+    description: 'A host is defined as a general computing instance.
+
+      ECS host.* fields should be populated with details about the host on which the
+      event happened, or from which the measurement was taken. Host types include
+      hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+    type: group
+    fields:
+    - name: architecture
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Operating system architecture.
+      example: x86_64
+    - name: domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the domain of which the host is a member.
+
+        For example, on Windows this could be the host''s Active Directory domain
+        or NetBIOS domain name. For Linux this could be the domain of the host''s
+        LDAP provider.'
+      example: CONTOSO
+      default_field: false
+    - name: geo.city_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: City name.
+      example: Montreal
+    - name: geo.continent_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Name of the continent.
+      example: North America
+    - name: geo.country_iso_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Country ISO code.
+      example: CA
+    - name: geo.country_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Country name.
+      example: Canada
+    - name: geo.location
+      level: core
+      type: geo_point
+      description: Longitude and latitude.
+      example: '{ "lon": -73.614830, "lat": 45.505918 }'
+    - name: geo.name
+      level: extended
+      type: wildcard
+      description: 'User-defined description of a location, at the level of granularity
+        they care about.
+
+        Could be the name of their data centers, the floor number, if this describes
+        a local physical entity, city names.
+
+        Not typically used in automated geolocation.'
+      example: boston-dc
+    - name: geo.region_iso_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Region ISO code.
+      example: CA-QC
+    - name: geo.region_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Region name.
+      example: Quebec
+    - name: hostname
+      level: core
+      type: wildcard
+      description: 'Hostname of the host.
+
+        It normally contains what the `hostname` command returns on the host machine.'
+    - name: id
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Unique host id.
+
+        As hostname is not always unique, use values that are meaningful in your environment.
+
+        Example: The current usage of `beat.name`.'
+    - name: ip
+      level: core
+      type: ip
+      description: Host ip addresses.
+    - name: mac
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Host mac addresses.
+    - name: name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the host.
+
+        It can contain what `hostname` returns on Unix systems, the fully qualified
+        domain name, or a name specified by the user. The sender decides which value
+        to use.'
+    - name: os.family
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: OS family (such as redhat, debian, freebsd, windows).
+      example: debian
+    - name: os.full
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: Operating system name, including the version or code name.
+      example: Mac OS Mojave
+    - name: os.kernel
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Operating system kernel version as a raw string.
+      example: 4.4.0-112-generic
+    - name: os.name
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: Operating system name, without the version.
+      example: Mac OS X
+    - name: os.platform
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Operating system platform (such centos, ubuntu, windows).
+      example: darwin
+    - name: os.version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Operating system version as a raw string.
+      example: 10.14.1
+    - name: type
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Type of host.
+
+        For Cloud providers this can be the machine type like `t2.medium`. If vm,
+        this could be the container, for example, or other information meaningful
+        in your environment.'
+    - name: uptime
+      level: extended
+      type: long
+      description: Seconds the host has been up.
+      example: 1325
+    - name: user.domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the user is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+    - name: user.email
+      level: extended
+      type: wildcard
+      description: User email address.
+    - name: user.full_name
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: User's full name, if available.
+      example: Albert Einstein
+    - name: user.group.domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+    - name: user.group.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier for the group on the system/platform.
+    - name: user.group.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the group.
+    - name: user.hash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Unique user hash to correlate information for a user in anonymized
+        form.
+
+        Useful if `user.id` or `user.name` contain confidential information and cannot
+        be used.'
+    - name: user.id
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier of the user.
+    - name: user.name
+      level: core
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: Short name or login of the user.
+      example: albert
+    - name: user.roles
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Array of user roles at the time of the event.
+      example: '["kibana_admin", "reporting_user"]'
+      default_field: false
+  - name: http
+    title: HTTP
+    group: 2
+    description: Fields related to HTTP activity. Use the `url` field set to store
+      the url of the request.
+    type: group
+    fields:
+    - name: request.body.bytes
+      level: extended
+      type: long
+      format: bytes
+      description: Size in bytes of the request body.
+      example: 887
+    - name: request.body.content
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: The full HTTP request body.
+      example: Hello world
+    - name: request.bytes
+      level: extended
+      type: long
+      format: bytes
+      description: Total size in bytes of the request (body and headers).
+      example: 1437
+    - name: request.method
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'HTTP request method.
+
+        Prior to ECS 1.6.0 the following guidance was provided:
+
+        "The field value must be normalized to lowercase for querying."
+
+        As of ECS 1.6.0, the guidance is deprecated because the original case of the
+        method may be useful in anomaly detection.  Original case will be mandated
+        in ECS 2.0.0'
+      example: GET, POST, PUT, PoST
+    - name: request.mime_type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Mime type of the body of the request.
+
+        This value must only be populated based on the content of the request body,
+        not on the `Content-Type` header. Comparing the mime type of a request with
+        the request''s Content-Type header can be helpful in detecting threats or
+        misconfigured clients.'
+      example: image/gif
+      default_field: false
+    - name: request.referrer
+      level: extended
+      type: wildcard
+      description: Referrer for this HTTP request.
+      example: https://blog.example.com/
+    - name: response.body.bytes
+      level: extended
+      type: long
+      format: bytes
+      description: Size in bytes of the response body.
+      example: 887
+    - name: response.body.content
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: The full HTTP response body.
+      example: Hello world
+    - name: response.bytes
+      level: extended
+      type: long
+      format: bytes
+      description: Total size in bytes of the response (body and headers).
+      example: 1437
+    - name: response.mime_type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Mime type of the body of the response.
+
+        This value must only be populated based on the content of the response body,
+        not on the `Content-Type` header. Comparing the mime type of a response with
+        the response''s Content-Type header can be helpful in detecting misconfigured
+        servers.'
+      example: image/gif
+      default_field: false
+    - name: response.status_code
+      level: extended
+      type: long
+      format: string
+      description: HTTP response status code.
+      example: 404
+    - name: version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: HTTP version.
+      example: 1.1
+  - name: interface
+    title: Interface
+    group: 2
+    description: The interface fields are used to record ingress and egress interface
+      information when reported by an observer (e.g. firewall, router, load balancer)
+      in the context of the observer handling a network connection.  In the case of
+      a single observer interface (e.g. network sensor on a span port) only the observer.ingress
+      information should be populated.
+    type: group
+    fields:
+    - name: alias
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Interface alias as reported by the system, typically used in firewall
+        implementations for e.g. inside, outside, or dmz logical interface naming.
+      example: outside
+      default_field: false
+    - name: id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Interface ID as reported by an observer (typically SNMP interface
+        ID).
+      example: 10
+      default_field: false
+    - name: name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Interface name as reported by the system.
+      example: eth0
+      default_field: false
+  - name: log
+    title: Log
+    group: 2
+    description: 'Details about the event''s logging mechanism or logging transport.
+
+      The log.* fields are typically populated with details about the logging mechanism
+      used to create and/or transport the event. For example, syslog details belong
+      under `log.syslog.*`.
+
+      The details specific to your event source are typically not logged under `log.*`,
+      but rather in `event.*` or in other ECS fields.'
+    type: group
+    fields:
+    - name: file.path
+      level: extended
+      type: wildcard
+      description: 'Full path to the log file this event came from, including the
+        file name. It should include the drive letter, when appropriate.
+
+        If the event wasn''t read from a log file, do not populate this field.'
+      example: /var/log/fun-times.log
+      default_field: false
+    - name: level
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Original log level of the log event.
+
+        If the source of the event provides a log level or textual severity, this
+        is the one that goes in `log.level`. If your source doesn''t specify one,
+        you may put your event transport''s severity here (e.g. Syslog severity).
+
+        Some examples are `warn`, `err`, `i`, `informational`.'
+      example: error
+    - name: logger
+      level: core
+      type: wildcard
+      description: The name of the logger inside an application. This is usually the
+        name of the class which initialized the logger, or can be a custom name.
+      example: org.elasticsearch.bootstrap.Bootstrap
+    - name: origin.file.line
+      level: extended
+      type: integer
+      description: The line number of the file containing the source code which originated
+        the log event.
+      example: 42
+    - name: origin.file.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The name of the file containing the source code which originated
+        the log event.
+
+        Note that this field is not meant to capture the log file. The correct field
+        to capture the log file is `log.file.path`.'
+      example: Bootstrap.java
+    - name: origin.function
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The name of the function or method which originated the log event.
+      example: init
+    - name: original
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'This is the original log message and contains the full log message
+        before splitting it up in multiple parts.
+
+        In contrast to the `message` field which can contain an extracted part of
+        the log message, this field contains the original, full log message. It can
+        have already some modifications applied like encoding or new lines removed
+        to clean up the log message.
+
+        This field is not indexed and doc_values are disabled so it can''t be queried
+        but the value can be retrieved from `_source`.'
+      example: Sep 19 08:26:10 localhost My log
+      index: false
+    - name: syslog
+      level: extended
+      type: object
+      description: The Syslog metadata of the event, if the event was transmitted
+        via Syslog. Please see RFCs 5424 or 3164.
+    - name: syslog.facility.code
+      level: extended
+      type: long
+      format: string
+      description: 'The Syslog numeric facility of the log event, if available.
+
+        According to RFCs 5424 and 3164, this value should be an integer between 0
+        and 23.'
+      example: 23
+    - name: syslog.facility.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The Syslog text-based facility of the log event, if available.
+      example: local7
+    - name: syslog.priority
+      level: extended
+      type: long
+      format: string
+      description: 'Syslog numeric priority of the event, if available.
+
+        According to RFCs 5424 and 3164, the priority is 8 * facility + severity.
+        This number is therefore expected to contain a value between 0 and 191.'
+      example: 135
+    - name: syslog.severity.code
+      level: extended
+      type: long
+      description: 'The Syslog numeric severity of the log event, if available.
+
+        If the event source publishing via Syslog provides a different numeric severity
+        value (e.g. firewall, IDS), your source''s numeric severity should go to `event.severity`.
+        If the event source does not specify a distinct severity, you can optionally
+        copy the Syslog severity to `event.severity`.'
+      example: 3
+    - name: syslog.severity.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The Syslog numeric severity of the log event, if available.
+
+        If the event source publishing via Syslog provides a different severity value
+        (e.g. firewall, IDS), your source''s text severity should go to `log.level`.
+        If the event source does not specify a distinct severity, you can optionally
+        copy the Syslog severity to `log.level`.'
+      example: Error
+  - name: network
+    title: Network
+    group: 2
+    description: 'The network is defined as the communication path over which a host
+      or network event happens.
+
+      The network.* fields should be populated with details about the network activity
+      associated with an event.'
+    type: group
+    fields:
+    - name: application
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'A name given to an application level protocol. This can be arbitrarily
+        assigned for things like microservices, but also apply to things like skype,
+        icq, facebook, twitter. This would be used in situations where the vendor
+        or service can be decoded such as from the source/dest IP owners, ports, or
+        wire format.
+
+        The field value must be normalized to lowercase for querying. See the documentation
+        section "Implementing ECS".'
+      example: aim
+    - name: bytes
+      level: core
+      type: long
+      format: bytes
+      description: 'Total bytes transferred in both directions.
+
+        If `source.bytes` and `destination.bytes` are known, `network.bytes` is their
+        sum.'
+      example: 368
+    - name: community_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'A hash of source and destination IPs and ports, as well as the
+        protocol used in a communication. This is a tool-agnostic standard to identify
+        flows.
+
+        Learn more at https://github.com/corelight/community-id-spec.'
+      example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=
+    - name: direction
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: "Direction of the network traffic.\nRecommended values are:\n \
+        \ * ingress\n  * egress\n  * inbound\n  * outbound\n  * internal\n  * external\n\
+        \  * unknown\n\nWhen mapping events from a host-based monitoring context,\
+        \ populate this field from the host's point of view, using the values \"ingress\"\
+        \ or \"egress\".\nWhen mapping events from a network or perimeter-based monitoring\
+        \ context, populate this field from the point of view of the network perimeter,\
+        \ using the values \"inbound\", \"outbound\", \"internal\" or \"external\"\
+        .\nNote that \"internal\" is not crossing perimeter boundaries, and is meant\
+        \ to describe communication between two hosts within the perimeter. Note also\
+        \ that \"external\" is meant to describe traffic between two hosts that are\
+        \ external to the perimeter. This could for example be useful for ISPs or\
+        \ VPN service providers."
+      example: inbound
+    - name: forwarded_ip
+      level: core
+      type: ip
+      description: Host IP address when the source IP address is the proxy.
+      example: 192.1.1.2
+    - name: iana_number
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml).
+        Standardized list of protocols. This aligns well with NetFlow and sFlow related
+        logs which use the IANA Protocol Number.
+      example: 6
+    - name: inner
+      level: extended
+      type: object
+      description: Network.inner fields are added in addition to network.vlan fields
+        to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed
+        fields include vlan.id and vlan.name. Inner vlan fields are typically used
+        when sending traffic with multiple 802.1q encapsulations to a network sensor
+        (e.g. Zeek, Wireshark.)
+      default_field: false
+    - name: inner.vlan.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: VLAN ID as reported by the observer.
+      example: 10
+      default_field: false
+    - name: inner.vlan.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Optional VLAN name as reported by the observer.
+      example: outside
+      default_field: false
+    - name: name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name given by operators to sections of their network.
+      example: Guest Wifi
+    - name: packets
+      level: core
+      type: long
+      description: 'Total packets transferred in both directions.
+
+        If `source.packets` and `destination.packets` are known, `network.packets`
+        is their sum.'
+      example: 24
+    - name: protocol
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol.
+
+        The field value must be normalized to lowercase for querying. See the documentation
+        section "Implementing ECS".'
+      example: http
+    - name: transport
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Same as network.iana_number, but instead using the Keyword name
+        of the transport layer (udp, tcp, ipv6-icmp, etc.)
+
+        The field value must be normalized to lowercase for querying. See the documentation
+        section "Implementing ECS".'
+      example: tcp
+    - name: type
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'In the OSI Model this would be the Network Layer. ipv4, ipv6,
+        ipsec, pim, etc
+
+        The field value must be normalized to lowercase for querying. See the documentation
+        section "Implementing ECS".'
+      example: ipv4
+    - name: vlan.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: VLAN ID as reported by the observer.
+      example: 10
+      default_field: false
+    - name: vlan.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Optional VLAN name as reported by the observer.
+      example: outside
+      default_field: false
+  - name: observer
+    title: Observer
+    group: 2
+    description: 'An observer is defined as a special network, security, or application
+      device used to detect, observe, or create network, security, or application-related
+      events and metrics.
+
+      This could be a custom hardware appliance or a server that has been configured
+      to run special network, security, or application software. Examples include
+      firewalls, web proxies, intrusion detection/prevention systems, network monitoring
+      sensors, web application firewalls, data loss prevention systems, and APM servers.
+      The observer.* fields shall be populated with details of the system, if any,
+      that detects, observes and/or creates a network, security, or application event
+      or metric. Message queues and ETL components used in processing events or metrics
+      are not considered observers in ECS.'
+    type: group
+    fields:
+    - name: egress
+      level: extended
+      type: object
+      description: Observer.egress holds information like interface number and name,
+        vlan, and zone information to  classify egress traffic.  Single armed monitoring
+        such as a network sensor on a span port should  only use observer.ingress
+        to categorize traffic.
+      default_field: false
+    - name: egress.interface.alias
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Interface alias as reported by the system, typically used in firewall
+        implementations for e.g. inside, outside, or dmz logical interface naming.
+      example: outside
+      default_field: false
+    - name: egress.interface.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Interface ID as reported by an observer (typically SNMP interface
+        ID).
+      example: 10
+      default_field: false
+    - name: egress.interface.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Interface name as reported by the system.
+      example: eth0
+      default_field: false
+    - name: egress.vlan.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: VLAN ID as reported by the observer.
+      example: 10
+      default_field: false
+    - name: egress.vlan.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Optional VLAN name as reported by the observer.
+      example: outside
+      default_field: false
+    - name: egress.zone
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Network zone of outbound traffic as reported by the observer to
+        categorize the destination area of egress  traffic, e.g. Internal, External,
+        DMZ, HR, Legal, etc.
+      example: Public_Internet
+      default_field: false
+    - name: geo.city_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: City name.
+      example: Montreal
+    - name: geo.continent_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Name of the continent.
+      example: North America
+    - name: geo.country_iso_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Country ISO code.
+      example: CA
+    - name: geo.country_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Country name.
+      example: Canada
+    - name: geo.location
+      level: core
+      type: geo_point
+      description: Longitude and latitude.
+      example: '{ "lon": -73.614830, "lat": 45.505918 }'
+    - name: geo.name
+      level: extended
+      type: wildcard
+      description: 'User-defined description of a location, at the level of granularity
+        they care about.
+
+        Could be the name of their data centers, the floor number, if this describes
+        a local physical entity, city names.
+
+        Not typically used in automated geolocation.'
+      example: boston-dc
+    - name: geo.region_iso_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Region ISO code.
+      example: CA-QC
+    - name: geo.region_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Region name.
+      example: Quebec
+    - name: hostname
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Hostname of the observer.
+    - name: ingress
+      level: extended
+      type: object
+      description: Observer.ingress holds information like interface number and name,
+        vlan, and zone information to  classify ingress traffic.  Single armed monitoring
+        such as a network sensor on a span port should  only use observer.ingress
+        to categorize traffic.
+      default_field: false
+    - name: ingress.interface.alias
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Interface alias as reported by the system, typically used in firewall
+        implementations for e.g. inside, outside, or dmz logical interface naming.
+      example: outside
+      default_field: false
+    - name: ingress.interface.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Interface ID as reported by an observer (typically SNMP interface
+        ID).
+      example: 10
+      default_field: false
+    - name: ingress.interface.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Interface name as reported by the system.
+      example: eth0
+      default_field: false
+    - name: ingress.vlan.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: VLAN ID as reported by the observer.
+      example: 10
+      default_field: false
+    - name: ingress.vlan.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Optional VLAN name as reported by the observer.
+      example: outside
+      default_field: false
+    - name: ingress.zone
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Network zone of incoming traffic as reported by the observer to
+        categorize the source area of ingress  traffic. e.g. internal, External, DMZ,
+        HR, Legal, etc.
+      example: DMZ
+      default_field: false
+    - name: ip
+      level: core
+      type: ip
+      description: IP addresses of the observer.
+    - name: mac
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: MAC addresses of the observer
+    - name: name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Custom name of the observer.
+
+        This is a name that can be given to an observer. This can be helpful for example
+        if multiple firewalls of the same model are used in an organization.
+
+        If no custom name is needed, the field can be left empty.'
+      example: 1_proxySG
+    - name: os.family
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: OS family (such as redhat, debian, freebsd, windows).
+      example: debian
+    - name: os.full
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: Operating system name, including the version or code name.
+      example: Mac OS Mojave
+    - name: os.kernel
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Operating system kernel version as a raw string.
+      example: 4.4.0-112-generic
+    - name: os.name
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: Operating system name, without the version.
+      example: Mac OS X
+    - name: os.platform
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Operating system platform (such centos, ubuntu, windows).
+      example: darwin
+    - name: os.version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Operating system version as a raw string.
+      example: 10.14.1
+    - name: product
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The product name of the observer.
+      example: s200
+    - name: serial_number
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Observer serial number.
+    - name: type
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'The type of the observer the data is coming from.
+
+        There is no predefined list of observer types. Some examples are `forwarder`,
+        `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.'
+      example: firewall
+    - name: vendor
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Vendor name of the observer.
+      example: Symantec
+    - name: version
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Observer version.
+  - name: organization
+    title: Organization
+    group: 2
+    description: 'The organization fields enrich data with information about the company
+      or entity the data is associated with.
+
+      These fields help you arrange or filter data stored in an index by one or multiple
+      organizations.'
+    type: group
+    fields:
+    - name: id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier for the organization.
+    - name: name
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: Organization name.
+  - name: os
+    title: Operating System
+    group: 2
+    description: The OS fields contain information about the operating system.
+    type: group
+    fields:
+    - name: family
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: OS family (such as redhat, debian, freebsd, windows).
+      example: debian
+    - name: full
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: Operating system name, including the version or code name.
+      example: Mac OS Mojave
+    - name: kernel
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Operating system kernel version as a raw string.
+      example: 4.4.0-112-generic
+    - name: name
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: Operating system name, without the version.
+      example: Mac OS X
+    - name: platform
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Operating system platform (such centos, ubuntu, windows).
+      example: darwin
+    - name: version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Operating system version as a raw string.
+      example: 10.14.1
+  - name: package
+    title: Package
+    group: 2
+    description: These fields contain information about an installed software package.
+      It contains general information about a package, such as name, version or size.
+      It also contains installation details, such as time or location.
+    type: group
+    fields:
+    - name: architecture
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Package architecture.
+      example: x86_64
+    - name: build_version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Additional information about the build version of the installed
+        package.
+
+        For example use the commit SHA of a non-released package.'
+      example: 36f4f7e89dd61b0988b12ee000b98966867710cd
+      default_field: false
+    - name: checksum
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Checksum of the installed package for verification.
+      example: 68b329da9893e34099c7d8ad5cb9c940
+    - name: description
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Description of the package.
+      example: Open source programming language to build simple/reliable/efficient
+        software.
+    - name: install_scope
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Indicating how the package was installed, e.g. user-local, global.
+      example: global
+    - name: installed
+      level: extended
+      type: date
+      description: Time when package was installed.
+    - name: license
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'License under which the package was released.
+
+        Use a short name, e.g. the license identifier from SPDX License List where
+        possible (https://spdx.org/licenses/).'
+      example: Apache License 2.0
+    - name: name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Package name
+      example: go
+    - name: path
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Path where the package is installed.
+      example: /usr/local/Cellar/go/1.12.9/
+    - name: reference
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Home page or reference URL of the software in this package, if
+        available.
+      example: https://golang.org
+      default_field: false
+    - name: size
+      level: extended
+      type: long
+      format: string
+      description: Package size in bytes.
+      example: 62231
+    - name: type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Type of package.
+
+        This should contain the package file type, rather than the package manager
+        name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar.'
+      example: rpm
+      default_field: false
+    - name: version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Package version
+      example: 1.12.9
+  - name: pe
+    title: PE Header
+    group: 2
+    description: These fields contain Windows Portable Executable (PE) metadata.
+    type: group
+    fields:
+    - name: architecture
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: CPU architecture target for the file.
+      example: x64
+      default_field: false
+    - name: company
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal company name of the file, provided at compile-time.
+      example: Microsoft Corporation
+      default_field: false
+    - name: description
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal description of the file, provided at compile-time.
+      example: Paint
+      default_field: false
+    - name: file_version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal version of the file, provided at compile-time.
+      example: 6.3.9600.17415
+      default_field: false
+    - name: imphash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'A hash of the imports in a PE file. An imphash -- or import hash
+        -- can be used to fingerprint binaries even after recompilation or other code-level
+        transformations have occurred, which would change more traditional hash values.
+
+        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+      example: 0c6803c4e922103c4dca5963aad36ddf
+      default_field: false
+    - name: original_file_name
+      level: extended
+      type: wildcard
+      description: Internal name of the file, provided at compile-time.
+      example: MSPAINT.EXE
+      default_field: false
+    - name: product
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal product name of the file, provided at compile-time.
+      example: "Microsoft\xAE Windows\xAE Operating System"
+      default_field: false
+  - name: process
+    title: Process
+    group: 2
+    description: 'These fields contain information about a process.
+
+      These fields can help you correlate metrics information with a process id/name
+      from a log message.  The `process.pid` often stays in the metric itself and
+      is copied to the global field for correlation.'
+    type: group
+    fields:
+    - name: args
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Array of process arguments, starting with the absolute path to
+        the executable.
+
+        May be filtered to protect sensitive information.'
+      example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
+    - name: args_count
+      level: extended
+      type: long
+      description: 'Length of the process.args array.
+
+        This field can be useful for querying or performing bucket analysis on how
+        many arguments were provided to start a process. More arguments may be an
+        indication of suspicious activity.'
+      example: 4
+      default_field: false
+    - name: code_signature.exists
+      level: core
+      type: boolean
+      description: Boolean to capture if a signature is present.
+      example: 'true'
+      default_field: false
+    - name: code_signature.status
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Additional information about the certificate status.
+
+        This is useful for logging cryptographic errors with the certificate validity
+        or trust status. Leave unpopulated if the validity or trust of the certificate
+        was unchecked.'
+      example: ERROR_UNTRUSTED_ROOT
+      default_field: false
+    - name: code_signature.subject_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Subject name of the code signer
+      example: Microsoft Corporation
+      default_field: false
+    - name: code_signature.trusted
+      level: extended
+      type: boolean
+      description: 'Stores the trust status of the certificate chain.
+
+        Validating the trust of the certificate chain may be complicated, and this
+        field should only be populated by tools that actively check the status.'
+      example: 'true'
+      default_field: false
+    - name: code_signature.valid
+      level: extended
+      type: boolean
+      description: 'Boolean to capture if the digital signature is verified against
+        the binary content.
+
+        Leave unpopulated if a certificate was unchecked.'
+      example: 'true'
+      default_field: false
+    - name: command_line
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: 'Full command line that started the process, including the absolute
+        path to the executable, and all arguments.
+
+        Some arguments may be filtered to protect sensitive information.'
+      example: /usr/bin/ssh -l user 10.0.0.16
+      default_field: false
+    - name: entity_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Unique identifier for the process.
+
+        The implementation of this is specified by the data source, but some examples
+        of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
+        or a hash of some uniquely identifying components of a process.
+
+        Constructing a globally unique identifier is a common practice to mitigate
+        PID reuse as well as to identify a specific process over time, across multiple
+        monitored hosts.'
+      example: c2c455d9f99375d
+      default_field: false
+    - name: executable
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: Absolute path to the process executable.
+      example: /usr/bin/ssh
+    - name: exit_code
+      level: extended
+      type: long
+      description: 'The exit code of the process, if this is a termination event.
+
+        The field should be absent if there is no exit code for the event (e.g. process
+        start).'
+      example: 137
+      default_field: false
+    - name: hash.md5
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: MD5 hash.
+    - name: hash.sha1
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SHA1 hash.
+    - name: hash.sha256
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SHA256 hash.
+    - name: hash.sha512
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SHA512 hash.
+    - name: name
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: 'Process name.
+
+        Sometimes called program name or similar.'
+      example: ssh
+    - name: parent.args
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Array of process arguments, starting with the absolute path to
+        the executable.
+
+        May be filtered to protect sensitive information.'
+      example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
+      default_field: false
+    - name: parent.args_count
+      level: extended
+      type: long
+      description: 'Length of the process.args array.
+
+        This field can be useful for querying or performing bucket analysis on how
+        many arguments were provided to start a process. More arguments may be an
+        indication of suspicious activity.'
+      example: 4
+      default_field: false
+    - name: parent.code_signature.exists
+      level: core
+      type: boolean
+      description: Boolean to capture if a signature is present.
+      example: 'true'
+      default_field: false
+    - name: parent.code_signature.status
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Additional information about the certificate status.
+
+        This is useful for logging cryptographic errors with the certificate validity
+        or trust status. Leave unpopulated if the validity or trust of the certificate
+        was unchecked.'
+      example: ERROR_UNTRUSTED_ROOT
+      default_field: false
+    - name: parent.code_signature.subject_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Subject name of the code signer
+      example: Microsoft Corporation
+      default_field: false
+    - name: parent.code_signature.trusted
+      level: extended
+      type: boolean
+      description: 'Stores the trust status of the certificate chain.
+
+        Validating the trust of the certificate chain may be complicated, and this
+        field should only be populated by tools that actively check the status.'
+      example: 'true'
+      default_field: false
+    - name: parent.code_signature.valid
+      level: extended
+      type: boolean
+      description: 'Boolean to capture if the digital signature is verified against
+        the binary content.
+
+        Leave unpopulated if a certificate was unchecked.'
+      example: 'true'
+      default_field: false
+    - name: parent.command_line
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: 'Full command line that started the process, including the absolute
+        path to the executable, and all arguments.
+
+        Some arguments may be filtered to protect sensitive information.'
+      example: /usr/bin/ssh -l user 10.0.0.16
+      default_field: false
+    - name: parent.entity_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Unique identifier for the process.
+
+        The implementation of this is specified by the data source, but some examples
+        of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
+        or a hash of some uniquely identifying components of a process.
+
+        Constructing a globally unique identifier is a common practice to mitigate
+        PID reuse as well as to identify a specific process over time, across multiple
+        monitored hosts.'
+      example: c2c455d9f99375d
+      default_field: false
+    - name: parent.executable
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: Absolute path to the process executable.
+      example: /usr/bin/ssh
+      default_field: false
+    - name: parent.exit_code
+      level: extended
+      type: long
+      description: 'The exit code of the process, if this is a termination event.
+
+        The field should be absent if there is no exit code for the event (e.g. process
+        start).'
+      example: 137
+      default_field: false
+    - name: parent.hash.md5
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: MD5 hash.
+      default_field: false
+    - name: parent.hash.sha1
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SHA1 hash.
+      default_field: false
+    - name: parent.hash.sha256
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SHA256 hash.
+      default_field: false
+    - name: parent.hash.sha512
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SHA512 hash.
+      default_field: false
+    - name: parent.name
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: 'Process name.
+
+        Sometimes called program name or similar.'
+      example: ssh
+      default_field: false
+    - name: parent.pe.architecture
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: CPU architecture target for the file.
+      example: x64
+      default_field: false
+    - name: parent.pe.company
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal company name of the file, provided at compile-time.
+      example: Microsoft Corporation
+      default_field: false
+    - name: parent.pe.description
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal description of the file, provided at compile-time.
+      example: Paint
+      default_field: false
+    - name: parent.pe.file_version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal version of the file, provided at compile-time.
+      example: 6.3.9600.17415
+      default_field: false
+    - name: parent.pe.imphash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'A hash of the imports in a PE file. An imphash -- or import hash
+        -- can be used to fingerprint binaries even after recompilation or other code-level
+        transformations have occurred, which would change more traditional hash values.
+
+        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+      example: 0c6803c4e922103c4dca5963aad36ddf
+      default_field: false
+    - name: parent.pe.original_file_name
+      level: extended
+      type: wildcard
+      description: Internal name of the file, provided at compile-time.
+      example: MSPAINT.EXE
+      default_field: false
+    - name: parent.pe.product
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal product name of the file, provided at compile-time.
+      example: "Microsoft\xAE Windows\xAE Operating System"
+      default_field: false
+    - name: parent.pgid
+      level: extended
+      type: long
+      format: string
+      description: Identifier of the group of processes the process belongs to.
+      default_field: false
+    - name: parent.pid
+      level: core
+      type: long
+      format: string
+      description: Process id.
+      example: 4242
+      default_field: false
+    - name: parent.ppid
+      level: extended
+      type: long
+      format: string
+      description: Parent process' pid.
+      example: 4241
+      default_field: false
+    - name: parent.start
+      level: extended
+      type: date
+      description: The time the process started.
+      example: '2016-05-23T08:05:34.853Z'
+      default_field: false
+    - name: parent.thread.id
+      level: extended
+      type: long
+      format: string
+      description: Thread ID.
+      example: 4242
+      default_field: false
+    - name: parent.thread.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Thread name.
+      example: thread-0
+      default_field: false
+    - name: parent.title
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: 'Process title.
+
+        The proctitle, some times the same as process name. Can also be different:
+        for example a browser setting its title to the web page currently opened.'
+      default_field: false
+    - name: parent.uptime
+      level: extended
+      type: long
+      description: Seconds the process has been up.
+      example: 1325
+      default_field: false
+    - name: parent.working_directory
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: The working directory of the process.
+      example: /home/alice
+      default_field: false
+    - name: pe.architecture
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: CPU architecture target for the file.
+      example: x64
+      default_field: false
+    - name: pe.company
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal company name of the file, provided at compile-time.
+      example: Microsoft Corporation
+      default_field: false
+    - name: pe.description
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal description of the file, provided at compile-time.
+      example: Paint
+      default_field: false
+    - name: pe.file_version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal version of the file, provided at compile-time.
+      example: 6.3.9600.17415
+      default_field: false
+    - name: pe.imphash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'A hash of the imports in a PE file. An imphash -- or import hash
+        -- can be used to fingerprint binaries even after recompilation or other code-level
+        transformations have occurred, which would change more traditional hash values.
+
+        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+      example: 0c6803c4e922103c4dca5963aad36ddf
+      default_field: false
+    - name: pe.original_file_name
+      level: extended
+      type: wildcard
+      description: Internal name of the file, provided at compile-time.
+      example: MSPAINT.EXE
+      default_field: false
+    - name: pe.product
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal product name of the file, provided at compile-time.
+      example: "Microsoft\xAE Windows\xAE Operating System"
+      default_field: false
+    - name: pgid
+      level: extended
+      type: long
+      format: string
+      description: Identifier of the group of processes the process belongs to.
+    - name: pid
+      level: core
+      type: long
+      format: string
+      description: Process id.
+      example: 4242
+    - name: ppid
+      level: extended
+      type: long
+      format: string
+      description: Parent process' pid.
+      example: 4241
+    - name: start
+      level: extended
+      type: date
+      description: The time the process started.
+      example: '2016-05-23T08:05:34.853Z'
+    - name: thread.id
+      level: extended
+      type: long
+      format: string
+      description: Thread ID.
+      example: 4242
+    - name: thread.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Thread name.
+      example: thread-0
+    - name: title
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: 'Process title.
+
+        The proctitle, some times the same as process name. Can also be different:
+        for example a browser setting its title to the web page currently opened.'
+    - name: uptime
+      level: extended
+      type: long
+      description: Seconds the process has been up.
+      example: 1325
+    - name: working_directory
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: The working directory of the process.
+      example: /home/alice
+  - name: registry
+    title: Registry
+    group: 2
+    description: Fields related to Windows Registry operations.
+    type: group
+    fields:
+    - name: data.bytes
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Original bytes written with base64 encoding.
+
+        For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
+        corresponds to the data pointed by `lp_data`. This is optional but provides
+        better recoverability and should be populated for REG_BINARY encoded values.'
+      example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
+      default_field: false
+    - name: data.strings
+      level: core
+      type: wildcard
+      description: 'Content when writing string types.
+
+        Populated as an array when writing string data to the registry. For single
+        string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with
+        one string. For sequences of string with REG_MULTI_SZ, this array will be
+        variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should
+        be populated with the decimal representation (e.g `"1"`).'
+      example: '["C:\rta\red_ttp\bin\myapp.exe"]'
+      default_field: false
+    - name: data.type
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Standard registry type for encoding contents
+      example: REG_SZ
+      default_field: false
+    - name: hive
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Abbreviated name for the hive.
+      example: HKLM
+      default_field: false
+    - name: key
+      level: core
+      type: wildcard
+      description: Hive-relative path of keys.
+      example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
+      default_field: false
+    - name: path
+      level: core
+      type: wildcard
+      description: Full path, including hive, key and value
+      example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
+        Options\winword.exe\Debugger
+      default_field: false
+    - name: value
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Name of the value written.
+      example: Debugger
+      default_field: false
+  - name: related
+    title: Related
+    group: 2
+    description: 'This field set is meant to facilitate pivoting around a piece of
+      data.
+
+      Some pieces of information can be seen in many places in an ECS event. To facilitate
+      searching for them, store an array of all seen values to their corresponding
+      field in `related.`.
+
+      A concrete example is IP addresses, which can be under host, observer, source,
+      destination, client, server, and network.forwarded_ip. If you append all IPs
+      to `related.ip`, you can then search for a given IP trivially, no matter where
+      it appeared, by querying `related.ip:192.0.2.15`.'
+    type: group
+    fields:
+    - name: hash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: All the hashes seen on your event. Populating this field, then
+        using it to search for hashes can help in situations where you're unsure what
+        the hash algorithm is (and therefore which key name to search).
+      default_field: false
+    - name: hosts
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: All hostnames or other host identifiers seen on your event. Example
+        identifiers include FQDNs, domain names, workstation names, or aliases.
+      default_field: false
+    - name: ip
+      level: extended
+      type: ip
+      description: All of the IPs seen on your event.
+    - name: user
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: All the user names seen on your event.
+      default_field: false
+  - name: rule
+    title: Rule
+    group: 2
+    description: 'Rule fields are used to capture the specifics of any observer or
+      agent rules that generate alerts or other notable events.
+
+      Examples of data sources that would populate the rule fields include: network
+      admission control platforms, network or host IDS/IPS, network firewalls, web
+      application firewalls, url filters, endpoint detection and response (EDR) systems,
+      etc.'
+    type: group
+    fields:
+    - name: author
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name, organization, or pseudonym of the author or authors who created
+        the rule used to generate this event.
+      example: '["Star-Lord"]'
+      default_field: false
+    - name: category
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: A categorization value keyword used by the entity using the rule
+        for detection of this event.
+      example: Attempted Information Leak
+      default_field: false
+    - name: description
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The description of the rule generating the event.
+      example: Block requests to public DNS over HTTPS / TLS protocols
+      default_field: false
+    - name: id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: A rule ID that is unique within the scope of an agent, observer,
+        or other entity using the rule for detection of this event.
+      example: 101
+      default_field: false
+    - name: license
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the license under which the rule used to generate this
+        event is made available.
+      example: Apache 2.0
+      default_field: false
+    - name: name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The name of the rule or signature generating the event.
+      example: BLOCK_DNS_over_TLS
+      default_field: false
+    - name: reference
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Reference URL to additional information about the rule used to
+        generate this event.
+
+        The URL can point to the vendor''s documentation about the rule. If that''s
+        not available, it can also be a link to a more general page describing this
+        type of alert.'
+      example: https://en.wikipedia.org/wiki/DNS_over_TLS
+      default_field: false
+    - name: ruleset
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the ruleset, policy, group, or parent category in which
+        the rule used to generate this event is a member.
+      example: Standard_Protocol_Filters
+      default_field: false
+    - name: uuid
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: A rule ID that is unique within the scope of a set or group of
+        agents, observers, or other entities using the rule for detection of this
+        event.
+      example: 1100110011
+      default_field: false
+    - name: version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The version / revision of the rule being used for analysis.
+      example: 1.1
+      default_field: false
+  - name: server
+    title: Server
+    group: 2
+    description: 'A Server is defined as the responder in a network connection for
+      events regarding sessions, connections, or bidirectional flow records.
+
+      For TCP events, the server is the receiver of the initial SYN packet(s) of the
+      TCP connection. For other protocols, the server is generally the responder in
+      the network transaction. Some systems actually use the term "responder" to refer
+      the server in TCP connections. The server fields describe details about the
+      system acting as the server in the network event. Server fields are usually
+      populated in conjunction with client fields. Server fields are generally not
+      populated for packet-level events.
+
+      Client / server representations can add semantic context to an exchange, which
+      is helpful to visualize the data in certain situations. If your context falls
+      in that category, you should still ensure that source and destination are filled
+      appropriately.'
+    type: group
+    fields:
+    - name: address
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Some event server addresses are defined ambiguously. The event
+        will sometimes list an IP, a domain or a unix socket.  You should always store
+        the raw address in the `.address` field.
+
+        Then it should be duplicated to `.ip` or `.domain`, depending on which one
+        it is.'
+    - name: as.number
+      level: extended
+      type: long
+      description: Unique number allocated to the autonomous system. The autonomous
+        system number (ASN) uniquely identifies each network on the Internet.
+      example: 15169
+    - name: as.organization.name
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: Organization name.
+      example: Google LLC
+    - name: bytes
+      level: core
+      type: long
+      format: bytes
+      description: Bytes sent from the server to the client.
+      example: 184
+    - name: domain
+      level: core
+      type: wildcard
+      description: Server domain.
+    - name: geo.city_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: City name.
+      example: Montreal
+    - name: geo.continent_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Name of the continent.
+      example: North America
+    - name: geo.country_iso_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Country ISO code.
+      example: CA
+    - name: geo.country_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Country name.
+      example: Canada
+    - name: geo.location
+      level: core
+      type: geo_point
+      description: Longitude and latitude.
+      example: '{ "lon": -73.614830, "lat": 45.505918 }'
+    - name: geo.name
+      level: extended
+      type: wildcard
+      description: 'User-defined description of a location, at the level of granularity
+        they care about.
+
+        Could be the name of their data centers, the floor number, if this describes
+        a local physical entity, city names.
+
+        Not typically used in automated geolocation.'
+      example: boston-dc
+    - name: geo.region_iso_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Region ISO code.
+      example: CA-QC
+    - name: geo.region_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Region name.
+      example: Quebec
+    - name: ip
+      level: core
+      type: ip
+      description: IP address of the server (IPv4 or IPv6).
+    - name: mac
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: MAC address of the server.
+    - name: nat.ip
+      level: extended
+      type: ip
+      description: 'Translated ip of destination based NAT sessions (e.g. internet
+        to private DMZ)
+
+        Typically used with load balancers, firewalls, or routers.'
+    - name: nat.port
+      level: extended
+      type: long
+      format: string
+      description: 'Translated port of destination based NAT sessions (e.g. internet
+        to private DMZ)
+
+        Typically used with load balancers, firewalls, or routers.'
+    - name: packets
+      level: core
+      type: long
+      description: Packets sent from the server to the client.
+      example: 12
+    - name: port
+      level: core
+      type: long
+      format: string
+      description: Port of the server.
+    - name: registered_domain
+      level: extended
+      type: wildcard
+      description: 'The highest registered server domain, stripped of the subdomain.
+
+        For example, the registered domain for "foo.example.com" is "example.com".
+
+        This value can be determined precisely with a list like the public suffix
+        list (http://publicsuffix.org). Trying to approximate this by simply taking
+        the last two labels will not work well for TLDs such as "co.uk".'
+      example: example.com
+    - name: subdomain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The subdomain portion of a fully qualified domain name includes
+        all of the names except the host name under the registered_domain.  In a partially
+        qualified domain, or if the the qualification level of the full name cannot
+        be determined, subdomain contains all of the names below the registered domain.
+
+        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.'
+      example: east
+      default_field: false
+    - name: top_level_domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The effective top level domain (eTLD), also known as the domain
+        suffix, is the last part of the domain name. For example, the top level domain
+        for example.com is "com".
+
+        This value can be determined precisely with a list like the public suffix
+        list (http://publicsuffix.org). Trying to approximate this by simply taking
+        the last label will not work well for effective TLDs such as "co.uk".'
+      example: co.uk
+    - name: user.domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the user is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+    - name: user.email
+      level: extended
+      type: wildcard
+      description: User email address.
+    - name: user.full_name
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: User's full name, if available.
+      example: Albert Einstein
+    - name: user.group.domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+    - name: user.group.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier for the group on the system/platform.
+    - name: user.group.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the group.
+    - name: user.hash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Unique user hash to correlate information for a user in anonymized
+        form.
+
+        Useful if `user.id` or `user.name` contain confidential information and cannot
+        be used.'
+    - name: user.id
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier of the user.
+    - name: user.name
+      level: core
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: Short name or login of the user.
+      example: albert
+    - name: user.roles
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Array of user roles at the time of the event.
+      example: '["kibana_admin", "reporting_user"]'
+      default_field: false
+  - name: service
+    title: Service
+    group: 2
+    description: 'The service fields describe the service for or from which the data
+      was collected.
+
+      These fields help you find and correlate logs for a specific service and version.'
+    type: group
+    fields:
+    - name: ephemeral_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Ephemeral identifier of this service (if one exists).
+
+        This id normally changes across restarts, but `service.id` does not.'
+      example: 8a4f500f
+    - name: id
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Unique identifier of the running service. If the service is comprised
+        of many nodes, the `service.id` should be the same for all nodes.
+
+        This id should uniquely identify the service. This makes it possible to correlate
+        logs and metrics for one specific service, no matter which particular node
+        emitted the event.
+
+        Note that if you need to see the events from one specific host of the service,
+        you should filter on that `host.name` or `host.id` instead.'
+      example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
+    - name: name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the service data is collected from.
+
+        The name of the service is normally user given. This allows for distributed
+        services that run on multiple hosts to correlate the related instances based
+        on the name.
+
+        In the case of Elasticsearch the `service.name` could contain the cluster
+        name. For Beats the `service.name` is by default a copy of the `service.type`
+        field if no name is specified.'
+      example: elasticsearch-metrics
+    - name: node.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of a service node.
+
+        This allows for two nodes of the same service running on the same host to
+        be differentiated. Therefore, `service.node.name` should typically be unique
+        across nodes of a given service.
+
+        In the case of Elasticsearch, the `service.node.name` could contain the unique
+        node name within the Elasticsearch cluster. In cases where the service doesn''t
+        have the concept of a node name, the host name or container name can be used
+        to distinguish running instances that make up this service. If those do not
+        provide uniqueness (e.g. multiple instances of the service running on the
+        same host) - the node name can be manually set.'
+      example: instance-0000000016
+    - name: state
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Current state of the service.
+    - name: type
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'The type of the service data is collected from.
+
+        The type can be used to group and correlate logs and metrics from one service
+        type.
+
+        Example: If logs or metrics are collected from Elasticsearch, `service.type`
+        would be `elasticsearch`.'
+      example: elasticsearch
+    - name: version
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Version of the service the data was collected from.
+
+        This allows to look at a data set only for a specific version of a service.'
+      example: 3.2.4
+  - name: source
+    title: Source
+    group: 2
+    description: 'Source fields capture details about the sender of a network exchange/packet.
+      These fields are populated from a network event, packet, or other event containing
+      details of a network transaction.
+
+      Source fields are usually populated in conjunction with destination fields.
+      The source and destination fields are considered the baseline and should always
+      be filled if an event contains source and destination details from a network
+      transaction. If the event also contains identification of the client and server
+      roles, then the client and server fields should also be populated.'
+    type: group
+    fields:
+    - name: address
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Some event source addresses are defined ambiguously. The event
+        will sometimes list an IP, a domain or a unix socket.  You should always store
+        the raw address in the `.address` field.
+
+        Then it should be duplicated to `.ip` or `.domain`, depending on which one
+        it is.'
+    - name: as.number
+      level: extended
+      type: long
+      description: Unique number allocated to the autonomous system. The autonomous
+        system number (ASN) uniquely identifies each network on the Internet.
+      example: 15169
+    - name: as.organization.name
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: Organization name.
+      example: Google LLC
+    - name: bytes
+      level: core
+      type: long
+      format: bytes
+      description: Bytes sent from the source to the destination.
+      example: 184
+    - name: domain
+      level: core
+      type: wildcard
+      description: Source domain.
+    - name: geo.city_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: City name.
+      example: Montreal
+    - name: geo.continent_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Name of the continent.
+      example: North America
+    - name: geo.country_iso_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Country ISO code.
+      example: CA
+    - name: geo.country_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Country name.
+      example: Canada
+    - name: geo.location
+      level: core
+      type: geo_point
+      description: Longitude and latitude.
+      example: '{ "lon": -73.614830, "lat": 45.505918 }'
+    - name: geo.name
+      level: extended
+      type: wildcard
+      description: 'User-defined description of a location, at the level of granularity
+        they care about.
+
+        Could be the name of their data centers, the floor number, if this describes
+        a local physical entity, city names.
+
+        Not typically used in automated geolocation.'
+      example: boston-dc
+    - name: geo.region_iso_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Region ISO code.
+      example: CA-QC
+    - name: geo.region_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Region name.
+      example: Quebec
+    - name: ip
+      level: core
+      type: ip
+      description: IP address of the source (IPv4 or IPv6).
+    - name: mac
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: MAC address of the source.
+    - name: nat.ip
+      level: extended
+      type: ip
+      description: 'Translated ip of source based NAT sessions (e.g. internal client
+        to internet)
+
+        Typically connections traversing load balancers, firewalls, or routers.'
+    - name: nat.port
+      level: extended
+      type: long
+      format: string
+      description: 'Translated port of source based NAT sessions. (e.g. internal client
+        to internet)
+
+        Typically used with load balancers, firewalls, or routers.'
+    - name: packets
+      level: core
+      type: long
+      description: Packets sent from the source to the destination.
+      example: 12
+    - name: port
+      level: core
+      type: long
+      format: string
+      description: Port of the source.
+    - name: registered_domain
+      level: extended
+      type: wildcard
+      description: 'The highest registered source domain, stripped of the subdomain.
+
+        For example, the registered domain for "foo.example.com" is "example.com".
+
+        This value can be determined precisely with a list like the public suffix
+        list (http://publicsuffix.org). Trying to approximate this by simply taking
+        the last two labels will not work well for TLDs such as "co.uk".'
+      example: example.com
+    - name: subdomain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The subdomain portion of a fully qualified domain name includes
+        all of the names except the host name under the registered_domain.  In a partially
+        qualified domain, or if the the qualification level of the full name cannot
+        be determined, subdomain contains all of the names below the registered domain.
+
+        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.'
+      example: east
+      default_field: false
+    - name: top_level_domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The effective top level domain (eTLD), also known as the domain
+        suffix, is the last part of the domain name. For example, the top level domain
+        for example.com is "com".
+
+        This value can be determined precisely with a list like the public suffix
+        list (http://publicsuffix.org). Trying to approximate this by simply taking
+        the last label will not work well for effective TLDs such as "co.uk".'
+      example: co.uk
+    - name: user.domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the user is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+    - name: user.email
+      level: extended
+      type: wildcard
+      description: User email address.
+    - name: user.full_name
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: User's full name, if available.
+      example: Albert Einstein
+    - name: user.group.domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+    - name: user.group.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier for the group on the system/platform.
+    - name: user.group.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the group.
+    - name: user.hash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Unique user hash to correlate information for a user in anonymized
+        form.
+
+        Useful if `user.id` or `user.name` contain confidential information and cannot
+        be used.'
+    - name: user.id
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier of the user.
+    - name: user.name
+      level: core
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: Short name or login of the user.
+      example: albert
+    - name: user.roles
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Array of user roles at the time of the event.
+      example: '["kibana_admin", "reporting_user"]'
+      default_field: false
+  - name: threat
+    title: Threat
+    group: 2
+    description: "Fields to classify events and alerts according to a threat taxonomy\
+      \ such as the MITRE ATT&CK\xAE framework.\nThese fields are for users to classify\
+      \ alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy.\
+      \ The threat.tactic.* are meant to capture the high level category of the threat\
+      \ (e.g. \"impact\"). The threat.technique.* fields are meant to capture which\
+      \ kind of approach is used by this detected threat, to accomplish the goal (e.g.\
+      \ \"endpoint denial of service\")."
+    type: group
+    fields:
+    - name: framework
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the threat framework used to further categorize and classify
+        the tactic and technique of the reported threat. Framework classification
+        can be provided by detecting systems, evaluated at ingest time, or retrospectively
+        tagged to events.
+      example: MITRE ATT&CK
+    - name: tactic.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\
+        \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )"
+      example: TA0002
+    - name: tactic.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: "Name of the type of tactic used by this threat. You can use a\
+        \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)"
+      example: Execution
+    - name: tactic.reference
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: "The reference url of tactic used by this threat. You can use a\
+        \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/\
+        \ )"
+      example: https://attack.mitre.org/tactics/TA0002/
+    - name: technique.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: "The id of technique used by this threat. You can use a MITRE ATT&CK\xAE\
+        \ technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
+      example: T1059
+    - name: technique.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: "The name of technique used by this threat. You can use a MITRE\
+        \ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
+      example: Command and Scripting Interpreter
+    - name: technique.reference
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: "The reference url of technique used by this threat. You can use\
+        \ a MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
+      example: https://attack.mitre.org/techniques/T1059/
+    - name: technique.subtechnique.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: "The full id of subtechnique used by this threat. You can use a\
+        \ MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
+      example: T1059.001
+      default_field: false
+    - name: technique.subtechnique.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: "The name of subtechnique used by this threat. You can use a MITRE\
+        \ ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
+      example: PowerShell
+      default_field: false
+    - name: technique.subtechnique.reference
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: "The reference url of subtechnique used by this threat. You can\
+        \ use a MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
+      example: https://attack.mitre.org/techniques/T1059/001/
+      default_field: false
+  - name: tls
+    title: TLS
+    group: 2
+    description: Fields related to a TLS connection. These fields focus on the TLS
+      protocol itself and intentionally avoids in-depth analysis of the related x.509
+      certificate files.
+    type: group
+    fields:
+    - name: cipher
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: String indicating the cipher used during the current connection.
+      example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+      default_field: false
+    - name: client.certificate
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: PEM-encoded stand-alone certificate offered by the client. This
+        is usually mutually-exclusive of `client.certificate_chain` since this value
+        also exists in that list.
+      example: MII...
+      default_field: false
+    - name: client.certificate_chain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Array of PEM-encoded certificates that make up the certificate
+        chain offered by the client. This is usually mutually-exclusive of `client.certificate`
+        since that value should be the first certificate in the chain.
+      example: '["MII...", "MII..."]'
+      default_field: false
+    - name: client.hash.md5
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Certificate fingerprint using the MD5 digest of DER-encoded version
+        of certificate offered by the client. For consistency with other hash values,
+        this value should be formatted as an uppercase hash.
+      example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
+      default_field: false
+    - name: client.hash.sha1
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Certificate fingerprint using the SHA1 digest of DER-encoded version
+        of certificate offered by the client. For consistency with other hash values,
+        this value should be formatted as an uppercase hash.
+      example: 9E393D93138888D288266C2D915214D1D1CCEB2A
+      default_field: false
+    - name: client.hash.sha256
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Certificate fingerprint using the SHA256 digest of DER-encoded
+        version of certificate offered by the client. For consistency with other hash
+        values, this value should be formatted as an uppercase hash.
+      example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
+      default_field: false
+    - name: client.issuer
+      level: extended
+      type: wildcard
+      description: Distinguished name of subject of the issuer of the x.509 certificate
+        presented by the client.
+      example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
+      default_field: false
+    - name: client.ja3
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: A hash that identifies clients based on how they perform an SSL/TLS
+        handshake.
+      example: d4e5b18d6b55c71272893221c96ba240
+      default_field: false
+    - name: client.not_after
+      level: extended
+      type: date
+      description: Date/Time indicating when client certificate is no longer considered
+        valid.
+      example: '2021-01-01T00:00:00.000Z'
+      default_field: false
+    - name: client.not_before
+      level: extended
+      type: date
+      description: Date/Time indicating when client certificate is first considered
+        valid.
+      example: '1970-01-01T00:00:00.000Z'
+      default_field: false
+    - name: client.server_name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Also called an SNI, this tells the server which hostname to which
+        the client is attempting to connect to. When this value is available, it should
+        get copied to `destination.domain`.
+      example: www.elastic.co
+      default_field: false
+    - name: client.subject
+      level: extended
+      type: wildcard
+      description: Distinguished name of subject of the x.509 certificate presented
+        by the client.
+      example: CN=myclient, OU=Documentation Team, DC=example, DC=com
+      default_field: false
+    - name: client.supported_ciphers
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Array of ciphers offered by the client during the client hello.
+      example: '["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+        "..."]'
+      default_field: false
+    - name: client.x509.alternative_names
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of subject alternative names (SAN). Name types vary by certificate
+        authority and certificate type but commonly contain IP addresses, DNS names
+        (and wildcards), and email addresses.
+      example: '*.elastic.co'
+      default_field: false
+    - name: client.x509.issuer.common_name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of common name (CN) of issuing certificate authority.
+      example: Example SHA2 High Assurance Server CA
+      default_field: false
+    - name: client.x509.issuer.country
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of country (C) codes
+      example: US
+      default_field: false
+    - name: client.x509.issuer.distinguished_name
+      level: extended
+      type: wildcard
+      description: Distinguished name (DN) of issuing certificate authority.
+      example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
+        Server CA
+      default_field: false
+    - name: client.x509.issuer.locality
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of locality names (L)
+      example: Mountain View
+      default_field: false
+    - name: client.x509.issuer.organization
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of organizations (O) of issuing certificate authority.
+      example: Example Inc
+      default_field: false
+    - name: client.x509.issuer.organizational_unit
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of organizational units (OU) of issuing certificate authority.
+      example: www.example.com
+      default_field: false
+    - name: client.x509.issuer.state_or_province
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of state or province names (ST, S, or P)
+      example: California
+      default_field: false
+    - name: client.x509.not_after
+      level: extended
+      type: date
+      description: Time at which the certificate is no longer considered valid.
+      example: 2020-07-16 03:15:39+00:00
+      default_field: false
+    - name: client.x509.not_before
+      level: extended
+      type: date
+      description: Time at which the certificate is first considered valid.
+      example: 2019-08-16 01:40:25+00:00
+      default_field: false
+    - name: client.x509.public_key_algorithm
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Algorithm used to generate the public key.
+      example: RSA
+      default_field: false
+    - name: client.x509.public_key_curve
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The curve used by the elliptic curve public key algorithm. This
+        is algorithm specific.
+      example: nistp521
+      default_field: false
+    - name: client.x509.public_key_exponent
+      level: extended
+      type: long
+      description: Exponent used to derive the public key. This is algorithm specific.
+      example: 65537
+      index: false
+      default_field: false
+    - name: client.x509.public_key_size
+      level: extended
+      type: long
+      description: The size of the public key space in bits.
+      example: 2048
+      default_field: false
+    - name: client.x509.serial_number
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Unique serial number issued by the certificate authority. For consistency,
+        if this value is alphanumeric, it should be formatted without colons and uppercase
+        characters.
+      example: 55FBB9C7DEBF09809D12CCAA
+      default_field: false
+    - name: client.x509.signature_algorithm
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Identifier for certificate signature algorithm. We recommend using
+        names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
+      example: SHA256-RSA
+      default_field: false
+    - name: client.x509.subject.common_name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of common names (CN) of subject.
+      example: shared.global.example.net
+      default_field: false
+    - name: client.x509.subject.country
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of country (C) code
+      example: US
+      default_field: false
+    - name: client.x509.subject.distinguished_name
+      level: extended
+      type: wildcard
+      description: Distinguished name (DN) of the certificate subject entity.
+      example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+      default_field: false
+    - name: client.x509.subject.locality
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of locality names (L)
+      example: San Francisco
+      default_field: false
+    - name: client.x509.subject.organization
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of organizations (O) of subject.
+      example: Example, Inc.
+      default_field: false
+    - name: client.x509.subject.organizational_unit
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of organizational units (OU) of subject.
+      default_field: false
+    - name: client.x509.subject.state_or_province
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of state or province names (ST, S, or P)
+      example: California
+      default_field: false
+    - name: client.x509.version_number
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Version of x509 format.
+      example: 3
+      default_field: false
+    - name: curve
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: String indicating the curve used for the given cipher, when applicable.
+      example: secp256r1
+      default_field: false
+    - name: established
+      level: extended
+      type: boolean
+      description: Boolean flag indicating if the TLS negotiation was successful and
+        transitioned to an encrypted tunnel.
+      default_field: false
+    - name: next_protocol
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: String indicating the protocol being tunneled. Per the values in
+        the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids),
+        this string should be lower case.
+      example: http/1.1
+      default_field: false
+    - name: resumed
+      level: extended
+      type: boolean
+      description: Boolean flag indicating if this TLS connection was resumed from
+        an existing TLS negotiation.
+      default_field: false
+    - name: server.certificate
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: PEM-encoded stand-alone certificate offered by the server. This
+        is usually mutually-exclusive of `server.certificate_chain` since this value
+        also exists in that list.
+      example: MII...
+      default_field: false
+    - name: server.certificate_chain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Array of PEM-encoded certificates that make up the certificate
+        chain offered by the server. This is usually mutually-exclusive of `server.certificate`
+        since that value should be the first certificate in the chain.
+      example: '["MII...", "MII..."]'
+      default_field: false
+    - name: server.hash.md5
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Certificate fingerprint using the MD5 digest of DER-encoded version
+        of certificate offered by the server. For consistency with other hash values,
+        this value should be formatted as an uppercase hash.
+      example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
+      default_field: false
+    - name: server.hash.sha1
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Certificate fingerprint using the SHA1 digest of DER-encoded version
+        of certificate offered by the server. For consistency with other hash values,
+        this value should be formatted as an uppercase hash.
+      example: 9E393D93138888D288266C2D915214D1D1CCEB2A
+      default_field: false
+    - name: server.hash.sha256
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Certificate fingerprint using the SHA256 digest of DER-encoded
+        version of certificate offered by the server. For consistency with other hash
+        values, this value should be formatted as an uppercase hash.
+      example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
+      default_field: false
+    - name: server.issuer
+      level: extended
+      type: wildcard
+      description: Subject of the issuer of the x.509 certificate presented by the
+        server.
+      example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
+      default_field: false
+    - name: server.ja3s
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: A hash that identifies servers based on how they perform an SSL/TLS
+        handshake.
+      example: 394441ab65754e2207b1e1b457b3641d
+      default_field: false
+    - name: server.not_after
+      level: extended
+      type: date
+      description: Timestamp indicating when server certificate is no longer considered
+        valid.
+      example: '2021-01-01T00:00:00.000Z'
+      default_field: false
+    - name: server.not_before
+      level: extended
+      type: date
+      description: Timestamp indicating when server certificate is first considered
+        valid.
+      example: '1970-01-01T00:00:00.000Z'
+      default_field: false
+    - name: server.subject
+      level: extended
+      type: wildcard
+      description: Subject of the x.509 certificate presented by the server.
+      example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com
+      default_field: false
+    - name: server.x509.alternative_names
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of subject alternative names (SAN). Name types vary by certificate
+        authority and certificate type but commonly contain IP addresses, DNS names
+        (and wildcards), and email addresses.
+      example: '*.elastic.co'
+      default_field: false
+    - name: server.x509.issuer.common_name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of common name (CN) of issuing certificate authority.
+      example: Example SHA2 High Assurance Server CA
+      default_field: false
+    - name: server.x509.issuer.country
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of country (C) codes
+      example: US
+      default_field: false
+    - name: server.x509.issuer.distinguished_name
+      level: extended
+      type: wildcard
+      description: Distinguished name (DN) of issuing certificate authority.
+      example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
+        Server CA
+      default_field: false
+    - name: server.x509.issuer.locality
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of locality names (L)
+      example: Mountain View
+      default_field: false
+    - name: server.x509.issuer.organization
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of organizations (O) of issuing certificate authority.
+      example: Example Inc
+      default_field: false
+    - name: server.x509.issuer.organizational_unit
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of organizational units (OU) of issuing certificate authority.
+      example: www.example.com
+      default_field: false
+    - name: server.x509.issuer.state_or_province
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of state or province names (ST, S, or P)
+      example: California
+      default_field: false
+    - name: server.x509.not_after
+      level: extended
+      type: date
+      description: Time at which the certificate is no longer considered valid.
+      example: 2020-07-16 03:15:39+00:00
+      default_field: false
+    - name: server.x509.not_before
+      level: extended
+      type: date
+      description: Time at which the certificate is first considered valid.
+      example: 2019-08-16 01:40:25+00:00
+      default_field: false
+    - name: server.x509.public_key_algorithm
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Algorithm used to generate the public key.
+      example: RSA
+      default_field: false
+    - name: server.x509.public_key_curve
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The curve used by the elliptic curve public key algorithm. This
+        is algorithm specific.
+      example: nistp521
+      default_field: false
+    - name: server.x509.public_key_exponent
+      level: extended
+      type: long
+      description: Exponent used to derive the public key. This is algorithm specific.
+      example: 65537
+      index: false
+      default_field: false
+    - name: server.x509.public_key_size
+      level: extended
+      type: long
+      description: The size of the public key space in bits.
+      example: 2048
+      default_field: false
+    - name: server.x509.serial_number
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Unique serial number issued by the certificate authority. For consistency,
+        if this value is alphanumeric, it should be formatted without colons and uppercase
+        characters.
+      example: 55FBB9C7DEBF09809D12CCAA
+      default_field: false
+    - name: server.x509.signature_algorithm
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Identifier for certificate signature algorithm. We recommend using
+        names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
+      example: SHA256-RSA
+      default_field: false
+    - name: server.x509.subject.common_name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of common names (CN) of subject.
+      example: shared.global.example.net
+      default_field: false
+    - name: server.x509.subject.country
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of country (C) code
+      example: US
+      default_field: false
+    - name: server.x509.subject.distinguished_name
+      level: extended
+      type: wildcard
+      description: Distinguished name (DN) of the certificate subject entity.
+      example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+      default_field: false
+    - name: server.x509.subject.locality
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of locality names (L)
+      example: San Francisco
+      default_field: false
+    - name: server.x509.subject.organization
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of organizations (O) of subject.
+      example: Example, Inc.
+      default_field: false
+    - name: server.x509.subject.organizational_unit
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of organizational units (OU) of subject.
+      default_field: false
+    - name: server.x509.subject.state_or_province
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of state or province names (ST, S, or P)
+      example: California
+      default_field: false
+    - name: server.x509.version_number
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Version of x509 format.
+      example: 3
+      default_field: false
+    - name: version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Numeric part of the version parsed from the original string.
+      example: '1.2'
+      default_field: false
+    - name: version_protocol
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Normalized lowercase protocol name parsed from original string.
+      example: tls
+      default_field: false
+  - name: tracing
+    title: Tracing
+    group: 2
+    description: Distributed tracing makes it possible to analyze performance throughout
+      a microservice architecture all in one view. This is accomplished by tracing
+      all of the requests - from the initial web request in the front-end service
+      - to queries made through multiple back-end services.
+    type: group
+    fields:
+    - name: span.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Unique identifier of the span within the scope of its trace.
+
+        A span represents an operation within a transaction, such as a request to
+        another service, or a database query.'
+      example: 3ff9a8981b7ccd5a
+      default_field: false
+    - name: trace.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Unique identifier of the trace.
+
+        A trace groups multiple events like transactions that belong together. For
+        example, a user request handled by multiple inter-connected services.'
+      example: 4bf92f3577b34da6a3ce929d0e0e4736
+    - name: transaction.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Unique identifier of the transaction within the scope of its trace.
+
+        A transaction is the highest level of work measured within a service, such
+        as a request to a server.'
+      example: 00f067aa0ba902b7
+  - name: url
+    title: URL
+    group: 2
+    description: URL fields provide support for complete or partial URLs, and supports
+      the breaking down into scheme, domain, path, and so on.
+    type: group
+    fields:
+    - name: domain
+      level: extended
+      type: wildcard
+      description: 'Domain of the url, such as "www.elastic.co".
+
+        In some cases a URL may refer to an IP and/or port directly, without a domain
+        name. In this case, the IP address would go to the `domain` field.'
+      example: www.elastic.co
+    - name: extension
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The field contains the file extension from the original request
+        url.
+
+        The file extension is only set if it exists, as not every url has a file extension.
+
+        The leading period must not be included. For example, the value must be "png",
+        not ".png".'
+      example: png
+    - name: fragment
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Portion of the url after the `#`, such as "top".
+
+        The `#` is not part of the fragment.'
+    - name: full
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: If full URLs are important to your use case, they should be stored
+        in `url.full`, whether this field is reconstructed or present in the event
+        source.
+      example: https://www.elastic.co:443/search?q=elasticsearch#top
+    - name: original
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: 'Unmodified original url as seen in the event source.
+
+        Note that in network monitoring, the observed URL may be a full URL, whereas
+        in access logs, the URL is often just represented as a path.
+
+        This field is meant to represent the URL as it was observed, complete or not.'
+      example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
+    - name: password
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Password of the request.
+    - name: path
+      level: extended
+      type: wildcard
+      description: Path of the request, such as "/search".
+    - name: port
+      level: extended
+      type: long
+      format: string
+      description: Port of the request, such as 443.
+      example: 443
+    - name: query
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The query field describes the query string of the request, such
+        as "q=elasticsearch".
+
+        The `?` is excluded from the query string. If a URL contains no `?`, there
+        is no query field. If there is a `?` but no query, the query field exists
+        with an empty string. The `exists` query can be used to differentiate between
+        the two cases.'
+    - name: registered_domain
+      level: extended
+      type: wildcard
+      description: 'The highest registered url domain, stripped of the subdomain.
+
+        For example, the registered domain for "foo.example.com" is "example.com".
+
+        This value can be determined precisely with a list like the public suffix
+        list (http://publicsuffix.org). Trying to approximate this by simply taking
+        the last two labels will not work well for TLDs such as "co.uk".'
+      example: example.com
+    - name: scheme
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Scheme of the request, such as "https".
+
+        Note: The `:` is not part of the scheme.'
+      example: https
+    - name: subdomain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The subdomain portion of a fully qualified domain name includes
+        all of the names except the host name under the registered_domain.  In a partially
+        qualified domain, or if the the qualification level of the full name cannot
+        be determined, subdomain contains all of the names below the registered domain.
+
+        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.'
+      example: east
+      default_field: false
+    - name: top_level_domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The effective top level domain (eTLD), also known as the domain
+        suffix, is the last part of the domain name. For example, the top level domain
+        for example.com is "com".
+
+        This value can be determined precisely with a list like the public suffix
+        list (http://publicsuffix.org). Trying to approximate this by simply taking
+        the last label will not work well for effective TLDs such as "co.uk".'
+      example: co.uk
+    - name: username
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Username of the request.
+  - name: user
+    title: User
+    group: 2
+    description: 'The user fields describe information about the user that is relevant
+      to the event.
+
+      Fields can have one entry or multiple entries. If a user has more than one id,
+      provide an array that includes all of them.'
+    type: group
+    fields:
+    - name: changes.domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the user is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      default_field: false
+    - name: changes.email
+      level: extended
+      type: wildcard
+      description: User email address.
+      default_field: false
+    - name: changes.full_name
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: User's full name, if available.
+      example: Albert Einstein
+      default_field: false
+    - name: changes.group.domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      default_field: false
+    - name: changes.group.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier for the group on the system/platform.
+      default_field: false
+    - name: changes.group.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the group.
+      default_field: false
+    - name: changes.hash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Unique user hash to correlate information for a user in anonymized
+        form.
+
+        Useful if `user.id` or `user.name` contain confidential information and cannot
+        be used.'
+      default_field: false
+    - name: changes.id
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier of the user.
+      default_field: false
+    - name: changes.name
+      level: core
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: Short name or login of the user.
+      example: albert
+      default_field: false
+    - name: changes.roles
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Array of user roles at the time of the event.
+      example: '["kibana_admin", "reporting_user"]'
+      default_field: false
+    - name: domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the user is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+    - name: effective.domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the user is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      default_field: false
+    - name: effective.email
+      level: extended
+      type: wildcard
+      description: User email address.
+      default_field: false
+    - name: effective.full_name
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: User's full name, if available.
+      example: Albert Einstein
+      default_field: false
+    - name: effective.group.domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      default_field: false
+    - name: effective.group.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier for the group on the system/platform.
+      default_field: false
+    - name: effective.group.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the group.
+      default_field: false
+    - name: effective.hash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Unique user hash to correlate information for a user in anonymized
+        form.
+
+        Useful if `user.id` or `user.name` contain confidential information and cannot
+        be used.'
+      default_field: false
+    - name: effective.id
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier of the user.
+      default_field: false
+    - name: effective.name
+      level: core
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: Short name or login of the user.
+      example: albert
+      default_field: false
+    - name: effective.roles
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Array of user roles at the time of the event.
+      example: '["kibana_admin", "reporting_user"]'
+      default_field: false
+    - name: email
+      level: extended
+      type: wildcard
+      description: User email address.
+    - name: full_name
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: User's full name, if available.
+      example: Albert Einstein
+    - name: group.domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+    - name: group.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier for the group on the system/platform.
+    - name: group.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the group.
+    - name: hash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Unique user hash to correlate information for a user in anonymized
+        form.
+
+        Useful if `user.id` or `user.name` contain confidential information and cannot
+        be used.'
+    - name: id
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier of the user.
+    - name: name
+      level: core
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: Short name or login of the user.
+      example: albert
+    - name: roles
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Array of user roles at the time of the event.
+      example: '["kibana_admin", "reporting_user"]'
+      default_field: false
+    - name: target.domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the user is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      default_field: false
+    - name: target.email
+      level: extended
+      type: wildcard
+      description: User email address.
+      default_field: false
+    - name: target.full_name
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: User's full name, if available.
+      example: Albert Einstein
+      default_field: false
+    - name: target.group.domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      default_field: false
+    - name: target.group.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier for the group on the system/platform.
+      default_field: false
+    - name: target.group.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the group.
+      default_field: false
+    - name: target.hash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Unique user hash to correlate information for a user in anonymized
+        form.
+
+        Useful if `user.id` or `user.name` contain confidential information and cannot
+        be used.'
+      default_field: false
+    - name: target.id
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier of the user.
+      default_field: false
+    - name: target.name
+      level: core
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: Short name or login of the user.
+      example: albert
+      default_field: false
+    - name: target.roles
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Array of user roles at the time of the event.
+      example: '["kibana_admin", "reporting_user"]'
+      default_field: false
+  - name: user_agent
+    title: User agent
+    group: 2
+    description: 'The user_agent fields normally come from a browser request.
+
+      They often show up in web service logs coming from the parsed user agent string.'
+    type: group
+    fields:
+    - name: device.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the device.
+      example: iPhone
+    - name: name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the user agent.
+      example: Safari
+    - name: original
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: Unparsed user_agent string.
+      example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15
+        (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
+    - name: os.family
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: OS family (such as redhat, debian, freebsd, windows).
+      example: debian
+    - name: os.full
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: Operating system name, including the version or code name.
+      example: Mac OS Mojave
+    - name: os.kernel
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Operating system kernel version as a raw string.
+      example: 4.4.0-112-generic
+    - name: os.name
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+        default_field: false
+      description: Operating system name, without the version.
+      example: Mac OS X
+    - name: os.platform
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Operating system platform (such centos, ubuntu, windows).
+      example: darwin
+    - name: os.version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Operating system version as a raw string.
+      example: 10.14.1
+    - name: version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Version of the user agent.
+      example: 12.0
+  - name: vlan
+    title: VLAN
+    group: 2
+    description: 'The VLAN fields are used to identify 802.1q tag(s) of a packet,
+      as well as ingress and egress VLAN associations of an observer in relation to
+      a specific packet or connection.
+
+      Network.vlan fields are used to record a single VLAN tag, or the outer tag in
+      the case of q-in-q encapsulations, for a packet or connection as observed, typically
+      provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic.
+
+      Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple
+      802.1q encapsulations) as observed, typically provided by a network sensor  (e.g.
+      Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should
+      only be used in addition to network.vlan fields to indicate q-in-q tagging.
+
+      Observer.ingress and observer.egress VLAN values are used to record observer
+      specific information when observer events contain discrete ingress and egress
+      VLAN information, typically provided by firewalls, routers, or load balancers.'
+    type: group
+    fields:
+    - name: id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: VLAN ID as reported by the observer.
+      example: 10
+      default_field: false
+    - name: name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Optional VLAN name as reported by the observer.
+      example: outside
+      default_field: false
+  - name: vulnerability
+    title: Vulnerability
+    group: 2
+    description: The vulnerability fields describe information about a vulnerability
+      that is relevant to an event.
+    type: group
+    fields:
+    - name: category
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The type of system or architecture that the vulnerability affects.
+        These may be platform-specific (for example, Debian or SUSE) or general (for
+        example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys
+        vulnerability categories])
+
+        This field must be an array.'
+      example: '["Firewall"]'
+      default_field: false
+    - name: classification
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The classification of the vulnerability scoring system. For example
+        (https://www.first.org/cvss/)
+      example: CVSS
+      default_field: false
+    - name: description
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: The description of the vulnerability that provides additional context
+        of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common
+        Vulnerabilities and Exposure CVE description])
+      example: In macOS before 2.12.6, there is a vulnerability in the RPC...
+      default_field: false
+    - name: enumeration
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The type of identifier used for this vulnerability. For example
+        (https://cve.mitre.org/about/)
+      example: CVE
+      default_field: false
+    - name: id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The identification (ID) is the number portion of a vulnerability
+        entry. It includes a unique identification number for the vulnerability. For
+        example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities
+        and Exposure CVE ID]
+      example: CVE-2019-00001
+      default_field: false
+    - name: reference
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: A resource that provides additional information, context, and mitigations
+        for the identified vulnerability.
+      example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111
+      default_field: false
+    - name: report_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The report or scan identification number.
+      example: 20191018.0001
+      default_field: false
+    - name: scanner.vendor
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The name of the vulnerability scanner vendor.
+      example: Tenable
+      default_field: false
+    - name: score.base
+      level: extended
+      type: float
+      description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
+
+        Base scores cover an assessment for exploitability metrics (attack vector,
+        complexity, privileges, and user interaction), impact metrics (confidentiality,
+        integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document)'
+      example: 5.5
+      default_field: false
+    - name: score.environmental
+      level: extended
+      type: float
+      description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
+
+        Environmental scores cover an assessment for any modified Base metrics, confidentiality,
+        integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document)'
+      example: 5.5
+      default_field: false
+    - name: score.temporal
+      level: extended
+      type: float
+      description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
+
+        Temporal scores cover an assessment for code maturity, remediation level,
+        and confidence. For example (https://www.first.org/cvss/specification-document)'
+      default_field: false
+    - name: score.version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The National Vulnerability Database (NVD) provides qualitative
+        severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score
+        ranges in addition to the severity ratings for CVSS v3.0 as they are defined
+        in the CVSS v3.0 specification.
+
+        CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit
+        organization, whose mission is to help computer security incident response
+        teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss)'
+      example: 2.0
+      default_field: false
+    - name: severity
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The severity of the vulnerability can help with metrics and internal
+        prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss)
+      example: Critical
+      default_field: false
+  - name: x509
+    title: x509 Certificate
+    group: 2
+    description: This implements the common core fields for x509 certificates. This
+      information is likely logged with TLS sessions, digital signatures found in
+      executable binaries, S/MIME information in email bodies, or analysis of files
+      on disk. When only a single certificate is logged in an event, it should be
+      nested under `file`. When hashes of the DER-encoded certificate are available,
+      the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For
+      events that contain certificate information for both sides of the connection,
+      the x509 object could be nested under the respective side of the connection
+      information (e.g. `tls.server.x509`).
+    type: group
+    fields:
+    - name: alternative_names
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of subject alternative names (SAN). Name types vary by certificate
+        authority and certificate type but commonly contain IP addresses, DNS names
+        (and wildcards), and email addresses.
+      example: '*.elastic.co'
+      default_field: false
+    - name: issuer.common_name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of common name (CN) of issuing certificate authority.
+      example: Example SHA2 High Assurance Server CA
+      default_field: false
+    - name: issuer.country
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of country (C) codes
+      example: US
+      default_field: false
+    - name: issuer.distinguished_name
+      level: extended
+      type: wildcard
+      description: Distinguished name (DN) of issuing certificate authority.
+      example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
+        Server CA
+      default_field: false
+    - name: issuer.locality
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of locality names (L)
+      example: Mountain View
+      default_field: false
+    - name: issuer.organization
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of organizations (O) of issuing certificate authority.
+      example: Example Inc
+      default_field: false
+    - name: issuer.organizational_unit
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of organizational units (OU) of issuing certificate authority.
+      example: www.example.com
+      default_field: false
+    - name: issuer.state_or_province
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of state or province names (ST, S, or P)
+      example: California
+      default_field: false
+    - name: not_after
+      level: extended
+      type: date
+      description: Time at which the certificate is no longer considered valid.
+      example: 2020-07-16 03:15:39+00:00
+      default_field: false
+    - name: not_before
+      level: extended
+      type: date
+      description: Time at which the certificate is first considered valid.
+      example: 2019-08-16 01:40:25+00:00
+      default_field: false
+    - name: public_key_algorithm
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Algorithm used to generate the public key.
+      example: RSA
+      default_field: false
+    - name: public_key_curve
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The curve used by the elliptic curve public key algorithm. This
+        is algorithm specific.
+      example: nistp521
+      default_field: false
+    - name: public_key_exponent
+      level: extended
+      type: long
+      description: Exponent used to derive the public key. This is algorithm specific.
+      example: 65537
+      index: false
+      default_field: false
+    - name: public_key_size
+      level: extended
+      type: long
+      description: The size of the public key space in bits.
+      example: 2048
+      default_field: false
+    - name: serial_number
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Unique serial number issued by the certificate authority. For consistency,
+        if this value is alphanumeric, it should be formatted without colons and uppercase
+        characters.
+      example: 55FBB9C7DEBF09809D12CCAA
+      default_field: false
+    - name: signature_algorithm
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Identifier for certificate signature algorithm. We recommend using
+        names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
+      example: SHA256-RSA
+      default_field: false
+    - name: subject.common_name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of common names (CN) of subject.
+      example: shared.global.example.net
+      default_field: false
+    - name: subject.country
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of country (C) code
+      example: US
+      default_field: false
+    - name: subject.distinguished_name
+      level: extended
+      type: wildcard
+      description: Distinguished name (DN) of the certificate subject entity.
+      example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+      default_field: false
+    - name: subject.locality
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of locality names (L)
+      example: San Francisco
+      default_field: false
+    - name: subject.organization
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of organizations (O) of subject.
+      example: Example, Inc.
+      default_field: false
+    - name: subject.organizational_unit
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of organizational units (OU) of subject.
+      default_field: false
+    - name: subject.state_or_province
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of state or province names (ST, S, or P)
+      example: California
+      default_field: false
+    - name: version_number
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Version of x509 format.
+      example: 3
+      default_field: false
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
new file mode 100644
index 0000000000..62979dd9b5
--- /dev/null
+++ b/experimental/generated/csv/fields.csv
@@ -0,0 +1,720 @@
+ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
+1.7.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated.
+1.7.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs.
+1.7.0-dev,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer.
+1.7.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event.
+1.7.0-dev,true,agent,agent.build.original,wildcard,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent.
+1.7.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent.
+1.7.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
+1.7.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
+1.7.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent.
+1.7.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
+1.7.0-dev,true,client,client.address,keyword,extended,,,Client network address.
+1.7.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.7.0-dev,true,client,client.as.organization.name,wildcard,extended,,Google LLC,Organization name.
+1.7.0-dev,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.7.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server.
+1.7.0-dev,true,client,client.domain,wildcard,core,,,Client domain.
+1.7.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name.
+1.7.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.7.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.7.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name.
+1.7.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.7.0-dev,true,client,client.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.7.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.7.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name.
+1.7.0-dev,true,client,client.ip,ip,core,,,IP address of the client.
+1.7.0-dev,true,client,client.mac,keyword,core,,,MAC address of the client.
+1.7.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address
+1.7.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port
+1.7.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server.
+1.7.0-dev,true,client,client.port,long,core,,,Port of the client.
+1.7.0-dev,true,client,client.registered_domain,wildcard,extended,,example.com,"The highest registered client domain, stripped of the subdomain."
+1.7.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.7.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.7.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.7.0-dev,true,client,client.user.email,wildcard,extended,,,User email address.
+1.7.0-dev,true,client,client.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.7.0-dev,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.7.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.7.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.7.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group.
+1.7.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.7.0-dev,true,client,client.user.id,keyword,core,,,Unique identifier of the user.
+1.7.0-dev,true,client,client.user.name,wildcard,core,,albert,Short name or login of the user.
+1.7.0-dev,true,client,client.user.name.text,text,core,,albert,Short name or login of the user.
+1.7.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.7.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id.
+1.7.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name.
+1.7.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running.
+1.7.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
+1.7.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine.
+1.7.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
+1.7.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id.
+1.7.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name.
+1.7.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider.
+1.7.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running.
+1.7.0-dev,true,container,container.id,keyword,core,,,Unique container id.
+1.7.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on.
+1.7.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags.
+1.7.0-dev,true,container,container.labels,object,extended,,,Image labels.
+1.7.0-dev,true,container,container.name,keyword,extended,,,Container name.
+1.7.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container.
+1.7.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address.
+1.7.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.7.0-dev,true,destination,destination.as.organization.name,wildcard,extended,,Google LLC,Organization name.
+1.7.0-dev,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.7.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source.
+1.7.0-dev,true,destination,destination.domain,wildcard,core,,,Destination domain.
+1.7.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name.
+1.7.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.7.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.7.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name.
+1.7.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.7.0-dev,true,destination,destination.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.7.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.7.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name.
+1.7.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination.
+1.7.0-dev,true,destination,destination.mac,keyword,core,,,MAC address of the destination.
+1.7.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip
+1.7.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port
+1.7.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source.
+1.7.0-dev,true,destination,destination.port,long,core,,,Port of the destination.
+1.7.0-dev,true,destination,destination.registered_domain,wildcard,extended,,example.com,"The highest registered destination domain, stripped of the subdomain."
+1.7.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.7.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.7.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.7.0-dev,true,destination,destination.user.email,wildcard,extended,,,User email address.
+1.7.0-dev,true,destination,destination.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.7.0-dev,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.7.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.7.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.7.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group.
+1.7.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.7.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user.
+1.7.0-dev,true,destination,destination.user.name,wildcard,core,,albert,Short name or login of the user.
+1.7.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user.
+1.7.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.7.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.7.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.7.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.7.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.7.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.7.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash.
+1.7.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash.
+1.7.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash.
+1.7.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash.
+1.7.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library.
+1.7.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library.
+1.7.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.7.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.7.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.7.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.7.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.7.0-dev,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.7.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.7.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record.
+1.7.0-dev,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource.
+1.7.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains.
+1.7.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded.
+1.7.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record.
+1.7.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags.
+1.7.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
+1.7.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message.
+1.7.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried.
+1.7.0-dev,true,dns,dns.question.name,wildcard,extended,,www.example.com,The name being queried.
+1.7.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain."
+1.7.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain.
+1.7.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.7.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried.
+1.7.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data
+1.7.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code.
+1.7.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer."
+1.7.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
+1.7.0-dev,true,error,error.code,keyword,core,,,Error code describing the error.
+1.7.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error.
+1.7.0-dev,true,error,error.message,text,core,,,Error message.
+1.7.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text.
+1.7.0-dev,true,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text.
+1.7.0-dev,true,error,error.type,wildcard,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception."
+1.7.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event.
+1.7.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy.
+1.7.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event.
+1.7.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline.
+1.7.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset.
+1.7.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds.
+1.7.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed.
+1.7.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
+1.7.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event.
+1.7.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store.
+1.7.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy.
+1.7.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from.
+1.7.0-dev,false,event,event.original,wildcard,core,,Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124; worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event.
+1.7.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy.
+1.7.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event.
+1.7.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source"
+1.7.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL
+1.7.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
+1.7.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100).
+1.7.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event.
+1.7.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event.
+1.7.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed.
+1.7.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone.
+1.7.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy.
+1.7.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL
+1.7.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed.
+1.7.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
+1.7.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.7.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.7.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.7.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.7.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.7.0-dev,true,file,file.created,date,extended,,,File creation time.
+1.7.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed.
+1.7.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file.
+1.7.0-dev,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located.
+1.7.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
+1.7.0-dev,true,file,file.extension,keyword,extended,,png,File extension.
+1.7.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
+1.7.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file.
+1.7.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash.
+1.7.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash.
+1.7.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash.
+1.7.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash.
+1.7.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
+1.7.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
+1.7.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation.
+1.7.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified.
+1.7.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
+1.7.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username.
+1.7.0-dev,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+1.7.0-dev,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+1.7.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.7.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.7.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.7.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.7.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.7.0-dev,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.7.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.7.0-dev,true,file,file.size,long,extended,,16384,File size in bytes.
+1.7.0-dev,true,file,file.target_path,wildcard,extended,,,Target path for symlinks.
+1.7.0-dev,true,file,file.target_path.text,text,extended,,,Target path for symlinks.
+1.7.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
+1.7.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
+1.7.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+1.7.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+1.7.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+1.7.0-dev,true,file,file.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.7.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+1.7.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+1.7.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+1.7.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.7.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+1.7.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+1.7.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+1.7.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+1.7.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+1.7.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+1.7.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+1.7.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+1.7.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+1.7.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code
+1.7.0-dev,true,file,file.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.7.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+1.7.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+1.7.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+1.7.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.7.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format.
+1.7.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.7.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.7.0-dev,true,group,group.name,keyword,extended,,,Name of the group.
+1.7.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture.
+1.7.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of.
+1.7.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name.
+1.7.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.7.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.7.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name.
+1.7.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.7.0-dev,true,host,host.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.7.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.7.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name.
+1.7.0-dev,true,host,host.hostname,wildcard,core,,,Hostname of the host.
+1.7.0-dev,true,host,host.id,keyword,core,,,Unique host id.
+1.7.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses.
+1.7.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses.
+1.7.0-dev,true,host,host.name,keyword,core,,,Name of the host.
+1.7.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+1.7.0-dev,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.7.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.7.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+1.7.0-dev,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
+1.7.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
+1.7.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+1.7.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+1.7.0-dev,true,host,host.type,keyword,core,,,Type of host.
+1.7.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up.
+1.7.0-dev,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.7.0-dev,true,host,host.user.email,wildcard,extended,,,User email address.
+1.7.0-dev,true,host,host.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.7.0-dev,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.7.0-dev,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.7.0-dev,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.7.0-dev,true,host,host.user.group.name,keyword,extended,,,Name of the group.
+1.7.0-dev,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.7.0-dev,true,host,host.user.id,keyword,core,,,Unique identifier of the user.
+1.7.0-dev,true,host,host.user.name,wildcard,core,,albert,Short name or login of the user.
+1.7.0-dev,true,host,host.user.name.text,text,core,,albert,Short name or login of the user.
+1.7.0-dev,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.7.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body.
+1.7.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body.
+1.7.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body.
+1.7.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers).
+1.7.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method.
+1.7.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request.
+1.7.0-dev,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request.
+1.7.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body.
+1.7.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body.
+1.7.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body.
+1.7.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers).
+1.7.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response.
+1.7.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code.
+1.7.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version.
+1.7.0-dev,true,log,log.file.path,wildcard,extended,,/var/log/fun-times.log,Full path to the log file this event came from.
+1.7.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event.
+1.7.0-dev,true,log,log.logger,wildcard,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger.
+1.7.0-dev,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event.
+1.7.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event.
+1.7.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event.
+1.7.0-dev,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)."
+1.7.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata
+1.7.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event.
+1.7.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event.
+1.7.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event.
+1.7.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event.
+1.7.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event.
+1.7.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name.
+1.7.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions.
+1.7.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports.
+1.7.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic.
+1.7.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy.
+1.7.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number.
+1.7.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information
+1.7.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+1.7.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+1.7.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network.
+1.7.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions.
+1.7.0-dev,true,network,network.protocol,keyword,core,,http,L7 Network protocol name.
+1.7.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`.
+1.7.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc"
+1.7.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+1.7.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+1.7.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information
+1.7.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias
+1.7.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID
+1.7.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name
+1.7.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+1.7.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+1.7.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone
+1.7.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name.
+1.7.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.7.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.7.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name.
+1.7.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.7.0-dev,true,observer,observer.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.7.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.7.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name.
+1.7.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer.
+1.7.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information
+1.7.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias
+1.7.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID
+1.7.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name
+1.7.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+1.7.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+1.7.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone
+1.7.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer.
+1.7.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer
+1.7.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer.
+1.7.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+1.7.0-dev,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.7.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.7.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+1.7.0-dev,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
+1.7.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
+1.7.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+1.7.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+1.7.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer.
+1.7.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number.
+1.7.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from.
+1.7.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer.
+1.7.0-dev,true,observer,observer.version,keyword,core,,,Observer version.
+1.7.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization.
+1.7.0-dev,true,organization,organization.name,wildcard,extended,,,Organization name.
+1.7.0-dev,true,organization,organization.name.text,text,extended,,,Organization name.
+1.7.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture.
+1.7.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information
+1.7.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification.
+1.7.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package.
+1.7.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global."
+1.7.0-dev,true,package,package.installed,date,extended,,,Time when package was installed.
+1.7.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license
+1.7.0-dev,true,package,package.name,keyword,extended,,go,Package name
+1.7.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed.
+1.7.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL
+1.7.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes.
+1.7.0-dev,true,package,package.type,keyword,extended,,rpm,Package type
+1.7.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version
+1.7.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
+1.7.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array.
+1.7.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.7.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.7.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.7.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.7.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.7.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.7.0-dev,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.7.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
+1.7.0-dev,true,process,process.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.7.0-dev,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.7.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process.
+1.7.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash.
+1.7.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash.
+1.7.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash.
+1.7.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash.
+1.7.0-dev,true,process,process.name,wildcard,extended,,ssh,Process name.
+1.7.0-dev,true,process,process.name.text,text,extended,,ssh,Process name.
+1.7.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
+1.7.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
+1.7.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.7.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.7.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.7.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.7.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.7.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.7.0-dev,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.7.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
+1.7.0-dev,true,process,process.parent.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.7.0-dev,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.7.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process.
+1.7.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash.
+1.7.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash.
+1.7.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash.
+1.7.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash.
+1.7.0-dev,true,process,process.parent.name,wildcard,extended,,ssh,Process name.
+1.7.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name.
+1.7.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.7.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.7.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.7.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.7.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.7.0-dev,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.7.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.7.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
+1.7.0-dev,true,process,process.parent.pid,long,core,,4242,Process id.
+1.7.0-dev,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid.
+1.7.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
+1.7.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID.
+1.7.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name.
+1.7.0-dev,true,process,process.parent.title,wildcard,extended,,,Process title.
+1.7.0-dev,true,process,process.parent.title.text,text,extended,,,Process title.
+1.7.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up.
+1.7.0-dev,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process.
+1.7.0-dev,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process.
+1.7.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.7.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.7.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.7.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.7.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.7.0-dev,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.7.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.7.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
+1.7.0-dev,true,process,process.pid,long,core,,4242,Process id.
+1.7.0-dev,true,process,process.ppid,long,extended,,4241,Parent process' pid.
+1.7.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
+1.7.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID.
+1.7.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name.
+1.7.0-dev,true,process,process.title,wildcard,extended,,,Process title.
+1.7.0-dev,true,process,process.title.text,text,extended,,,Process title.
+1.7.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up.
+1.7.0-dev,true,process,process.working_directory,wildcard,extended,,/home/alice,The working directory of the process.
+1.7.0-dev,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process.
+1.7.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
+1.7.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
+1.7.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
+1.7.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
+1.7.0-dev,true,registry,registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
+1.7.0-dev,true,registry,registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
+1.7.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written.
+1.7.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event.
+1.7.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event.
+1.7.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event.
+1.7.0-dev,true,related,related.user,keyword,extended,array,,All the user names seen on your event.
+1.7.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author
+1.7.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category
+1.7.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description
+1.7.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID
+1.7.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license
+1.7.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name
+1.7.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL
+1.7.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset
+1.7.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID
+1.7.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version
+1.7.0-dev,true,server,server.address,keyword,extended,,,Server network address.
+1.7.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.7.0-dev,true,server,server.as.organization.name,wildcard,extended,,Google LLC,Organization name.
+1.7.0-dev,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.7.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client.
+1.7.0-dev,true,server,server.domain,wildcard,core,,,Server domain.
+1.7.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name.
+1.7.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.7.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.7.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name.
+1.7.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.7.0-dev,true,server,server.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.7.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.7.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name.
+1.7.0-dev,true,server,server.ip,ip,core,,,IP address of the server.
+1.7.0-dev,true,server,server.mac,keyword,core,,,MAC address of the server.
+1.7.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip
+1.7.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port
+1.7.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client.
+1.7.0-dev,true,server,server.port,long,core,,,Port of the server.
+1.7.0-dev,true,server,server.registered_domain,wildcard,extended,,example.com,"The highest registered server domain, stripped of the subdomain."
+1.7.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.7.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.7.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.7.0-dev,true,server,server.user.email,wildcard,extended,,,User email address.
+1.7.0-dev,true,server,server.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.7.0-dev,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.7.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.7.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.7.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group.
+1.7.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.7.0-dev,true,server,server.user.id,keyword,core,,,Unique identifier of the user.
+1.7.0-dev,true,server,server.user.name,wildcard,core,,albert,Short name or login of the user.
+1.7.0-dev,true,server,server.user.name.text,text,core,,albert,Short name or login of the user.
+1.7.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.7.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
+1.7.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
+1.7.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service.
+1.7.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node.
+1.7.0-dev,true,service,service.state,keyword,core,,,Current state of the service.
+1.7.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service.
+1.7.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service.
+1.7.0-dev,true,source,source.address,keyword,extended,,,Source network address.
+1.7.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.7.0-dev,true,source,source.as.organization.name,wildcard,extended,,Google LLC,Organization name.
+1.7.0-dev,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.7.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination.
+1.7.0-dev,true,source,source.domain,wildcard,core,,,Source domain.
+1.7.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name.
+1.7.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.7.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.7.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name.
+1.7.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.7.0-dev,true,source,source.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.7.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.7.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name.
+1.7.0-dev,true,source,source.ip,ip,core,,,IP address of the source.
+1.7.0-dev,true,source,source.mac,keyword,core,,,MAC address of the source.
+1.7.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip
+1.7.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port
+1.7.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination.
+1.7.0-dev,true,source,source.port,long,core,,,Port of the source.
+1.7.0-dev,true,source,source.registered_domain,wildcard,extended,,example.com,"The highest registered source domain, stripped of the subdomain."
+1.7.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.7.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.7.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.7.0-dev,true,source,source.user.email,wildcard,extended,,,User email address.
+1.7.0-dev,true,source,source.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.7.0-dev,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.7.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.7.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.7.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group.
+1.7.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.7.0-dev,true,source,source.user.id,keyword,core,,,Unique identifier of the user.
+1.7.0-dev,true,source,source.user.name,wildcard,core,,albert,Short name or login of the user.
+1.7.0-dev,true,source,source.user.name.text,text,core,,albert,Short name or login of the user.
+1.7.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.7.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace.
+1.7.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework.
+1.7.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id.
+1.7.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic.
+1.7.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference.
+1.7.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id.
+1.7.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name.
+1.7.0-dev,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name.
+1.7.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference.
+1.7.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id.
+1.7.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name.
+1.7.0-dev,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name.
+1.7.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference.
+1.7.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection.
+1.7.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client.
+1.7.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client.
+1.7.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client.
+1.7.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client.
+1.7.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client.
+1.7.0-dev,true,tls,tls.client.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
+1.7.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake.
+1.7.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid.
+1.7.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid.
+1.7.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI.
+1.7.0-dev,true,tls,tls.client.subject,wildcard,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client.
+1.7.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello.
+1.7.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+1.7.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+1.7.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+1.7.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.7.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+1.7.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+1.7.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+1.7.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.7.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+1.7.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+1.7.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+1.7.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+1.7.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+1.7.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+1.7.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+1.7.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+1.7.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+1.7.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code
+1.7.0-dev,true,tls,tls.client.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.7.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+1.7.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+1.7.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+1.7.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.7.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format.
+1.7.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable."
+1.7.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
+1.7.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled.
+1.7.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
+1.7.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server.
+1.7.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server.
+1.7.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server.
+1.7.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server.
+1.7.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server.
+1.7.0-dev,true,tls,tls.server.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server.
+1.7.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake.
+1.7.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid.
+1.7.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid.
+1.7.0-dev,true,tls,tls.server.subject,wildcard,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server.
+1.7.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+1.7.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+1.7.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+1.7.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.7.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+1.7.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+1.7.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+1.7.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.7.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+1.7.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+1.7.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+1.7.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+1.7.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+1.7.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+1.7.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+1.7.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+1.7.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+1.7.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code
+1.7.0-dev,true,tls,tls.server.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.7.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+1.7.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+1.7.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+1.7.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.7.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format.
+1.7.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string.
+1.7.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string.
+1.7.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace.
+1.7.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace.
+1.7.0-dev,true,url,url.domain,wildcard,extended,,www.elastic.co,Domain of the url.
+1.7.0-dev,true,url,url.extension,keyword,extended,,png,File extension from the original request url.
+1.7.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`.
+1.7.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+1.7.0-dev,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+1.7.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+1.7.0-dev,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+1.7.0-dev,true,url,url.password,keyword,extended,,,Password of the request.
+1.7.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
+1.7.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443."
+1.7.0-dev,true,url,url.query,keyword,extended,,,Query string of the request.
+1.7.0-dev,true,url,url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
+1.7.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url.
+1.7.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.7.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.7.0-dev,true,url,url.username,keyword,extended,,,Username of the request.
+1.7.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.7.0-dev,true,user,user.changes.email,wildcard,extended,,,User email address.
+1.7.0-dev,true,user,user.changes.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.7.0-dev,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.7.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.7.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.7.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group.
+1.7.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.7.0-dev,true,user,user.changes.id,keyword,core,,,Unique identifier of the user.
+1.7.0-dev,true,user,user.changes.name,wildcard,core,,albert,Short name or login of the user.
+1.7.0-dev,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user.
+1.7.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.7.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.7.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.7.0-dev,true,user,user.effective.email,wildcard,extended,,,User email address.
+1.7.0-dev,true,user,user.effective.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.7.0-dev,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.7.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.7.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.7.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group.
+1.7.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.7.0-dev,true,user,user.effective.id,keyword,core,,,Unique identifier of the user.
+1.7.0-dev,true,user,user.effective.name,wildcard,core,,albert,Short name or login of the user.
+1.7.0-dev,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user.
+1.7.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.7.0-dev,true,user,user.email,wildcard,extended,,,User email address.
+1.7.0-dev,true,user,user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.7.0-dev,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.7.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.7.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.7.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group.
+1.7.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.7.0-dev,true,user,user.id,keyword,core,,,Unique identifier of the user.
+1.7.0-dev,true,user,user.name,wildcard,core,,albert,Short name or login of the user.
+1.7.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user.
+1.7.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.7.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.7.0-dev,true,user,user.target.email,wildcard,extended,,,User email address.
+1.7.0-dev,true,user,user.target.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.7.0-dev,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.7.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.7.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.7.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group.
+1.7.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.7.0-dev,true,user,user.target.id,keyword,core,,,Unique identifier of the user.
+1.7.0-dev,true,user,user.target.name,wildcard,core,,albert,Short name or login of the user.
+1.7.0-dev,true,user,user.target.name.text,text,core,,albert,Short name or login of the user.
+1.7.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.7.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device.
+1.7.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
+1.7.0-dev,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
+1.7.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
+1.7.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+1.7.0-dev,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.7.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.7.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+1.7.0-dev,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
+1.7.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
+1.7.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+1.7.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+1.7.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent.
+1.7.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability.
+1.7.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability.
+1.7.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
+1.7.0-dev,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
+1.7.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability.
+1.7.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability.
+1.7.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability.
+1.7.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number.
+1.7.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor.
+1.7.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score.
+1.7.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score.
+1.7.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score.
+1.7.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version.
+1.7.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability.
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
new file mode 100644
index 0000000000..5f27925261
--- /dev/null
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -0,0 +1,8956 @@
+'@timestamp':
+  dashed_name: -timestamp
+  description: 'Date/time when the event originated.
+
+    This is the date/time extracted from the event, typically representing when the
+    event was generated by the source.
+
+    If the event source has no original timestamp, this value is typically populated
+    by the first time the event was received by the pipeline.
+
+    Required field for all events.'
+  example: '2016-05-23T08:05:34.853Z'
+  flat_name: '@timestamp'
+  level: core
+  name: '@timestamp'
+  normalize: []
+  required: true
+  short: Date/time when the event originated.
+  type: date
+agent.build.original:
+  dashed_name: agent-build-original
+  description: 'Extended build information for the agent.
+
+    This field is intended to contain any build information that a data source may
+    provide, no specific formatting is required.'
+  example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c
+    built 2020-02-05 23:10:10 +0000 UTC]
+  flat_name: agent.build.original
+  level: core
+  name: build.original
+  normalize: []
+  short: Extended build information for the agent.
+  type: wildcard
+agent.ephemeral_id:
+  dashed_name: agent-ephemeral-id
+  description: 'Ephemeral identifier of this agent (if one exists).
+
+    This id normally changes across restarts, but `agent.id` does not.'
+  example: 8a4f500f
+  flat_name: agent.ephemeral_id
+  ignore_above: 1024
+  level: extended
+  name: ephemeral_id
+  normalize: []
+  short: Ephemeral identifier of this agent.
+  type: keyword
+agent.id:
+  dashed_name: agent-id
+  description: 'Unique identifier of this agent (if one exists).
+
+    Example: For Beats this would be beat.id.'
+  example: 8a4f500d
+  flat_name: agent.id
+  ignore_above: 1024
+  level: core
+  name: id
+  normalize: []
+  short: Unique identifier of this agent.
+  type: keyword
+agent.name:
+  dashed_name: agent-name
+  description: 'Custom name of the agent.
+
+    This is a name that can be given to an agent. This can be helpful if for example
+    two Filebeat instances are running on the same host but a human readable separation
+    is needed on which Filebeat instance data is coming from.
+
+    If no name is given, the name is often left empty.'
+  example: foo
+  flat_name: agent.name
+  ignore_above: 1024
+  level: core
+  name: name
+  normalize: []
+  short: Custom name of the agent.
+  type: keyword
+agent.type:
+  dashed_name: agent-type
+  description: 'Type of the agent.
+
+    The agent type always stays the same and should be given by the agent used. In
+    case of Filebeat the agent would always be Filebeat also if two Filebeat instances
+    are run on the same machine.'
+  example: filebeat
+  flat_name: agent.type
+  ignore_above: 1024
+  level: core
+  name: type
+  normalize: []
+  short: Type of the agent.
+  type: keyword
+agent.version:
+  dashed_name: agent-version
+  description: Version of the agent.
+  example: 6.0.0-rc2
+  flat_name: agent.version
+  ignore_above: 1024
+  level: core
+  name: version
+  normalize: []
+  short: Version of the agent.
+  type: keyword
+client.address:
+  dashed_name: client-address
+  description: 'Some event client addresses are defined ambiguously. The event will
+    sometimes list an IP, a domain or a unix socket.  You should always store the
+    raw address in the `.address` field.
+
+    Then it should be duplicated to `.ip` or `.domain`, depending on which one it
+    is.'
+  flat_name: client.address
+  ignore_above: 1024
+  level: extended
+  name: address
+  normalize: []
+  short: Client network address.
+  type: keyword
+client.as.number:
+  dashed_name: client-as-number
+  description: Unique number allocated to the autonomous system. The autonomous system
+    number (ASN) uniquely identifies each network on the Internet.
+  example: 15169
+  flat_name: client.as.number
+  level: extended
+  name: number
+  normalize: []
+  original_fieldset: as
+  short: Unique number allocated to the autonomous system.
+  type: long
+client.as.organization.name:
+  dashed_name: client-as-organization-name
+  description: Organization name.
+  example: Google LLC
+  flat_name: client.as.organization.name
+  level: extended
+  multi_fields:
+  - flat_name: client.as.organization.name.text
+    name: text
+    norms: false
+    type: text
+  name: organization.name
+  normalize: []
+  original_fieldset: as
+  short: Organization name.
+  type: wildcard
+client.bytes:
+  dashed_name: client-bytes
+  description: Bytes sent from the client to the server.
+  example: 184
+  flat_name: client.bytes
+  format: bytes
+  level: core
+  name: bytes
+  normalize: []
+  short: Bytes sent from the client to the server.
+  type: long
+client.domain:
+  dashed_name: client-domain
+  description: Client domain.
+  flat_name: client.domain
+  level: core
+  name: domain
+  normalize: []
+  short: Client domain.
+  type: wildcard
+client.geo.city_name:
+  dashed_name: client-geo-city-name
+  description: City name.
+  example: Montreal
+  flat_name: client.geo.city_name
+  ignore_above: 1024
+  level: core
+  name: city_name
+  normalize: []
+  original_fieldset: geo
+  short: City name.
+  type: keyword
+client.geo.continent_name:
+  dashed_name: client-geo-continent-name
+  description: Name of the continent.
+  example: North America
+  flat_name: client.geo.continent_name
+  ignore_above: 1024
+  level: core
+  name: continent_name
+  normalize: []
+  original_fieldset: geo
+  short: Name of the continent.
+  type: keyword
+client.geo.country_iso_code:
+  dashed_name: client-geo-country-iso-code
+  description: Country ISO code.
+  example: CA
+  flat_name: client.geo.country_iso_code
+  ignore_above: 1024
+  level: core
+  name: country_iso_code
+  normalize: []
+  original_fieldset: geo
+  short: Country ISO code.
+  type: keyword
+client.geo.country_name:
+  dashed_name: client-geo-country-name
+  description: Country name.
+  example: Canada
+  flat_name: client.geo.country_name
+  ignore_above: 1024
+  level: core
+  name: country_name
+  normalize: []
+  original_fieldset: geo
+  short: Country name.
+  type: keyword
+client.geo.location:
+  dashed_name: client-geo-location
+  description: Longitude and latitude.
+  example: '{ "lon": -73.614830, "lat": 45.505918 }'
+  flat_name: client.geo.location
+  level: core
+  name: location
+  normalize: []
+  original_fieldset: geo
+  short: Longitude and latitude.
+  type: geo_point
+client.geo.name:
+  dashed_name: client-geo-name
+  description: 'User-defined description of a location, at the level of granularity
+    they care about.
+
+    Could be the name of their data centers, the floor number, if this describes a
+    local physical entity, city names.
+
+    Not typically used in automated geolocation.'
+  example: boston-dc
+  flat_name: client.geo.name
+  level: extended
+  name: name
+  normalize: []
+  original_fieldset: geo
+  short: User-defined description of a location.
+  type: wildcard
+client.geo.region_iso_code:
+  dashed_name: client-geo-region-iso-code
+  description: Region ISO code.
+  example: CA-QC
+  flat_name: client.geo.region_iso_code
+  ignore_above: 1024
+  level: core
+  name: region_iso_code
+  normalize: []
+  original_fieldset: geo
+  short: Region ISO code.
+  type: keyword
+client.geo.region_name:
+  dashed_name: client-geo-region-name
+  description: Region name.
+  example: Quebec
+  flat_name: client.geo.region_name
+  ignore_above: 1024
+  level: core
+  name: region_name
+  normalize: []
+  original_fieldset: geo
+  short: Region name.
+  type: keyword
+client.ip:
+  dashed_name: client-ip
+  description: IP address of the client (IPv4 or IPv6).
+  flat_name: client.ip
+  level: core
+  name: ip
+  normalize: []
+  short: IP address of the client.
+  type: ip
+client.mac:
+  dashed_name: client-mac
+  description: MAC address of the client.
+  flat_name: client.mac
+  ignore_above: 1024
+  level: core
+  name: mac
+  normalize: []
+  short: MAC address of the client.
+  type: keyword
+client.nat.ip:
+  dashed_name: client-nat-ip
+  description: 'Translated IP of source based NAT sessions (e.g. internal client to
+    internet).
+
+    Typically connections traversing load balancers, firewalls, or routers.'
+  flat_name: client.nat.ip
+  level: extended
+  name: nat.ip
+  normalize: []
+  short: Client NAT ip address
+  type: ip
+client.nat.port:
+  dashed_name: client-nat-port
+  description: 'Translated port of source based NAT sessions (e.g. internal client
+    to internet).
+
+    Typically connections traversing load balancers, firewalls, or routers.'
+  flat_name: client.nat.port
+  format: string
+  level: extended
+  name: nat.port
+  normalize: []
+  short: Client NAT port
+  type: long
+client.packets:
+  dashed_name: client-packets
+  description: Packets sent from the client to the server.
+  example: 12
+  flat_name: client.packets
+  level: core
+  name: packets
+  normalize: []
+  short: Packets sent from the client to the server.
+  type: long
+client.port:
+  dashed_name: client-port
+  description: Port of the client.
+  flat_name: client.port
+  format: string
+  level: core
+  name: port
+  normalize: []
+  short: Port of the client.
+  type: long
+client.registered_domain:
+  dashed_name: client-registered-domain
+  description: 'The highest registered client domain, stripped of the subdomain.
+
+    For example, the registered domain for "foo.example.com" is "example.com".
+
+    This value can be determined precisely with a list like the public suffix list
+    (http://publicsuffix.org). Trying to approximate this by simply taking the last
+    two labels will not work well for TLDs such as "co.uk".'
+  example: example.com
+  flat_name: client.registered_domain
+  level: extended
+  name: registered_domain
+  normalize: []
+  short: The highest registered client domain, stripped of the subdomain.
+  type: wildcard
+client.subdomain:
+  dashed_name: client-subdomain
+  description: 'The subdomain portion of a fully qualified domain name includes all
+    of the names except the host name under the registered_domain.  In a partially
+    qualified domain, or if the the qualification level of the full name cannot be
+    determined, subdomain contains all of the names below the registered domain.
+
+    For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the
+    domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the
+    subdomain field should contain "sub2.sub1", with no trailing period.'
+  example: east
+  flat_name: client.subdomain
+  ignore_above: 1024
+  level: extended
+  name: subdomain
+  normalize: []
+  short: The subdomain of the domain.
+  type: keyword
+client.top_level_domain:
+  dashed_name: client-top-level-domain
+  description: 'The effective top level domain (eTLD), also known as the domain suffix,
+    is the last part of the domain name. For example, the top level domain for example.com
+    is "com".
+
+    This value can be determined precisely with a list like the public suffix list
+    (http://publicsuffix.org). Trying to approximate this by simply taking the last
+    label will not work well for effective TLDs such as "co.uk".'
+  example: co.uk
+  flat_name: client.top_level_domain
+  ignore_above: 1024
+  level: extended
+  name: top_level_domain
+  normalize: []
+  short: The effective top level domain (com, org, net, co.uk).
+  type: keyword
+client.user.domain:
+  dashed_name: client-user-domain
+  description: 'Name of the directory the user is a member of.
+
+    For example, an LDAP or Active Directory domain name.'
+  flat_name: client.user.domain
+  ignore_above: 1024
+  level: extended
+  name: domain
+  normalize: []
+  original_fieldset: user
+  short: Name of the directory the user is a member of.
+  type: keyword
+client.user.email:
+  dashed_name: client-user-email
+  description: User email address.
+  flat_name: client.user.email
+  level: extended
+  name: email
+  normalize: []
+  original_fieldset: user
+  short: User email address.
+  type: wildcard
+client.user.full_name:
+  dashed_name: client-user-full-name
+  description: User's full name, if available.
+  example: Albert Einstein
+  flat_name: client.user.full_name
+  level: extended
+  multi_fields:
+  - flat_name: client.user.full_name.text
+    name: text
+    norms: false
+    type: text
+  name: full_name
+  normalize: []
+  original_fieldset: user
+  short: User's full name, if available.
+  type: wildcard
+client.user.group.domain:
+  dashed_name: client-user-group-domain
+  description: 'Name of the directory the group is a member of.
+
+    For example, an LDAP or Active Directory domain name.'
+  flat_name: client.user.group.domain
+  ignore_above: 1024
+  level: extended
+  name: domain
+  normalize: []
+  original_fieldset: group
+  short: Name of the directory the group is a member of.
+  type: keyword
+client.user.group.id:
+  dashed_name: client-user-group-id
+  description: Unique identifier for the group on the system/platform.
+  flat_name: client.user.group.id
+  ignore_above: 1024
+  level: extended
+  name: id
+  normalize: []
+  original_fieldset: group
+  short: Unique identifier for the group on the system/platform.
+  type: keyword
+client.user.group.name:
+  dashed_name: client-user-group-name
+  description: Name of the group.
+  flat_name: client.user.group.name
+  ignore_above: 1024
+  level: extended
+  name: name
+  normalize: []
+  original_fieldset: group
+  short: Name of the group.
+  type: keyword
+client.user.hash:
+  dashed_name: client-user-hash
+  description: 'Unique user hash to correlate information for a user in anonymized
+    form.
+
+    Useful if `user.id` or `user.name` contain confidential information and cannot
+    be used.'
+  flat_name: client.user.hash
+  ignore_above: 1024
+  level: extended
+  name: hash
+  normalize: []
+  original_fieldset: user
+  short: Unique user hash to correlate information for a user in anonymized form.
+  type: keyword
+client.user.id:
+  dashed_name: client-user-id
+  description: Unique identifier of the user.
+  flat_name: client.user.id
+  ignore_above: 1024
+  level: core
+  name: id
+  normalize: []
+  original_fieldset: user
+  short: Unique identifier of the user.
+  type: keyword
+client.user.name:
+  dashed_name: client-user-name
+  description: Short name or login of the user.
+  example: albert
+  flat_name: client.user.name
+  level: core
+  multi_fields:
+  - flat_name: client.user.name.text
+    name: text
+    norms: false
+    type: text
+  name: name
+  normalize: []
+  original_fieldset: user
+  short: Short name or login of the user.
+  type: wildcard
+client.user.roles:
+  dashed_name: client-user-roles
+  description: Array of user roles at the time of the event.
+  example: '["kibana_admin", "reporting_user"]'
+  flat_name: client.user.roles
+  ignore_above: 1024
+  level: extended
+  name: roles
+  normalize:
+  - array
+  original_fieldset: user
+  short: Array of user roles at the time of the event.
+  type: keyword
+cloud.account.id:
+  dashed_name: cloud-account-id
+  description: 'The cloud account or organization id used to identify different entities
+    in a multi-tenant environment.
+
+    Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+  example: 666777888999
+  flat_name: cloud.account.id
+  ignore_above: 1024
+  level: extended
+  name: account.id
+  normalize: []
+  short: The cloud account or organization id.
+  type: keyword
+cloud.account.name:
+  dashed_name: cloud-account-name
+  description: 'The cloud account name or alias used to identify different entities
+    in a multi-tenant environment.
+
+    Examples: AWS account name, Google Cloud ORG display name.'
+  example: elastic-dev
+  flat_name: cloud.account.name
+  ignore_above: 1024
+  level: extended
+  name: account.name
+  normalize: []
+  short: The cloud account name.
+  type: keyword
+cloud.availability_zone:
+  dashed_name: cloud-availability-zone
+  description: Availability zone in which this host is running.
+  example: us-east-1c
+  flat_name: cloud.availability_zone
+  ignore_above: 1024
+  level: extended
+  name: availability_zone
+  normalize: []
+  short: Availability zone in which this host is running.
+  type: keyword
+cloud.instance.id:
+  dashed_name: cloud-instance-id
+  description: Instance ID of the host machine.
+  example: i-1234567890abcdef0
+  flat_name: cloud.instance.id
+  ignore_above: 1024
+  level: extended
+  name: instance.id
+  normalize: []
+  short: Instance ID of the host machine.
+  type: keyword
+cloud.instance.name:
+  dashed_name: cloud-instance-name
+  description: Instance name of the host machine.
+  flat_name: cloud.instance.name
+  ignore_above: 1024
+  level: extended
+  name: instance.name
+  normalize: []
+  short: Instance name of the host machine.
+  type: keyword
+cloud.machine.type:
+  dashed_name: cloud-machine-type
+  description: Machine type of the host machine.
+  example: t2.medium
+  flat_name: cloud.machine.type
+  ignore_above: 1024
+  level: extended
+  name: machine.type
+  normalize: []
+  short: Machine type of the host machine.
+  type: keyword
+cloud.project.id:
+  dashed_name: cloud-project-id
+  description: 'The cloud project identifier.
+
+    Examples: Google Cloud Project id, Azure Project id.'
+  example: my-project
+  flat_name: cloud.project.id
+  ignore_above: 1024
+  level: extended
+  name: project.id
+  normalize: []
+  short: The cloud project id.
+  type: keyword
+cloud.project.name:
+  dashed_name: cloud-project-name
+  description: 'The cloud project name.
+
+    Examples: Google Cloud Project name, Azure Project name.'
+  example: my project
+  flat_name: cloud.project.name
+  ignore_above: 1024
+  level: extended
+  name: project.name
+  normalize: []
+  short: The cloud project name.
+  type: keyword
+cloud.provider:
+  dashed_name: cloud-provider
+  description: Name of the cloud provider. Example values are aws, azure, gcp, or
+    digitalocean.
+  example: aws
+  flat_name: cloud.provider
+  ignore_above: 1024
+  level: extended
+  name: provider
+  normalize: []
+  short: Name of the cloud provider.
+  type: keyword
+cloud.region:
+  dashed_name: cloud-region
+  description: Region in which this host is running.
+  example: us-east-1
+  flat_name: cloud.region
+  ignore_above: 1024
+  level: extended
+  name: region
+  normalize: []
+  short: Region in which this host is running.
+  type: keyword
+container.id:
+  dashed_name: container-id
+  description: Unique container id.
+  flat_name: container.id
+  ignore_above: 1024
+  level: core
+  name: id
+  normalize: []
+  short: Unique container id.
+  type: keyword
+container.image.name:
+  dashed_name: container-image-name
+  description: Name of the image the container was built on.
+  flat_name: container.image.name
+  ignore_above: 1024
+  level: extended
+  name: image.name
+  normalize: []
+  short: Name of the image the container was built on.
+  type: keyword
+container.image.tag:
+  dashed_name: container-image-tag
+  description: Container image tags.
+  flat_name: container.image.tag
+  ignore_above: 1024
+  level: extended
+  name: image.tag
+  normalize:
+  - array
+  short: Container image tags.
+  type: keyword
+container.labels:
+  dashed_name: container-labels
+  description: Image labels.
+  flat_name: container.labels
+  level: extended
+  name: labels
+  normalize: []
+  object_type: keyword
+  short: Image labels.
+  type: object
+container.name:
+  dashed_name: container-name
+  description: Container name.
+  flat_name: container.name
+  ignore_above: 1024
+  level: extended
+  name: name
+  normalize: []
+  short: Container name.
+  type: keyword
+container.runtime:
+  dashed_name: container-runtime
+  description: Runtime managing this container.
+  example: docker
+  flat_name: container.runtime
+  ignore_above: 1024
+  level: extended
+  name: runtime
+  normalize: []
+  short: Runtime managing this container.
+  type: keyword
+destination.address:
+  dashed_name: destination-address
+  description: 'Some event destination addresses are defined ambiguously. The event
+    will sometimes list an IP, a domain or a unix socket.  You should always store
+    the raw address in the `.address` field.
+
+    Then it should be duplicated to `.ip` or `.domain`, depending on which one it
+    is.'
+  flat_name: destination.address
+  ignore_above: 1024
+  level: extended
+  name: address
+  normalize: []
+  short: Destination network address.
+  type: keyword
+destination.as.number:
+  dashed_name: destination-as-number
+  description: Unique number allocated to the autonomous system. The autonomous system
+    number (ASN) uniquely identifies each network on the Internet.
+  example: 15169
+  flat_name: destination.as.number
+  level: extended
+  name: number
+  normalize: []
+  original_fieldset: as
+  short: Unique number allocated to the autonomous system.
+  type: long
+destination.as.organization.name:
+  dashed_name: destination-as-organization-name
+  description: Organization name.
+  example: Google LLC
+  flat_name: destination.as.organization.name
+  level: extended
+  multi_fields:
+  - flat_name: destination.as.organization.name.text
+    name: text
+    norms: false
+    type: text
+  name: organization.name
+  normalize: []
+  original_fieldset: as
+  short: Organization name.
+  type: wildcard
+destination.bytes:
+  dashed_name: destination-bytes
+  description: Bytes sent from the destination to the source.
+  example: 184
+  flat_name: destination.bytes
+  format: bytes
+  level: core
+  name: bytes
+  normalize: []
+  short: Bytes sent from the destination to the source.
+  type: long
+destination.domain:
+  dashed_name: destination-domain
+  description: Destination domain.
+  flat_name: destination.domain
+  level: core
+  name: domain
+  normalize: []
+  short: Destination domain.
+  type: wildcard
+destination.geo.city_name:
+  dashed_name: destination-geo-city-name
+  description: City name.
+  example: Montreal
+  flat_name: destination.geo.city_name
+  ignore_above: 1024
+  level: core
+  name: city_name
+  normalize: []
+  original_fieldset: geo
+  short: City name.
+  type: keyword
+destination.geo.continent_name:
+  dashed_name: destination-geo-continent-name
+  description: Name of the continent.
+  example: North America
+  flat_name: destination.geo.continent_name
+  ignore_above: 1024
+  level: core
+  name: continent_name
+  normalize: []
+  original_fieldset: geo
+  short: Name of the continent.
+  type: keyword
+destination.geo.country_iso_code:
+  dashed_name: destination-geo-country-iso-code
+  description: Country ISO code.
+  example: CA
+  flat_name: destination.geo.country_iso_code
+  ignore_above: 1024
+  level: core
+  name: country_iso_code
+  normalize: []
+  original_fieldset: geo
+  short: Country ISO code.
+  type: keyword
+destination.geo.country_name:
+  dashed_name: destination-geo-country-name
+  description: Country name.
+  example: Canada
+  flat_name: destination.geo.country_name
+  ignore_above: 1024
+  level: core
+  name: country_name
+  normalize: []
+  original_fieldset: geo
+  short: Country name.
+  type: keyword
+destination.geo.location:
+  dashed_name: destination-geo-location
+  description: Longitude and latitude.
+  example: '{ "lon": -73.614830, "lat": 45.505918 }'
+  flat_name: destination.geo.location
+  level: core
+  name: location
+  normalize: []
+  original_fieldset: geo
+  short: Longitude and latitude.
+  type: geo_point
+destination.geo.name:
+  dashed_name: destination-geo-name
+  description: 'User-defined description of a location, at the level of granularity
+    they care about.
+
+    Could be the name of their data centers, the floor number, if this describes a
+    local physical entity, city names.
+
+    Not typically used in automated geolocation.'
+  example: boston-dc
+  flat_name: destination.geo.name
+  level: extended
+  name: name
+  normalize: []
+  original_fieldset: geo
+  short: User-defined description of a location.
+  type: wildcard
+destination.geo.region_iso_code:
+  dashed_name: destination-geo-region-iso-code
+  description: Region ISO code.
+  example: CA-QC
+  flat_name: destination.geo.region_iso_code
+  ignore_above: 1024
+  level: core
+  name: region_iso_code
+  normalize: []
+  original_fieldset: geo
+  short: Region ISO code.
+  type: keyword
+destination.geo.region_name:
+  dashed_name: destination-geo-region-name
+  description: Region name.
+  example: Quebec
+  flat_name: destination.geo.region_name
+  ignore_above: 1024
+  level: core
+  name: region_name
+  normalize: []
+  original_fieldset: geo
+  short: Region name.
+  type: keyword
+destination.ip:
+  dashed_name: destination-ip
+  description: IP address of the destination (IPv4 or IPv6).
+  flat_name: destination.ip
+  level: core
+  name: ip
+  normalize: []
+  short: IP address of the destination.
+  type: ip
+destination.mac:
+  dashed_name: destination-mac
+  description: MAC address of the destination.
+  flat_name: destination.mac
+  ignore_above: 1024
+  level: core
+  name: mac
+  normalize: []
+  short: MAC address of the destination.
+  type: keyword
+destination.nat.ip:
+  dashed_name: destination-nat-ip
+  description: 'Translated ip of destination based NAT sessions (e.g. internet to
+    private DMZ)
+
+    Typically used with load balancers, firewalls, or routers.'
+  flat_name: destination.nat.ip
+  level: extended
+  name: nat.ip
+  normalize: []
+  short: Destination NAT ip
+  type: ip
+destination.nat.port:
+  dashed_name: destination-nat-port
+  description: 'Port the source session is translated to by NAT Device.
+
+    Typically used with load balancers, firewalls, or routers.'
+  flat_name: destination.nat.port
+  format: string
+  level: extended
+  name: nat.port
+  normalize: []
+  short: Destination NAT Port
+  type: long
+destination.packets:
+  dashed_name: destination-packets
+  description: Packets sent from the destination to the source.
+  example: 12
+  flat_name: destination.packets
+  level: core
+  name: packets
+  normalize: []
+  short: Packets sent from the destination to the source.
+  type: long
+destination.port:
+  dashed_name: destination-port
+  description: Port of the destination.
+  flat_name: destination.port
+  format: string
+  level: core
+  name: port
+  normalize: []
+  short: Port of the destination.
+  type: long
+destination.registered_domain:
+  dashed_name: destination-registered-domain
+  description: 'The highest registered destination domain, stripped of the subdomain.
+
+    For example, the registered domain for "foo.example.com" is "example.com".
+
+    This value can be determined precisely with a list like the public suffix list
+    (http://publicsuffix.org). Trying to approximate this by simply taking the last
+    two labels will not work well for TLDs such as "co.uk".'
+  example: example.com
+  flat_name: destination.registered_domain
+  level: extended
+  name: registered_domain
+  normalize: []
+  short: The highest registered destination domain, stripped of the subdomain.
+  type: wildcard
+destination.subdomain:
+  dashed_name: destination-subdomain
+  description: 'The subdomain portion of a fully qualified domain name includes all
+    of the names except the host name under the registered_domain.  In a partially
+    qualified domain, or if the the qualification level of the full name cannot be
+    determined, subdomain contains all of the names below the registered domain.
+
+    For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the
+    domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the
+    subdomain field should contain "sub2.sub1", with no trailing period.'
+  example: east
+  flat_name: destination.subdomain
+  ignore_above: 1024
+  level: extended
+  name: subdomain
+  normalize: []
+  short: The subdomain of the domain.
+  type: keyword
+destination.top_level_domain:
+  dashed_name: destination-top-level-domain
+  description: 'The effective top level domain (eTLD), also known as the domain suffix,
+    is the last part of the domain name. For example, the top level domain for example.com
+    is "com".
+
+    This value can be determined precisely with a list like the public suffix list
+    (http://publicsuffix.org). Trying to approximate this by simply taking the last
+    label will not work well for effective TLDs such as "co.uk".'
+  example: co.uk
+  flat_name: destination.top_level_domain
+  ignore_above: 1024
+  level: extended
+  name: top_level_domain
+  normalize: []
+  short: The effective top level domain (com, org, net, co.uk).
+  type: keyword
+destination.user.domain:
+  dashed_name: destination-user-domain
+  description: 'Name of the directory the user is a member of.
+
+    For example, an LDAP or Active Directory domain name.'
+  flat_name: destination.user.domain
+  ignore_above: 1024
+  level: extended
+  name: domain
+  normalize: []
+  original_fieldset: user
+  short: Name of the directory the user is a member of.
+  type: keyword
+destination.user.email:
+  dashed_name: destination-user-email
+  description: User email address.
+  flat_name: destination.user.email
+  level: extended
+  name: email
+  normalize: []
+  original_fieldset: user
+  short: User email address.
+  type: wildcard
+destination.user.full_name:
+  dashed_name: destination-user-full-name
+  description: User's full name, if available.
+  example: Albert Einstein
+  flat_name: destination.user.full_name
+  level: extended
+  multi_fields:
+  - flat_name: destination.user.full_name.text
+    name: text
+    norms: false
+    type: text
+  name: full_name
+  normalize: []
+  original_fieldset: user
+  short: User's full name, if available.
+  type: wildcard
+destination.user.group.domain:
+  dashed_name: destination-user-group-domain
+  description: 'Name of the directory the group is a member of.
+
+    For example, an LDAP or Active Directory domain name.'
+  flat_name: destination.user.group.domain
+  ignore_above: 1024
+  level: extended
+  name: domain
+  normalize: []
+  original_fieldset: group
+  short: Name of the directory the group is a member of.
+  type: keyword
+destination.user.group.id:
+  dashed_name: destination-user-group-id
+  description: Unique identifier for the group on the system/platform.
+  flat_name: destination.user.group.id
+  ignore_above: 1024
+  level: extended
+  name: id
+  normalize: []
+  original_fieldset: group
+  short: Unique identifier for the group on the system/platform.
+  type: keyword
+destination.user.group.name:
+  dashed_name: destination-user-group-name
+  description: Name of the group.
+  flat_name: destination.user.group.name
+  ignore_above: 1024
+  level: extended
+  name: name
+  normalize: []
+  original_fieldset: group
+  short: Name of the group.
+  type: keyword
+destination.user.hash:
+  dashed_name: destination-user-hash
+  description: 'Unique user hash to correlate information for a user in anonymized
+    form.
+
+    Useful if `user.id` or `user.name` contain confidential information and cannot
+    be used.'
+  flat_name: destination.user.hash
+  ignore_above: 1024
+  level: extended
+  name: hash
+  normalize: []
+  original_fieldset: user
+  short: Unique user hash to correlate information for a user in anonymized form.
+  type: keyword
+destination.user.id:
+  dashed_name: destination-user-id
+  description: Unique identifier of the user.
+  flat_name: destination.user.id
+  ignore_above: 1024
+  level: core
+  name: id
+  normalize: []
+  original_fieldset: user
+  short: Unique identifier of the user.
+  type: keyword
+destination.user.name:
+  dashed_name: destination-user-name
+  description: Short name or login of the user.
+  example: albert
+  flat_name: destination.user.name
+  level: core
+  multi_fields:
+  - flat_name: destination.user.name.text
+    name: text
+    norms: false
+    type: text
+  name: name
+  normalize: []
+  original_fieldset: user
+  short: Short name or login of the user.
+  type: wildcard
+destination.user.roles:
+  dashed_name: destination-user-roles
+  description: Array of user roles at the time of the event.
+  example: '["kibana_admin", "reporting_user"]'
+  flat_name: destination.user.roles
+  ignore_above: 1024
+  level: extended
+  name: roles
+  normalize:
+  - array
+  original_fieldset: user
+  short: Array of user roles at the time of the event.
+  type: keyword
+dll.code_signature.exists:
+  dashed_name: dll-code-signature-exists
+  description: Boolean to capture if a signature is present.
+  example: 'true'
+  flat_name: dll.code_signature.exists
+  level: core
+  name: exists
+  normalize: []
+  original_fieldset: code_signature
+  short: Boolean to capture if a signature is present.
+  type: boolean
+dll.code_signature.status:
+  dashed_name: dll-code-signature-status
+  description: 'Additional information about the certificate status.
+
+    This is useful for logging cryptographic errors with the certificate validity
+    or trust status. Leave unpopulated if the validity or trust of the certificate
+    was unchecked.'
+  example: ERROR_UNTRUSTED_ROOT
+  flat_name: dll.code_signature.status
+  ignore_above: 1024
+  level: extended
+  name: status
+  normalize: []
+  original_fieldset: code_signature
+  short: Additional information about the certificate status.
+  type: keyword
+dll.code_signature.subject_name:
+  dashed_name: dll-code-signature-subject-name
+  description: Subject name of the code signer
+  example: Microsoft Corporation
+  flat_name: dll.code_signature.subject_name
+  ignore_above: 1024
+  level: core
+  name: subject_name
+  normalize: []
+  original_fieldset: code_signature
+  short: Subject name of the code signer
+  type: keyword
+dll.code_signature.trusted:
+  dashed_name: dll-code-signature-trusted
+  description: 'Stores the trust status of the certificate chain.
+
+    Validating the trust of the certificate chain may be complicated, and this field
+    should only be populated by tools that actively check the status.'
+  example: 'true'
+  flat_name: dll.code_signature.trusted
+  level: extended
+  name: trusted
+  normalize: []
+  original_fieldset: code_signature
+  short: Stores the trust status of the certificate chain.
+  type: boolean
+dll.code_signature.valid:
+  dashed_name: dll-code-signature-valid
+  description: 'Boolean to capture if the digital signature is verified against the
+    binary content.
+
+    Leave unpopulated if a certificate was unchecked.'
+  example: 'true'
+  flat_name: dll.code_signature.valid
+  level: extended
+  name: valid
+  normalize: []
+  original_fieldset: code_signature
+  short: Boolean to capture if the digital signature is verified against the binary
+    content.
+  type: boolean
+dll.hash.md5:
+  dashed_name: dll-hash-md5
+  description: MD5 hash.
+  flat_name: dll.hash.md5
+  ignore_above: 1024
+  level: extended
+  name: md5
+  normalize: []
+  original_fieldset: hash
+  short: MD5 hash.
+  type: keyword
+dll.hash.sha1:
+  dashed_name: dll-hash-sha1
+  description: SHA1 hash.
+  flat_name: dll.hash.sha1
+  ignore_above: 1024
+  level: extended
+  name: sha1
+  normalize: []
+  original_fieldset: hash
+  short: SHA1 hash.
+  type: keyword
+dll.hash.sha256:
+  dashed_name: dll-hash-sha256
+  description: SHA256 hash.
+  flat_name: dll.hash.sha256
+  ignore_above: 1024
+  level: extended
+  name: sha256
+  normalize: []
+  original_fieldset: hash
+  short: SHA256 hash.
+  type: keyword
+dll.hash.sha512:
+  dashed_name: dll-hash-sha512
+  description: SHA512 hash.
+  flat_name: dll.hash.sha512
+  ignore_above: 1024
+  level: extended
+  name: sha512
+  normalize: []
+  original_fieldset: hash
+  short: SHA512 hash.
+  type: keyword
+dll.name:
+  dashed_name: dll-name
+  description: 'Name of the library.
+
+    This generally maps to the name of the file on disk.'
+  example: kernel32.dll
+  flat_name: dll.name
+  ignore_above: 1024
+  level: core
+  name: name
+  normalize: []
+  short: Name of the library.
+  type: keyword
+dll.path:
+  dashed_name: dll-path
+  description: Full file path of the library.
+  example: C:\Windows\System32\kernel32.dll
+  flat_name: dll.path
+  ignore_above: 1024
+  level: extended
+  name: path
+  normalize: []
+  short: Full file path of the library.
+  type: keyword
+dll.pe.architecture:
+  dashed_name: dll-pe-architecture
+  description: CPU architecture target for the file.
+  example: x64
+  flat_name: dll.pe.architecture
+  ignore_above: 1024
+  level: extended
+  name: architecture
+  normalize: []
+  original_fieldset: pe
+  short: CPU architecture target for the file.
+  type: keyword
+dll.pe.company:
+  dashed_name: dll-pe-company
+  description: Internal company name of the file, provided at compile-time.
+  example: Microsoft Corporation
+  flat_name: dll.pe.company
+  ignore_above: 1024
+  level: extended
+  name: company
+  normalize: []
+  original_fieldset: pe
+  short: Internal company name of the file, provided at compile-time.
+  type: keyword
+dll.pe.description:
+  dashed_name: dll-pe-description
+  description: Internal description of the file, provided at compile-time.
+  example: Paint
+  flat_name: dll.pe.description
+  ignore_above: 1024
+  level: extended
+  name: description
+  normalize: []
+  original_fieldset: pe
+  short: Internal description of the file, provided at compile-time.
+  type: keyword
+dll.pe.file_version:
+  dashed_name: dll-pe-file-version
+  description: Internal version of the file, provided at compile-time.
+  example: 6.3.9600.17415
+  flat_name: dll.pe.file_version
+  ignore_above: 1024
+  level: extended
+  name: file_version
+  normalize: []
+  original_fieldset: pe
+  short: Process name.
+  type: keyword
+dll.pe.imphash:
+  dashed_name: dll-pe-imphash
+  description: 'A hash of the imports in a PE file. An imphash -- or import hash --
+    can be used to fingerprint binaries even after recompilation or other code-level
+    transformations have occurred, which would change more traditional hash values.
+
+    Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+  example: 0c6803c4e922103c4dca5963aad36ddf
+  flat_name: dll.pe.imphash
+  ignore_above: 1024
+  level: extended
+  name: imphash
+  normalize: []
+  original_fieldset: pe
+  short: A hash of the imports in a PE file.
+  type: keyword
+dll.pe.original_file_name:
+  dashed_name: dll-pe-original-file-name
+  description: Internal name of the file, provided at compile-time.
+  example: MSPAINT.EXE
+  flat_name: dll.pe.original_file_name
+  level: extended
+  name: original_file_name
+  normalize: []
+  original_fieldset: pe
+  short: Internal name of the file, provided at compile-time.
+  type: wildcard
+dll.pe.product:
+  dashed_name: dll-pe-product
+  description: Internal product name of the file, provided at compile-time.
+  example: "Microsoft\xAE Windows\xAE Operating System"
+  flat_name: dll.pe.product
+  ignore_above: 1024
+  level: extended
+  name: product
+  normalize: []
+  original_fieldset: pe
+  short: Internal product name of the file, provided at compile-time.
+  type: keyword
+dns.answers.class:
+  dashed_name: dns-answers-class
+  description: The class of DNS data contained in this resource record.
+  example: IN
+  flat_name: dns.answers.class
+  ignore_above: 1024
+  level: extended
+  name: answers.class
+  normalize: []
+  short: The class of DNS data contained in this resource record.
+  type: keyword
+dns.answers.data:
+  dashed_name: dns-answers-data
+  description: 'The data describing the resource.
+
+    The meaning of this data depends on the type and class of the resource record.'
+  example: 10.10.10.10
+  flat_name: dns.answers.data
+  level: extended
+  name: answers.data
+  normalize: []
+  short: The data describing the resource.
+  type: wildcard
+dns.answers.name:
+  dashed_name: dns-answers-name
+  description: 'The domain name to which this resource record pertains.
+
+    If a chain of CNAME is being resolved, each answer''s `name` should be the one
+    that corresponds with the answer''s `data`. It should not simply be the original
+    `question.name` repeated.'
+  example: www.example.com
+  flat_name: dns.answers.name
+  ignore_above: 1024
+  level: extended
+  name: answers.name
+  normalize: []
+  short: The domain name to which this resource record pertains.
+  type: keyword
+dns.answers.ttl:
+  dashed_name: dns-answers-ttl
+  description: The time interval in seconds that this resource record may be cached
+    before it should be discarded. Zero values mean that the data should not be cached.
+  example: 180
+  flat_name: dns.answers.ttl
+  level: extended
+  name: answers.ttl
+  normalize: []
+  short: The time interval in seconds that this resource record may be cached before
+    it should be discarded.
+  type: long
+dns.answers.type:
+  dashed_name: dns-answers-type
+  description: The type of data contained in this resource record.
+  example: CNAME
+  flat_name: dns.answers.type
+  ignore_above: 1024
+  level: extended
+  name: answers.type
+  normalize: []
+  short: The type of data contained in this resource record.
+  type: keyword
+dns.header_flags:
+  dashed_name: dns-header-flags
+  description: 'Array of 2 letter DNS header flags.
+
+    Expected values are: AA, TC, RD, RA, AD, CD, DO.'
+  example: '["RD", "RA"]'
+  flat_name: dns.header_flags
+  ignore_above: 1024
+  level: extended
+  name: header_flags
+  normalize:
+  - array
+  short: Array of DNS header flags.
+  type: keyword
+dns.id:
+  dashed_name: dns-id
+  description: The DNS packet identifier assigned by the program that generated the
+    query. The identifier is copied to the response.
+  example: 62111
+  flat_name: dns.id
+  ignore_above: 1024
+  level: extended
+  name: id
+  normalize: []
+  short: The DNS packet identifier assigned by the program that generated the query.
+    The identifier is copied to the response.
+  type: keyword
+dns.op_code:
+  dashed_name: dns-op-code
+  description: The DNS operation code that specifies the kind of query in the message.
+    This value is set by the originator of a query and copied into the response.
+  example: QUERY
+  flat_name: dns.op_code
+  ignore_above: 1024
+  level: extended
+  name: op_code
+  normalize: []
+  short: The DNS operation code that specifies the kind of query in the message.
+  type: keyword
+dns.question.class:
+  dashed_name: dns-question-class
+  description: The class of records being queried.
+  example: IN
+  flat_name: dns.question.class
+  ignore_above: 1024
+  level: extended
+  name: question.class
+  normalize: []
+  short: The class of records being queried.
+  type: keyword
+dns.question.name:
+  dashed_name: dns-question-name
+  description: 'The name being queried.
+
+    If the name field contains non-printable characters (below 32 or above 126), those
+    characters should be represented as escaped base 10 integers (\DDD). Back slashes
+    and quotes should be escaped. Tabs, carriage returns, and line feeds should be
+    converted to \t, \r, and \n respectively.'
+  example: www.example.com
+  flat_name: dns.question.name
+  level: extended
+  name: question.name
+  normalize: []
+  short: The name being queried.
+  type: wildcard
+dns.question.registered_domain:
+  dashed_name: dns-question-registered-domain
+  description: 'The highest registered domain, stripped of the subdomain.
+
+    For example, the registered domain for "foo.example.com" is "example.com".
+
+    This value can be determined precisely with a list like the public suffix list
+    (http://publicsuffix.org). Trying to approximate this by simply taking the last
+    two labels will not work well for TLDs such as "co.uk".'
+  example: example.com
+  flat_name: dns.question.registered_domain
+  ignore_above: 1024
+  level: extended
+  name: question.registered_domain
+  normalize: []
+  short: The highest registered domain, stripped of the subdomain.
+  type: keyword
+dns.question.subdomain:
+  dashed_name: dns-question-subdomain
+  description: 'The subdomain is all of the labels under the registered_domain.
+
+    If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+    the subdomain field should contain "sub2.sub1", with no trailing period.'
+  example: www
+  flat_name: dns.question.subdomain
+  ignore_above: 1024
+  level: extended
+  name: question.subdomain
+  normalize: []
+  short: The subdomain of the domain.
+  type: keyword
+dns.question.top_level_domain:
+  dashed_name: dns-question-top-level-domain
+  description: 'The effective top level domain (eTLD), also known as the domain suffix,
+    is the last part of the domain name. For example, the top level domain for example.com
+    is "com".
+
+    This value can be determined precisely with a list like the public suffix list
+    (http://publicsuffix.org). Trying to approximate this by simply taking the last
+    label will not work well for effective TLDs such as "co.uk".'
+  example: co.uk
+  flat_name: dns.question.top_level_domain
+  ignore_above: 1024
+  level: extended
+  name: question.top_level_domain
+  normalize: []
+  short: The effective top level domain (com, org, net, co.uk).
+  type: keyword
+dns.question.type:
+  dashed_name: dns-question-type
+  description: The type of record being queried.
+  example: AAAA
+  flat_name: dns.question.type
+  ignore_above: 1024
+  level: extended
+  name: question.type
+  normalize: []
+  short: The type of record being queried.
+  type: keyword
+dns.resolved_ip:
+  dashed_name: dns-resolved-ip
+  description: 'Array containing all IPs seen in `answers.data`.
+
+    The `answers` array can be difficult to use, because of the variety of data formats
+    it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip`
+    makes it possible to index them as IP addresses, and makes them easier to visualize
+    and query for.'
+  example: '["10.10.10.10", "10.10.10.11"]'
+  flat_name: dns.resolved_ip
+  level: extended
+  name: resolved_ip
+  normalize:
+  - array
+  short: Array containing all IPs seen in answers.data
+  type: ip
+dns.response_code:
+  dashed_name: dns-response-code
+  description: The DNS response code.
+  example: NOERROR
+  flat_name: dns.response_code
+  ignore_above: 1024
+  level: extended
+  name: response_code
+  normalize: []
+  short: The DNS response code.
+  type: keyword
+dns.type:
+  dashed_name: dns-type
+  description: 'The type of DNS event captured, query or answer.
+
+    If your source of DNS events only gives you DNS queries, you should only create
+    dns events of type `dns.type:query`.
+
+    If your source of DNS events gives you answers as well, you should create one
+    event per query (optionally as soon as the query is seen). And a second event
+    containing all query details as well as an array of answers.'
+  example: answer
+  flat_name: dns.type
+  ignore_above: 1024
+  level: extended
+  name: type
+  normalize: []
+  short: The type of DNS event captured, query or answer.
+  type: keyword
+ecs.version:
+  dashed_name: ecs-version
+  description: 'ECS version this event conforms to. `ecs.version` is a required field
+    and must exist in all events.
+
+    When querying across multiple indices -- which may conform to slightly different
+    ECS versions -- this field lets integrations adjust to the schema version of the
+    events.'
+  example: 1.0.0
+  flat_name: ecs.version
+  ignore_above: 1024
+  level: core
+  name: version
+  normalize: []
+  required: true
+  short: ECS version this event conforms to.
+  type: keyword
+error.code:
+  dashed_name: error-code
+  description: Error code describing the error.
+  flat_name: error.code
+  ignore_above: 1024
+  level: core
+  name: code
+  normalize: []
+  short: Error code describing the error.
+  type: keyword
+error.id:
+  dashed_name: error-id
+  description: Unique identifier for the error.
+  flat_name: error.id
+  ignore_above: 1024
+  level: core
+  name: id
+  normalize: []
+  short: Unique identifier for the error.
+  type: keyword
+error.message:
+  dashed_name: error-message
+  description: Error message.
+  flat_name: error.message
+  level: core
+  name: message
+  normalize: []
+  norms: false
+  short: Error message.
+  type: text
+error.stack_trace:
+  dashed_name: error-stack-trace
+  description: The stack trace of this error in plain text.
+  flat_name: error.stack_trace
+  index: true
+  level: extended
+  multi_fields:
+  - flat_name: error.stack_trace.text
+    name: text
+    norms: false
+    type: text
+  name: stack_trace
+  normalize: []
+  short: The stack trace of this error in plain text.
+  type: wildcard
+error.type:
+  dashed_name: error-type
+  description: The type of the error, for example the class name of the exception.
+  example: java.lang.NullPointerException
+  flat_name: error.type
+  level: extended
+  name: type
+  normalize: []
+  short: The type of the error, for example the class name of the exception.
+  type: wildcard
+event.action:
+  dashed_name: event-action
+  description: 'The action captured by the event.
+
+    This describes the information in the event. It is more specific than `event.category`.
+    Examples are `group-add`, `process-started`, `file-created`. The value is normally
+    defined by the implementer.'
+  example: user-password-change
+  flat_name: event.action
+  ignore_above: 1024
+  level: core
+  name: action
+  normalize: []
+  short: The action captured by the event.
+  type: keyword
+event.category:
+  allowed_values:
+  - description: Events in this category are related to the challenge and response
+      process in which credentials are supplied and verified to allow the creation
+      of a session. Common sources for these logs are Windows event logs and ssh logs.
+      Visualize and analyze events in this category to look for failed logins, and
+      other authentication-related activity.
+    expected_event_types:
+    - start
+    - end
+    - info
+    name: authentication
+  - description: 'Events in the configuration category have to deal with creating,
+      modifying, or deleting the settings or parameters of an application, process,
+      or system.
+
+      Example sources include security policy change logs, configuration auditing
+      logging, and system integrity monitoring.'
+    expected_event_types:
+    - access
+    - change
+    - creation
+    - deletion
+    - info
+    name: configuration
+  - description: The database category denotes events and metrics relating to a data
+      storage and retrieval system. Note that use of this category is not limited
+      to relational database systems. Examples include event logs from MS SQL, MySQL,
+      Elasticsearch, MongoDB, etc. Use this category to visualize and analyze database
+      activity such as accesses and changes.
+    expected_event_types:
+    - access
+    - change
+    - info
+    - error
+    name: database
+  - description: 'Events in the driver category have to do with operating system device
+      drivers and similar software entities such as Windows drivers, kernel extensions,
+      kernel modules, etc.
+
+      Use events and metrics in this category to visualize and analyze driver-related
+      activity and status on hosts.'
+    expected_event_types:
+    - change
+    - end
+    - info
+    - start
+    name: driver
+  - description: Relating to a set of information that has been created on, or has
+      existed on a filesystem. Use this category of events to visualize and analyze
+      the creation, access, and deletions of files. Events in this category can come
+      from both host-based and network-based sources. An example source of a network-based
+      detection of a file transfer would be the Zeek file.log.
+    expected_event_types:
+    - change
+    - creation
+    - deletion
+    - info
+    name: file
+  - description: 'Use this category to visualize and analyze information such as host
+      inventory or host lifecycle events.
+
+      Most of the events in this category can usually be observed from the outside,
+      such as from a hypervisor or a control plane''s point of view. Some can also
+      be seen from within, such as "start" or "end".
+
+      Note that this category is for information about hosts themselves; it is not
+      meant to capture activity "happening on a host".'
+    expected_event_types:
+    - access
+    - change
+    - end
+    - info
+    - start
+    name: host
+  - description: Identity and access management (IAM) events relating to users, groups,
+      and administration. Use this category to visualize and analyze IAM-related logs
+      and data from active directory, LDAP, Okta, Duo, and other IAM systems.
+    expected_event_types:
+    - admin
+    - change
+    - creation
+    - deletion
+    - group
+    - info
+    - user
+    name: iam
+  - description: Relating to intrusion detections from IDS/IPS systems and functions,
+      both network and host-based. Use this category to visualize and analyze intrusion
+      detection alerts from systems such as Snort, Suricata, and Palo Alto threat
+      detections.
+    expected_event_types:
+    - allowed
+    - denied
+    - info
+    name: intrusion_detection
+  - description: Malware detection events and alerts. Use this category to visualize
+      and analyze malware detections from EDR/EPP systems such as Elastic Endpoint
+      Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS systems
+      such as Suricata, or other sources of malware-related events such as Palo Alto
+      Networks threat logs and Wildfire logs.
+    expected_event_types:
+    - info
+    name: malware
+  - description: Relating to all network activity, including network connection lifecycle,
+      network traffic, and essentially any event that includes an IP address. Many
+      events containing decoded network protocol transactions fit into this category.
+      Use events in this category to visualize or analyze counts of network ports,
+      protocols, addresses, geolocation information, etc.
+    expected_event_types:
+    - access
+    - allowed
+    - connection
+    - denied
+    - end
+    - info
+    - protocol
+    - start
+    name: network
+  - description: Relating to software packages installed on hosts. Use this category
+      to visualize and analyze inventory of software installed on various hosts, or
+      to determine host vulnerability in the absence of vulnerability scan data.
+    expected_event_types:
+    - access
+    - change
+    - deletion
+    - info
+    - installation
+    - start
+    name: package
+  - description: Use this category of events to visualize and analyze process-specific
+      information such as lifecycle events or process ancestry.
+    expected_event_types:
+    - access
+    - change
+    - end
+    - info
+    - start
+    name: process
+  - description: 'Relating to web server access. Use this category to create a dashboard
+      of web server/proxy activity from apache, IIS, nginx web servers, etc. Note:
+      events from network observers such as Zeek http log may also be included in
+      this category.'
+    expected_event_types:
+    - access
+    - error
+    - info
+    name: web
+  dashed_name: event-category
+  description: 'This is one of four ECS Categorization Fields, and indicates the second
+    level in the ECS category hierarchy.
+
+    `event.category` represents the "big buckets" of ECS categories. For example,
+    filtering on `event.category:process` yields all events relating to process activity.
+    This field is closely related to `event.type`, which is used as a subcategory.
+
+    This field is an array. This will allow proper categorization of some events that
+    fall in multiple categories.'
+  example: authentication
+  flat_name: event.category
+  ignore_above: 1024
+  level: core
+  name: category
+  normalize:
+  - array
+  short: Event category. The second categorization field in the hierarchy.
+  type: keyword
+event.code:
+  dashed_name: event-code
+  description: 'Identification code for this event, if one exists.
+
+    Some event sources use event codes to identify messages unambiguously, regardless
+    of message language or wording adjustments over time. An example of this is the
+    Windows Event ID.'
+  example: 4648
+  flat_name: event.code
+  ignore_above: 1024
+  level: extended
+  name: code
+  normalize: []
+  short: Identification code for this event.
+  type: keyword
+event.created:
+  dashed_name: event-created
+  description: 'event.created contains the date/time when the event was first read
+    by an agent, or by your pipeline.
+
+    This field is distinct from @timestamp in that @timestamp typically contain the
+    time extracted from the original event.
+
+    In most situations, these two timestamps will be slightly different. The difference
+    can be used to calculate the delay between your source generating an event, and
+    the time when your agent first processed it. This can be used to monitor your
+    agent''s or pipeline''s ability to keep up with your event source.
+
+    In case the two timestamps are identical, @timestamp should be used.'
+  example: '2016-05-23T08:05:34.857Z'
+  flat_name: event.created
+  level: core
+  name: created
+  normalize: []
+  short: Time when the event was first read by an agent or by your pipeline.
+  type: date
+event.dataset:
+  dashed_name: event-dataset
+  description: 'Name of the dataset.
+
+    If an event source publishes more than one type of log or events (e.g. access
+    log, error log), the dataset is used to specify which one the event comes from.
+
+    It''s recommended but not required to start the dataset name with the module name,
+    followed by a dot, then the dataset name.'
+  example: apache.access
+  flat_name: event.dataset
+  ignore_above: 1024
+  level: core
+  name: dataset
+  normalize: []
+  short: Name of the dataset.
+  type: keyword
+event.duration:
+  dashed_name: event-duration
+  description: 'Duration of the event in nanoseconds.
+
+    If event.start and event.end are known this value should be the difference between
+    the end and start time.'
+  flat_name: event.duration
+  format: duration
+  input_format: nanoseconds
+  level: core
+  name: duration
+  normalize: []
+  output_format: asMilliseconds
+  output_precision: 1
+  short: Duration of the event in nanoseconds.
+  type: long
+event.end:
+  dashed_name: event-end
+  description: event.end contains the date when the event ended or when the activity
+    was last observed.
+  flat_name: event.end
+  level: extended
+  name: end
+  normalize: []
+  short: event.end contains the date when the event ended or when the activity was
+    last observed.
+  type: date
+event.hash:
+  dashed_name: event-hash
+  description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate
+    log integrity.
+  example: 123456789012345678901234567890ABCD
+  flat_name: event.hash
+  ignore_above: 1024
+  level: extended
+  name: hash
+  normalize: []
+  short: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate
+    log integrity.
+  type: keyword
+event.id:
+  dashed_name: event-id
+  description: Unique ID to describe the event.
+  example: 8a4f500d
+  flat_name: event.id
+  ignore_above: 1024
+  level: core
+  name: id
+  normalize: []
+  short: Unique ID to describe the event.
+  type: keyword
+event.ingested:
+  dashed_name: event-ingested
+  description: 'Timestamp when an event arrived in the central data store.
+
+    This is different from `@timestamp`, which is when the event originally occurred.  It''s
+    also different from `event.created`, which is meant to capture the first time
+    an agent saw the event.
+
+    In normal conditions, assuming no tampering, the timestamps should chronologically
+    look like this: `@timestamp` < `event.created` < `event.ingested`.'
+  example: '2016-05-23T08:05:35.101Z'
+  flat_name: event.ingested
+  level: core
+  name: ingested
+  normalize: []
+  short: Timestamp when an event arrived in the central data store.
+  type: date
+event.kind:
+  allowed_values:
+  - description: 'This value indicates an event that describes an alert or notable
+      event, triggered by a detection rule.
+
+      `event.kind:alert` is often populated for events coming from firewalls, intrusion
+      detection systems, endpoint detection and response systems, and so on.'
+    name: alert
+  - description: This value is the most general and most common value for this field.
+      It is used to represent events that indicate that something happened.
+    name: event
+  - description: 'This value is used to indicate that this event describes a numeric
+      measurement taken at given point in time.
+
+      Examples include CPU utilization, memory usage, or device temperature.
+
+      Metric events are often collected on a predictable frequency, such as once every
+      few seconds, or once a minute, but can also be used to describe ad-hoc numeric
+      metric queries.'
+    name: metric
+  - description: 'The state value is similar to metric, indicating that this event
+      describes a measurement taken at given point in time, except that the measurement
+      does not result in a numeric value, but rather one of a fixed set of categorical
+      values that represent conditions or states.
+
+      Examples include periodic events reporting Elasticsearch cluster state (green/yellow/red),
+      the state of a TCP connection (open, closed, fin_wait, etc.), the state of a
+      host with respect to a software vulnerability (vulnerable, not vulnerable),
+      and the state of a system regarding compliance with a regulatory standard (compliant,
+      not compliant).
+
+      Note that an event that describes a change of state would not use `event.kind:state`,
+      but instead would use ''event.kind:event'' since a state change fits the more
+      general event definition of something that happened.
+
+      State events are often collected on a predictable frequency, such as once every
+      few seconds, once a minute, once an hour, or once a day, but can also be used
+      to describe ad-hoc state queries.'
+    name: state
+  - description: This value indicates that an error occurred during the ingestion
+      of this event, and that event data may be missing, inconsistent, or incorrect.
+      `event.kind:pipeline_error` is often associated with parsing errors.
+    name: pipeline_error
+  - description: 'This value is used by the Elastic SIEM app to denote an Elasticsearch
+      document that was created by a SIEM detection engine rule.
+
+      A signal will typically trigger a notification that something meaningful happened
+      and should be investigated.
+
+      Usage of this value is reserved, and pipelines should not populate `event.kind`
+      with the value "signal".'
+    name: signal
+  dashed_name: event-kind
+  description: 'This is one of four ECS Categorization Fields, and indicates the highest
+    level in the ECS category hierarchy.
+
+    `event.kind` gives high-level information about what type of information the event
+    contains, without being specific to the contents of the event. For example, values
+    of this field distinguish alert events from metric events.
+
+    The value of this field can be used to inform how these kinds of events should
+    be handled. They may warrant different retention, different access control, it
+    may also help understand whether the data coming in at a regular interval or not.'
+  example: alert
+  flat_name: event.kind
+  ignore_above: 1024
+  level: core
+  name: kind
+  normalize: []
+  short: The kind of the event. The highest categorization field in the hierarchy.
+  type: keyword
+event.module:
+  dashed_name: event-module
+  description: 'Name of the module this data is coming from.
+
+    If your monitoring agent supports the concept of modules or plugins to process
+    events of a given source (e.g. Apache logs), `event.module` should contain the
+    name of this module.'
+  example: apache
+  flat_name: event.module
+  ignore_above: 1024
+  level: core
+  name: module
+  normalize: []
+  short: Name of the module this data is coming from.
+  type: keyword
+event.original:
+  dashed_name: event-original
+  description: 'Raw text message of entire event. Used to demonstrate log integrity.
+
+    This field is not indexed and doc_values are disabled. It cannot be searched,
+    but it can be retrieved from `_source`.'
+  doc_values: false
+  example: Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124;
+    worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232
+  flat_name: event.original
+  index: false
+  level: core
+  name: original
+  normalize: []
+  short: Raw text message of entire event.
+  type: wildcard
+event.outcome:
+  allowed_values:
+  - description: Indicates that this event describes a failed result. A common example
+      is `event.category:file AND event.type:access AND event.outcome:failure` to
+      indicate that a file access was attempted, but was not successful.
+    name: failure
+  - description: Indicates that this event describes a successful result. A common
+      example is `event.category:file AND event.type:create AND event.outcome:success`
+      to indicate that a file was successfully created.
+    name: success
+  - description: Indicates that this event describes only an attempt for which the
+      result is unknown from the perspective of the event producer. For example, if
+      the event contains information only about the request side of a transaction
+      that results in a response, populating `event.outcome:unknown` in the request
+      event is appropriate. The unknown value should not be used when an outcome doesn't
+      make logical sense for the event. In such cases `event.outcome` should not be
+      populated.
+    name: unknown
+  dashed_name: event-outcome
+  description: 'This is one of four ECS Categorization Fields, and indicates the lowest
+    level in the ECS category hierarchy.
+
+    `event.outcome` simply denotes whether the event represents a success or a failure
+    from the perspective of the entity that produced the event.
+
+    Note that when a single transaction is described in multiple events, each event
+    may populate different values of `event.outcome`, according to their perspective.
+
+    Also note that in the case of a compound event (a single event that contains multiple
+    logical events), this field should be populated with the value that best captures
+    the overall success or failure from the perspective of the event producer.
+
+    Further note that not all events will have an associated outcome. For example,
+    this field is generally not populated for metric events, events with `event.type:info`,
+    or any events for which an outcome does not make logical sense.'
+  example: success
+  flat_name: event.outcome
+  ignore_above: 1024
+  level: core
+  name: outcome
+  normalize: []
+  short: The outcome of the event. The lowest level categorization field in the hierarchy.
+  type: keyword
+event.provider:
+  dashed_name: event-provider
+  description: 'Source of the event.
+
+    Event transports such as Syslog or the Windows Event Log typically mention the
+    source of an event. It can be the name of the software that generated the event
+    (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).'
+  example: kernel
+  flat_name: event.provider
+  ignore_above: 1024
+  level: extended
+  name: provider
+  normalize: []
+  short: Source of the event.
+  type: keyword
+event.reason:
+  dashed_name: event-reason
+  description: 'Reason why this event happened, according to the source.
+
+    This describes the why of a particular action or outcome captured in the event.
+    Where `event.action` captures the action from the event, `event.reason` describes
+    why that action was taken. For example, a web proxy with an `event.action` which
+    denied the request may also populate `event.reason` with the reason why (e.g.
+    `blocked site`).'
+  example: Terminated an unexpected process
+  flat_name: event.reason
+  ignore_above: 1024
+  level: extended
+  name: reason
+  normalize: []
+  short: Reason why this event happened, according to the source
+  type: keyword
+event.reference:
+  dashed_name: event-reference
+  description: 'Reference URL linking to additional information about this event.
+
+    This URL links to a static definition of the this event. Alert events, indicated
+    by `event.kind:alert`, are a common use case for this field.'
+  example: https://system.example.com/event/#0001234
+  flat_name: event.reference
+  ignore_above: 1024
+  level: extended
+  name: reference
+  normalize: []
+  short: Event reference URL
+  type: keyword
+event.risk_score:
+  dashed_name: event-risk-score
+  description: Risk score or priority of the event (e.g. security solutions). Use
+    your system's original value here.
+  flat_name: event.risk_score
+  level: core
+  name: risk_score
+  normalize: []
+  short: Risk score or priority of the event (e.g. security solutions). Use your system's
+    original value here.
+  type: float
+event.risk_score_norm:
+  dashed_name: event-risk-score-norm
+  description: 'Normalized risk score or priority of the event, on a scale of 0 to
+    100.
+
+    This is mainly useful if you use more than one system that assigns risk scores,
+    and you want to see a normalized value across all systems.'
+  flat_name: event.risk_score_norm
+  level: extended
+  name: risk_score_norm
+  normalize: []
+  short: Normalized risk score or priority of the event (0-100).
+  type: float
+event.sequence:
+  dashed_name: event-sequence
+  description: 'Sequence number of the event.
+
+    The sequence number is a value published by some event sources, to make the exact
+    ordering of events unambiguous, regardless of the timestamp precision.'
+  flat_name: event.sequence
+  format: string
+  level: extended
+  name: sequence
+  normalize: []
+  short: Sequence number of the event.
+  type: long
+event.severity:
+  dashed_name: event-severity
+  description: 'The numeric severity of the event according to your event source.
+
+    What the different severity values mean can be different between sources and use
+    cases. It''s up to the implementer to make sure severities are consistent across
+    events from the same source.
+
+    The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is
+    meant to represent the severity according to the event source (e.g. firewall,
+    IDS). If the event source does not publish its own severity, you may optionally
+    copy the `log.syslog.severity.code` to `event.severity`.'
+  example: 7
+  flat_name: event.severity
+  format: string
+  level: core
+  name: severity
+  normalize: []
+  short: Numeric severity of the event.
+  type: long
+event.start:
+  dashed_name: event-start
+  description: event.start contains the date when the event started or when the activity
+    was first observed.
+  flat_name: event.start
+  level: extended
+  name: start
+  normalize: []
+  short: event.start contains the date when the event started or when the activity
+    was first observed.
+  type: date
+event.timezone:
+  dashed_name: event-timezone
+  description: 'This field should be populated when the event''s timestamp does not
+    include timezone information already (e.g. default Syslog timestamps). It''s optional
+    otherwise.
+
+    Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated
+    (e.g. "EST") or an HH:mm differential (e.g. "-05:00").'
+  flat_name: event.timezone
+  ignore_above: 1024
+  level: extended
+  name: timezone
+  normalize: []
+  short: Event time zone.
+  type: keyword
+event.type:
+  allowed_values:
+  - description: The access event type is used for the subset of events within a category
+      that indicate that something was accessed. Common examples include `event.category:database
+      AND event.type:access`, or `event.category:file AND event.type:access`. Note
+      for file access, both directory listings and file opens should be included in
+      this subcategory. You can further distinguish access operations using the ECS
+      `event.action` field.
+    name: access
+  - description: 'The admin event type is used for the subset of events within a category
+      that are related to admin objects. For example, administrative changes within
+      an IAM framework that do not specifically affect a user or group (e.g., adding
+      new applications to a federation solution or connecting discrete forests in
+      Active Directory) would fall into this subcategory. Common example: `event.category:iam
+      AND event.type:change AND event.type:admin`. You can further distinguish admin
+      operations using the ECS `event.action` field.'
+    name: admin
+  - description: The allowed event type is used for the subset of events within a
+      category that indicate that something was allowed. Common examples include `event.category:network
+      AND event.type:connection AND event.type:allowed` (to indicate a network firewall
+      event for which the firewall disposition was to allow the connection to complete)
+      and `event.category:intrusion_detection AND event.type:allowed` (to indicate
+      a network intrusion prevention system event for which the IPS disposition was
+      to allow the connection to complete). You can further distinguish allowed operations
+      using the ECS `event.action` field, populating with values of your choosing,
+      such as "allow", "detect", or "pass".
+    name: allowed
+  - description: The change event type is used for the subset of events within a category
+      that indicate that something has changed. If semantics best describe an event
+      as modified, then include them in this subcategory. Common examples include
+      `event.category:process AND event.type:change`, and `event.category:file AND
+      event.type:change`. You can further distinguish change operations using the
+      ECS `event.action` field.
+    name: change
+  - description: Used primarily with `event.category:network` this value is used for
+      the subset of network traffic that includes sufficient information for the event
+      to be included in flow or connection analysis. Events in this subcategory will
+      contain at least source and destination IP addresses, source and destination
+      TCP/UDP ports, and will usually contain counts of bytes and/or packets transferred.
+      Events in this subcategory may contain unidirectional or bidirectional information,
+      including summary information. Use this subcategory to visualize and analyze
+      network connections. Flow analysis, including Netflow, IPFIX, and other flow-related
+      events fit in this subcategory. Note that firewall events from many Next-Generation
+      Firewall (NGFW) devices will also fit into this subcategory.  A common filter
+      for flow/connection information would be `event.category:network AND event.type:connection
+      AND event.type:end` (to view or analyze all completed network connections, ignoring
+      mid-flow reports). You can further distinguish connection events using the ECS
+      `event.action` field, populating with values of your choosing, such as "timeout",
+      or "reset".
+    name: connection
+  - description: The "creation" event type is used for the subset of events within
+      a category that indicate that something was created. A common example is `event.category:file
+      AND event.type:creation`.
+    name: creation
+  - description: The deletion event type is used for the subset of events within a
+      category that indicate that something was deleted. A common example is `event.category:file
+      AND event.type:deletion` to indicate that a file has been deleted.
+    name: deletion
+  - description: The denied event type is used for the subset of events within a category
+      that indicate that something was denied. Common examples include `event.category:network
+      AND event.type:denied` (to indicate a network firewall event for which the firewall
+      disposition was to deny the connection) and `event.category:intrusion_detection
+      AND event.type:denied` (to indicate a network intrusion prevention system event
+      for which the IPS disposition was to deny the connection to complete). You can
+      further distinguish denied operations using the ECS `event.action` field, populating
+      with values of your choosing, such as "blocked", "dropped", or "quarantined".
+    name: denied
+  - description: The end event type is used for the subset of events within a category
+      that indicate something has ended. A common example is `event.category:process
+      AND event.type:end`.
+    name: end
+  - description: The error event type is used for the subset of events within a category
+      that indicate or describe an error. A common example is `event.category:database
+      AND event.type:error`. Note that pipeline errors that occur during the event
+      ingestion process should not use this `event.type` value. Instead, they should
+      use `event.kind:pipeline_error`.
+    name: error
+  - description: 'The group event type is used for the subset of events within a category
+      that are related to group objects. Common example: `event.category:iam AND event.type:creation
+      AND event.type:group`. You can further distinguish group operations using the
+      ECS `event.action` field.'
+    name: group
+  - description: The info event type is used for the subset of events within a category
+      that indicate that they are purely informational, and don't report a state change,
+      or any type of action. For example, an initial run of a file integrity monitoring
+      system (FIM), where an agent reports all files under management, would fall
+      into the "info" subcategory. Similarly, an event containing a dump of all currently
+      running processes (as opposed to reporting that a process started/ended) would
+      fall into the "info" subcategory. An additional common examples is `event.category:intrusion_detection
+      AND event.type:info`.
+    name: info
+  - description: The installation event type is used for the subset of events within
+      a category that indicate that something was installed. A common example is `event.category:package`
+      AND `event.type:installation`.
+    name: installation
+  - description: The protocol event type is used for the subset of events within a
+      category that indicate that they contain protocol details or analysis, beyond
+      simply identifying the protocol. Generally, network events that contain specific
+      protocol details will fall into this subcategory. A common example is `event.category:network
+      AND event.type:protocol AND event.type:connection AND event.type:end` (to indicate
+      that the event is a network connection event sent at the end of a connection
+      that also includes a protocol detail breakdown). Note that events that only
+      indicate the name or id of the protocol should not use the protocol value. Further
+      note that when the protocol subcategory is used, the identified protocol is
+      populated in the ECS `network.protocol` field.
+    name: protocol
+  - description: The start event type is used for the subset of events within a category
+      that indicate something has started. A common example is `event.category:process
+      AND event.type:start`.
+    name: start
+  - description: 'The user event type is used for the subset of events within a category
+      that are related to user objects. Common example: `event.category:iam AND event.type:deletion
+      AND event.type:user`. You can further distinguish user operations using the
+      ECS `event.action` field.'
+    name: user
+  dashed_name: event-type
+  description: 'This is one of four ECS Categorization Fields, and indicates the third
+    level in the ECS category hierarchy.
+
+    `event.type` represents a categorization "sub-bucket" that, when used along with
+    the `event.category` field values, enables filtering events down to a level appropriate
+    for single visualization.
+
+    This field is an array. This will allow proper categorization of some events that
+    fall in multiple event types.'
+  flat_name: event.type
+  ignore_above: 1024
+  level: core
+  name: type
+  normalize:
+  - array
+  short: Event type. The third categorization field in the hierarchy.
+  type: keyword
+event.url:
+  dashed_name: event-url
+  description: 'URL linking to an external system to continue investigation of this
+    event.
+
+    This URL links to another system where in-depth investigation of the specific
+    occurrence of this event can take place. Alert events, indicated by `event.kind:alert`,
+    are a common use case for this field.'
+  example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe
+  flat_name: event.url
+  ignore_above: 1024
+  level: extended
+  name: url
+  normalize: []
+  short: Event investigation URL
+  type: keyword
+file.accessed:
+  dashed_name: file-accessed
+  description: 'Last time the file was accessed.
+
+    Note that not all filesystems keep track of access time.'
+  flat_name: file.accessed
+  level: extended
+  name: accessed
+  normalize: []
+  short: Last time the file was accessed.
+  type: date
+file.attributes:
+  dashed_name: file-attributes
+  description: 'Array of file attributes.
+
+    Attributes names will vary by platform. Here''s a non-exhaustive list of values
+    that are expected in this field: archive, compressed, directory, encrypted, execute,
+    hidden, read, readonly, system, write.'
+  example: '["readonly", "system"]'
+  flat_name: file.attributes
+  ignore_above: 1024
+  level: extended
+  name: attributes
+  normalize:
+  - array
+  short: Array of file attributes.
+  type: keyword
+file.code_signature.exists:
+  dashed_name: file-code-signature-exists
+  description: Boolean to capture if a signature is present.
+  example: 'true'
+  flat_name: file.code_signature.exists
+  level: core
+  name: exists
+  normalize: []
+  original_fieldset: code_signature
+  short: Boolean to capture if a signature is present.
+  type: boolean
+file.code_signature.status:
+  dashed_name: file-code-signature-status
+  description: 'Additional information about the certificate status.
+
+    This is useful for logging cryptographic errors with the certificate validity
+    or trust status. Leave unpopulated if the validity or trust of the certificate
+    was unchecked.'
+  example: ERROR_UNTRUSTED_ROOT
+  flat_name: file.code_signature.status
+  ignore_above: 1024
+  level: extended
+  name: status
+  normalize: []
+  original_fieldset: code_signature
+  short: Additional information about the certificate status.
+  type: keyword
+file.code_signature.subject_name:
+  dashed_name: file-code-signature-subject-name
+  description: Subject name of the code signer
+  example: Microsoft Corporation
+  flat_name: file.code_signature.subject_name
+  ignore_above: 1024
+  level: core
+  name: subject_name
+  normalize: []
+  original_fieldset: code_signature
+  short: Subject name of the code signer
+  type: keyword
+file.code_signature.trusted:
+  dashed_name: file-code-signature-trusted
+  description: 'Stores the trust status of the certificate chain.
+
+    Validating the trust of the certificate chain may be complicated, and this field
+    should only be populated by tools that actively check the status.'
+  example: 'true'
+  flat_name: file.code_signature.trusted
+  level: extended
+  name: trusted
+  normalize: []
+  original_fieldset: code_signature
+  short: Stores the trust status of the certificate chain.
+  type: boolean
+file.code_signature.valid:
+  dashed_name: file-code-signature-valid
+  description: 'Boolean to capture if the digital signature is verified against the
+    binary content.
+
+    Leave unpopulated if a certificate was unchecked.'
+  example: 'true'
+  flat_name: file.code_signature.valid
+  level: extended
+  name: valid
+  normalize: []
+  original_fieldset: code_signature
+  short: Boolean to capture if the digital signature is verified against the binary
+    content.
+  type: boolean
+file.created:
+  dashed_name: file-created
+  description: 'File creation time.
+
+    Note that not all filesystems store the creation time.'
+  flat_name: file.created
+  level: extended
+  name: created
+  normalize: []
+  short: File creation time.
+  type: date
+file.ctime:
+  dashed_name: file-ctime
+  description: 'Last time the file attributes or metadata changed.
+
+    Note that changes to the file content will update `mtime`. This implies `ctime`
+    will be adjusted at the same time, since `mtime` is an attribute of the file.'
+  flat_name: file.ctime
+  level: extended
+  name: ctime
+  normalize: []
+  short: Last time the file attributes or metadata changed.
+  type: date
+file.device:
+  dashed_name: file-device
+  description: Device that is the source of the file.
+  example: sda
+  flat_name: file.device
+  ignore_above: 1024
+  level: extended
+  name: device
+  normalize: []
+  short: Device that is the source of the file.
+  type: keyword
+file.directory:
+  dashed_name: file-directory
+  description: Directory where the file is located. It should include the drive letter,
+    when appropriate.
+  example: /home/alice
+  flat_name: file.directory
+  level: extended
+  name: directory
+  normalize: []
+  short: Directory where the file is located.
+  type: wildcard
+file.drive_letter:
+  dashed_name: file-drive-letter
+  description: 'Drive letter where the file is located. This field is only relevant
+    on Windows.
+
+    The value should be uppercase, and not include the colon.'
+  example: C
+  flat_name: file.drive_letter
+  ignore_above: 1
+  level: extended
+  name: drive_letter
+  normalize: []
+  short: Drive letter where the file is located.
+  type: keyword
+file.extension:
+  dashed_name: file-extension
+  description: File extension.
+  example: png
+  flat_name: file.extension
+  ignore_above: 1024
+  level: extended
+  name: extension
+  normalize: []
+  short: File extension.
+  type: keyword
+file.gid:
+  dashed_name: file-gid
+  description: Primary group ID (GID) of the file.
+  example: '1001'
+  flat_name: file.gid
+  ignore_above: 1024
+  level: extended
+  name: gid
+  normalize: []
+  short: Primary group ID (GID) of the file.
+  type: keyword
+file.group:
+  dashed_name: file-group
+  description: Primary group name of the file.
+  example: alice
+  flat_name: file.group
+  ignore_above: 1024
+  level: extended
+  name: group
+  normalize: []
+  short: Primary group name of the file.
+  type: keyword
+file.hash.md5:
+  dashed_name: file-hash-md5
+  description: MD5 hash.
+  flat_name: file.hash.md5
+  ignore_above: 1024
+  level: extended
+  name: md5
+  normalize: []
+  original_fieldset: hash
+  short: MD5 hash.
+  type: keyword
+file.hash.sha1:
+  dashed_name: file-hash-sha1
+  description: SHA1 hash.
+  flat_name: file.hash.sha1
+  ignore_above: 1024
+  level: extended
+  name: sha1
+  normalize: []
+  original_fieldset: hash
+  short: SHA1 hash.
+  type: keyword
+file.hash.sha256:
+  dashed_name: file-hash-sha256
+  description: SHA256 hash.
+  flat_name: file.hash.sha256
+  ignore_above: 1024
+  level: extended
+  name: sha256
+  normalize: []
+  original_fieldset: hash
+  short: SHA256 hash.
+  type: keyword
+file.hash.sha512:
+  dashed_name: file-hash-sha512
+  description: SHA512 hash.
+  flat_name: file.hash.sha512
+  ignore_above: 1024
+  level: extended
+  name: sha512
+  normalize: []
+  original_fieldset: hash
+  short: SHA512 hash.
+  type: keyword
+file.inode:
+  dashed_name: file-inode
+  description: Inode representing the file in the filesystem.
+  example: '256383'
+  flat_name: file.inode
+  ignore_above: 1024
+  level: extended
+  name: inode
+  normalize: []
+  short: Inode representing the file in the filesystem.
+  type: keyword
+file.mime_type:
+  dashed_name: file-mime-type
+  description: MIME type should identify the format of the file or stream of bytes
+    using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official
+    types], where possible. When more than one type is applicable, the most specific
+    type should be used.
+  flat_name: file.mime_type
+  ignore_above: 1024
+  level: extended
+  name: mime_type
+  normalize: []
+  short: Media type of file, document, or arrangement of bytes.
+  type: keyword
+file.mode:
+  dashed_name: file-mode
+  description: Mode of the file in octal representation.
+  example: '0640'
+  flat_name: file.mode
+  ignore_above: 1024
+  level: extended
+  name: mode
+  normalize: []
+  short: Mode of the file in octal representation.
+  type: keyword
+file.mtime:
+  dashed_name: file-mtime
+  description: Last time the file content was modified.
+  flat_name: file.mtime
+  level: extended
+  name: mtime
+  normalize: []
+  short: Last time the file content was modified.
+  type: date
+file.name:
+  dashed_name: file-name
+  description: Name of the file including the extension, without the directory.
+  example: example.png
+  flat_name: file.name
+  ignore_above: 1024
+  level: extended
+  name: name
+  normalize: []
+  short: Name of the file including the extension, without the directory.
+  type: keyword
+file.owner:
+  dashed_name: file-owner
+  description: File owner's username.
+  example: alice
+  flat_name: file.owner
+  ignore_above: 1024
+  level: extended
+  name: owner
+  normalize: []
+  short: File owner's username.
+  type: keyword
+file.path:
+  dashed_name: file-path
+  description: Full path to the file, including the file name. It should include the
+    drive letter, when appropriate.
+  example: /home/alice/example.png
+  flat_name: file.path
+  level: extended
+  multi_fields:
+  - flat_name: file.path.text
+    name: text
+    norms: false
+    type: text
+  name: path
+  normalize: []
+  short: Full path to the file, including the file name.
+  type: wildcard
+file.pe.architecture:
+  dashed_name: file-pe-architecture
+  description: CPU architecture target for the file.
+  example: x64
+  flat_name: file.pe.architecture
+  ignore_above: 1024
+  level: extended
+  name: architecture
+  normalize: []
+  original_fieldset: pe
+  short: CPU architecture target for the file.
+  type: keyword
+file.pe.company:
+  dashed_name: file-pe-company
+  description: Internal company name of the file, provided at compile-time.
+  example: Microsoft Corporation
+  flat_name: file.pe.company
+  ignore_above: 1024
+  level: extended
+  name: company
+  normalize: []
+  original_fieldset: pe
+  short: Internal company name of the file, provided at compile-time.
+  type: keyword
+file.pe.description:
+  dashed_name: file-pe-description
+  description: Internal description of the file, provided at compile-time.
+  example: Paint
+  flat_name: file.pe.description
+  ignore_above: 1024
+  level: extended
+  name: description
+  normalize: []
+  original_fieldset: pe
+  short: Internal description of the file, provided at compile-time.
+  type: keyword
+file.pe.file_version:
+  dashed_name: file-pe-file-version
+  description: Internal version of the file, provided at compile-time.
+  example: 6.3.9600.17415
+  flat_name: file.pe.file_version
+  ignore_above: 1024
+  level: extended
+  name: file_version
+  normalize: []
+  original_fieldset: pe
+  short: Process name.
+  type: keyword
+file.pe.imphash:
+  dashed_name: file-pe-imphash
+  description: 'A hash of the imports in a PE file. An imphash -- or import hash --
+    can be used to fingerprint binaries even after recompilation or other code-level
+    transformations have occurred, which would change more traditional hash values.
+
+    Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+  example: 0c6803c4e922103c4dca5963aad36ddf
+  flat_name: file.pe.imphash
+  ignore_above: 1024
+  level: extended
+  name: imphash
+  normalize: []
+  original_fieldset: pe
+  short: A hash of the imports in a PE file.
+  type: keyword
+file.pe.original_file_name:
+  dashed_name: file-pe-original-file-name
+  description: Internal name of the file, provided at compile-time.
+  example: MSPAINT.EXE
+  flat_name: file.pe.original_file_name
+  level: extended
+  name: original_file_name
+  normalize: []
+  original_fieldset: pe
+  short: Internal name of the file, provided at compile-time.
+  type: wildcard
+file.pe.product:
+  dashed_name: file-pe-product
+  description: Internal product name of the file, provided at compile-time.
+  example: "Microsoft\xAE Windows\xAE Operating System"
+  flat_name: file.pe.product
+  ignore_above: 1024
+  level: extended
+  name: product
+  normalize: []
+  original_fieldset: pe
+  short: Internal product name of the file, provided at compile-time.
+  type: keyword
+file.size:
+  dashed_name: file-size
+  description: 'File size in bytes.
+
+    Only relevant when `file.type` is "file".'
+  example: 16384
+  flat_name: file.size
+  level: extended
+  name: size
+  normalize: []
+  short: File size in bytes.
+  type: long
+file.target_path:
+  dashed_name: file-target-path
+  description: Target path for symlinks.
+  flat_name: file.target_path
+  level: extended
+  multi_fields:
+  - flat_name: file.target_path.text
+    name: text
+    norms: false
+    type: text
+  name: target_path
+  normalize: []
+  short: Target path for symlinks.
+  type: wildcard
+file.type:
+  dashed_name: file-type
+  description: File type (file, dir, or symlink).
+  example: file
+  flat_name: file.type
+  ignore_above: 1024
+  level: extended
+  name: type
+  normalize: []
+  short: File type (file, dir, or symlink).
+  type: keyword
+file.uid:
+  dashed_name: file-uid
+  description: The user ID (UID) or security identifier (SID) of the file owner.
+  example: '1001'
+  flat_name: file.uid
+  ignore_above: 1024
+  level: extended
+  name: uid
+  normalize: []
+  short: The user ID (UID) or security identifier (SID) of the file owner.
+  type: keyword
+file.x509.alternative_names:
+  dashed_name: file-x509-alternative-names
+  description: List of subject alternative names (SAN). Name types vary by certificate
+    authority and certificate type but commonly contain IP addresses, DNS names (and
+    wildcards), and email addresses.
+  example: '*.elastic.co'
+  flat_name: file.x509.alternative_names
+  ignore_above: 1024
+  level: extended
+  name: alternative_names
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of subject alternative names (SAN).
+  type: keyword
+file.x509.issuer.common_name:
+  dashed_name: file-x509-issuer-common-name
+  description: List of common name (CN) of issuing certificate authority.
+  example: Example SHA2 High Assurance Server CA
+  flat_name: file.x509.issuer.common_name
+  ignore_above: 1024
+  level: extended
+  name: issuer.common_name
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of common name (CN) of issuing certificate authority.
+  type: keyword
+file.x509.issuer.country:
+  dashed_name: file-x509-issuer-country
+  description: List of country (C) codes
+  example: US
+  flat_name: file.x509.issuer.country
+  ignore_above: 1024
+  level: extended
+  name: issuer.country
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of country (C) codes
+  type: keyword
+file.x509.issuer.distinguished_name:
+  dashed_name: file-x509-issuer-distinguished-name
+  description: Distinguished name (DN) of issuing certificate authority.
+  example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
+    Server CA
+  flat_name: file.x509.issuer.distinguished_name
+  level: extended
+  name: issuer.distinguished_name
+  normalize: []
+  original_fieldset: x509
+  short: Distinguished name (DN) of issuing certificate authority.
+  type: wildcard
+file.x509.issuer.locality:
+  dashed_name: file-x509-issuer-locality
+  description: List of locality names (L)
+  example: Mountain View
+  flat_name: file.x509.issuer.locality
+  ignore_above: 1024
+  level: extended
+  name: issuer.locality
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of locality names (L)
+  type: keyword
+file.x509.issuer.organization:
+  dashed_name: file-x509-issuer-organization
+  description: List of organizations (O) of issuing certificate authority.
+  example: Example Inc
+  flat_name: file.x509.issuer.organization
+  ignore_above: 1024
+  level: extended
+  name: issuer.organization
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of organizations (O) of issuing certificate authority.
+  type: keyword
+file.x509.issuer.organizational_unit:
+  dashed_name: file-x509-issuer-organizational-unit
+  description: List of organizational units (OU) of issuing certificate authority.
+  example: www.example.com
+  flat_name: file.x509.issuer.organizational_unit
+  ignore_above: 1024
+  level: extended
+  name: issuer.organizational_unit
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of organizational units (OU) of issuing certificate authority.
+  type: keyword
+file.x509.issuer.state_or_province:
+  dashed_name: file-x509-issuer-state-or-province
+  description: List of state or province names (ST, S, or P)
+  example: California
+  flat_name: file.x509.issuer.state_or_province
+  ignore_above: 1024
+  level: extended
+  name: issuer.state_or_province
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of state or province names (ST, S, or P)
+  type: keyword
+file.x509.not_after:
+  dashed_name: file-x509-not-after
+  description: Time at which the certificate is no longer considered valid.
+  example: 2020-07-16 03:15:39+00:00
+  flat_name: file.x509.not_after
+  level: extended
+  name: not_after
+  normalize: []
+  original_fieldset: x509
+  short: Time at which the certificate is no longer considered valid.
+  type: date
+file.x509.not_before:
+  dashed_name: file-x509-not-before
+  description: Time at which the certificate is first considered valid.
+  example: 2019-08-16 01:40:25+00:00
+  flat_name: file.x509.not_before
+  level: extended
+  name: not_before
+  normalize: []
+  original_fieldset: x509
+  short: Time at which the certificate is first considered valid.
+  type: date
+file.x509.public_key_algorithm:
+  dashed_name: file-x509-public-key-algorithm
+  description: Algorithm used to generate the public key.
+  example: RSA
+  flat_name: file.x509.public_key_algorithm
+  ignore_above: 1024
+  level: extended
+  name: public_key_algorithm
+  normalize: []
+  original_fieldset: x509
+  short: Algorithm used to generate the public key.
+  type: keyword
+file.x509.public_key_curve:
+  dashed_name: file-x509-public-key-curve
+  description: The curve used by the elliptic curve public key algorithm. This is
+    algorithm specific.
+  example: nistp521
+  flat_name: file.x509.public_key_curve
+  ignore_above: 1024
+  level: extended
+  name: public_key_curve
+  normalize: []
+  original_fieldset: x509
+  short: The curve used by the elliptic curve public key algorithm. This is algorithm
+    specific.
+  type: keyword
+file.x509.public_key_exponent:
+  dashed_name: file-x509-public-key-exponent
+  description: Exponent used to derive the public key. This is algorithm specific.
+  doc_values: false
+  example: 65537
+  flat_name: file.x509.public_key_exponent
+  index: false
+  level: extended
+  name: public_key_exponent
+  normalize: []
+  original_fieldset: x509
+  short: Exponent used to derive the public key. This is algorithm specific.
+  type: long
+file.x509.public_key_size:
+  dashed_name: file-x509-public-key-size
+  description: The size of the public key space in bits.
+  example: 2048
+  flat_name: file.x509.public_key_size
+  level: extended
+  name: public_key_size
+  normalize: []
+  original_fieldset: x509
+  short: The size of the public key space in bits.
+  type: long
+file.x509.serial_number:
+  dashed_name: file-x509-serial-number
+  description: Unique serial number issued by the certificate authority. For consistency,
+    if this value is alphanumeric, it should be formatted without colons and uppercase
+    characters.
+  example: 55FBB9C7DEBF09809D12CCAA
+  flat_name: file.x509.serial_number
+  ignore_above: 1024
+  level: extended
+  name: serial_number
+  normalize: []
+  original_fieldset: x509
+  short: Unique serial number issued by the certificate authority.
+  type: keyword
+file.x509.signature_algorithm:
+  dashed_name: file-x509-signature-algorithm
+  description: Identifier for certificate signature algorithm. We recommend using
+    names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
+  example: SHA256-RSA
+  flat_name: file.x509.signature_algorithm
+  ignore_above: 1024
+  level: extended
+  name: signature_algorithm
+  normalize: []
+  original_fieldset: x509
+  short: Identifier for certificate signature algorithm.
+  type: keyword
+file.x509.subject.common_name:
+  dashed_name: file-x509-subject-common-name
+  description: List of common names (CN) of subject.
+  example: shared.global.example.net
+  flat_name: file.x509.subject.common_name
+  ignore_above: 1024
+  level: extended
+  name: subject.common_name
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of common names (CN) of subject.
+  type: keyword
+file.x509.subject.country:
+  dashed_name: file-x509-subject-country
+  description: List of country (C) code
+  example: US
+  flat_name: file.x509.subject.country
+  ignore_above: 1024
+  level: extended
+  name: subject.country
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of country (C) code
+  type: keyword
+file.x509.subject.distinguished_name:
+  dashed_name: file-x509-subject-distinguished-name
+  description: Distinguished name (DN) of the certificate subject entity.
+  example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+  flat_name: file.x509.subject.distinguished_name
+  level: extended
+  name: subject.distinguished_name
+  normalize: []
+  original_fieldset: x509
+  short: Distinguished name (DN) of the certificate subject entity.
+  type: wildcard
+file.x509.subject.locality:
+  dashed_name: file-x509-subject-locality
+  description: List of locality names (L)
+  example: San Francisco
+  flat_name: file.x509.subject.locality
+  ignore_above: 1024
+  level: extended
+  name: subject.locality
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of locality names (L)
+  type: keyword
+file.x509.subject.organization:
+  dashed_name: file-x509-subject-organization
+  description: List of organizations (O) of subject.
+  example: Example, Inc.
+  flat_name: file.x509.subject.organization
+  ignore_above: 1024
+  level: extended
+  name: subject.organization
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of organizations (O) of subject.
+  type: keyword
+file.x509.subject.organizational_unit:
+  dashed_name: file-x509-subject-organizational-unit
+  description: List of organizational units (OU) of subject.
+  flat_name: file.x509.subject.organizational_unit
+  ignore_above: 1024
+  level: extended
+  name: subject.organizational_unit
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of organizational units (OU) of subject.
+  type: keyword
+file.x509.subject.state_or_province:
+  dashed_name: file-x509-subject-state-or-province
+  description: List of state or province names (ST, S, or P)
+  example: California
+  flat_name: file.x509.subject.state_or_province
+  ignore_above: 1024
+  level: extended
+  name: subject.state_or_province
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of state or province names (ST, S, or P)
+  type: keyword
+file.x509.version_number:
+  dashed_name: file-x509-version-number
+  description: Version of x509 format.
+  example: 3
+  flat_name: file.x509.version_number
+  ignore_above: 1024
+  level: extended
+  name: version_number
+  normalize: []
+  original_fieldset: x509
+  short: Version of x509 format.
+  type: keyword
+group.domain:
+  dashed_name: group-domain
+  description: 'Name of the directory the group is a member of.
+
+    For example, an LDAP or Active Directory domain name.'
+  flat_name: group.domain
+  ignore_above: 1024
+  level: extended
+  name: domain
+  normalize: []
+  short: Name of the directory the group is a member of.
+  type: keyword
+group.id:
+  dashed_name: group-id
+  description: Unique identifier for the group on the system/platform.
+  flat_name: group.id
+  ignore_above: 1024
+  level: extended
+  name: id
+  normalize: []
+  short: Unique identifier for the group on the system/platform.
+  type: keyword
+group.name:
+  dashed_name: group-name
+  description: Name of the group.
+  flat_name: group.name
+  ignore_above: 1024
+  level: extended
+  name: name
+  normalize: []
+  short: Name of the group.
+  type: keyword
+host.architecture:
+  dashed_name: host-architecture
+  description: Operating system architecture.
+  example: x86_64
+  flat_name: host.architecture
+  ignore_above: 1024
+  level: core
+  name: architecture
+  normalize: []
+  short: Operating system architecture.
+  type: keyword
+host.domain:
+  dashed_name: host-domain
+  description: 'Name of the domain of which the host is a member.
+
+    For example, on Windows this could be the host''s Active Directory domain or NetBIOS
+    domain name. For Linux this could be the domain of the host''s LDAP provider.'
+  example: CONTOSO
+  flat_name: host.domain
+  ignore_above: 1024
+  level: extended
+  name: domain
+  normalize: []
+  short: Name of the directory the group is a member of.
+  type: keyword
+host.geo.city_name:
+  dashed_name: host-geo-city-name
+  description: City name.
+  example: Montreal
+  flat_name: host.geo.city_name
+  ignore_above: 1024
+  level: core
+  name: city_name
+  normalize: []
+  original_fieldset: geo
+  short: City name.
+  type: keyword
+host.geo.continent_name:
+  dashed_name: host-geo-continent-name
+  description: Name of the continent.
+  example: North America
+  flat_name: host.geo.continent_name
+  ignore_above: 1024
+  level: core
+  name: continent_name
+  normalize: []
+  original_fieldset: geo
+  short: Name of the continent.
+  type: keyword
+host.geo.country_iso_code:
+  dashed_name: host-geo-country-iso-code
+  description: Country ISO code.
+  example: CA
+  flat_name: host.geo.country_iso_code
+  ignore_above: 1024
+  level: core
+  name: country_iso_code
+  normalize: []
+  original_fieldset: geo
+  short: Country ISO code.
+  type: keyword
+host.geo.country_name:
+  dashed_name: host-geo-country-name
+  description: Country name.
+  example: Canada
+  flat_name: host.geo.country_name
+  ignore_above: 1024
+  level: core
+  name: country_name
+  normalize: []
+  original_fieldset: geo
+  short: Country name.
+  type: keyword
+host.geo.location:
+  dashed_name: host-geo-location
+  description: Longitude and latitude.
+  example: '{ "lon": -73.614830, "lat": 45.505918 }'
+  flat_name: host.geo.location
+  level: core
+  name: location
+  normalize: []
+  original_fieldset: geo
+  short: Longitude and latitude.
+  type: geo_point
+host.geo.name:
+  dashed_name: host-geo-name
+  description: 'User-defined description of a location, at the level of granularity
+    they care about.
+
+    Could be the name of their data centers, the floor number, if this describes a
+    local physical entity, city names.
+
+    Not typically used in automated geolocation.'
+  example: boston-dc
+  flat_name: host.geo.name
+  level: extended
+  name: name
+  normalize: []
+  original_fieldset: geo
+  short: User-defined description of a location.
+  type: wildcard
+host.geo.region_iso_code:
+  dashed_name: host-geo-region-iso-code
+  description: Region ISO code.
+  example: CA-QC
+  flat_name: host.geo.region_iso_code
+  ignore_above: 1024
+  level: core
+  name: region_iso_code
+  normalize: []
+  original_fieldset: geo
+  short: Region ISO code.
+  type: keyword
+host.geo.region_name:
+  dashed_name: host-geo-region-name
+  description: Region name.
+  example: Quebec
+  flat_name: host.geo.region_name
+  ignore_above: 1024
+  level: core
+  name: region_name
+  normalize: []
+  original_fieldset: geo
+  short: Region name.
+  type: keyword
+host.hostname:
+  dashed_name: host-hostname
+  description: 'Hostname of the host.
+
+    It normally contains what the `hostname` command returns on the host machine.'
+  flat_name: host.hostname
+  level: core
+  name: hostname
+  normalize: []
+  short: Hostname of the host.
+  type: wildcard
+host.id:
+  dashed_name: host-id
+  description: 'Unique host id.
+
+    As hostname is not always unique, use values that are meaningful in your environment.
+
+    Example: The current usage of `beat.name`.'
+  flat_name: host.id
+  ignore_above: 1024
+  level: core
+  name: id
+  normalize: []
+  short: Unique host id.
+  type: keyword
+host.ip:
+  dashed_name: host-ip
+  description: Host ip addresses.
+  flat_name: host.ip
+  level: core
+  name: ip
+  normalize:
+  - array
+  short: Host ip addresses.
+  type: ip
+host.mac:
+  dashed_name: host-mac
+  description: Host mac addresses.
+  flat_name: host.mac
+  ignore_above: 1024
+  level: core
+  name: mac
+  normalize:
+  - array
+  short: Host mac addresses.
+  type: keyword
+host.name:
+  dashed_name: host-name
+  description: 'Name of the host.
+
+    It can contain what `hostname` returns on Unix systems, the fully qualified domain
+    name, or a name specified by the user. The sender decides which value to use.'
+  flat_name: host.name
+  ignore_above: 1024
+  level: core
+  name: name
+  normalize: []
+  short: Name of the host.
+  type: keyword
+host.os.family:
+  dashed_name: host-os-family
+  description: OS family (such as redhat, debian, freebsd, windows).
+  example: debian
+  flat_name: host.os.family
+  ignore_above: 1024
+  level: extended
+  name: family
+  normalize: []
+  original_fieldset: os
+  short: OS family (such as redhat, debian, freebsd, windows).
+  type: keyword
+host.os.full:
+  dashed_name: host-os-full
+  description: Operating system name, including the version or code name.
+  example: Mac OS Mojave
+  flat_name: host.os.full
+  level: extended
+  multi_fields:
+  - flat_name: host.os.full.text
+    name: text
+    norms: false
+    type: text
+  name: full
+  normalize: []
+  original_fieldset: os
+  short: Operating system name, including the version or code name.
+  type: wildcard
+host.os.kernel:
+  dashed_name: host-os-kernel
+  description: Operating system kernel version as a raw string.
+  example: 4.4.0-112-generic
+  flat_name: host.os.kernel
+  ignore_above: 1024
+  level: extended
+  name: kernel
+  normalize: []
+  original_fieldset: os
+  short: Operating system kernel version as a raw string.
+  type: keyword
+host.os.name:
+  dashed_name: host-os-name
+  description: Operating system name, without the version.
+  example: Mac OS X
+  flat_name: host.os.name
+  level: extended
+  multi_fields:
+  - flat_name: host.os.name.text
+    name: text
+    norms: false
+    type: text
+  name: name
+  normalize: []
+  original_fieldset: os
+  short: Operating system name, without the version.
+  type: wildcard
+host.os.platform:
+  dashed_name: host-os-platform
+  description: Operating system platform (such centos, ubuntu, windows).
+  example: darwin
+  flat_name: host.os.platform
+  ignore_above: 1024
+  level: extended
+  name: platform
+  normalize: []
+  original_fieldset: os
+  short: Operating system platform (such centos, ubuntu, windows).
+  type: keyword
+host.os.version:
+  dashed_name: host-os-version
+  description: Operating system version as a raw string.
+  example: 10.14.1
+  flat_name: host.os.version
+  ignore_above: 1024
+  level: extended
+  name: version
+  normalize: []
+  original_fieldset: os
+  short: Operating system version as a raw string.
+  type: keyword
+host.type:
+  dashed_name: host-type
+  description: 'Type of host.
+
+    For Cloud providers this can be the machine type like `t2.medium`. If vm, this
+    could be the container, for example, or other information meaningful in your environment.'
+  flat_name: host.type
+  ignore_above: 1024
+  level: core
+  name: type
+  normalize: []
+  short: Type of host.
+  type: keyword
+host.uptime:
+  dashed_name: host-uptime
+  description: Seconds the host has been up.
+  example: 1325
+  flat_name: host.uptime
+  level: extended
+  name: uptime
+  normalize: []
+  short: Seconds the host has been up.
+  type: long
+host.user.domain:
+  dashed_name: host-user-domain
+  description: 'Name of the directory the user is a member of.
+
+    For example, an LDAP or Active Directory domain name.'
+  flat_name: host.user.domain
+  ignore_above: 1024
+  level: extended
+  name: domain
+  normalize: []
+  original_fieldset: user
+  short: Name of the directory the user is a member of.
+  type: keyword
+host.user.email:
+  dashed_name: host-user-email
+  description: User email address.
+  flat_name: host.user.email
+  level: extended
+  name: email
+  normalize: []
+  original_fieldset: user
+  short: User email address.
+  type: wildcard
+host.user.full_name:
+  dashed_name: host-user-full-name
+  description: User's full name, if available.
+  example: Albert Einstein
+  flat_name: host.user.full_name
+  level: extended
+  multi_fields:
+  - flat_name: host.user.full_name.text
+    name: text
+    norms: false
+    type: text
+  name: full_name
+  normalize: []
+  original_fieldset: user
+  short: User's full name, if available.
+  type: wildcard
+host.user.group.domain:
+  dashed_name: host-user-group-domain
+  description: 'Name of the directory the group is a member of.
+
+    For example, an LDAP or Active Directory domain name.'
+  flat_name: host.user.group.domain
+  ignore_above: 1024
+  level: extended
+  name: domain
+  normalize: []
+  original_fieldset: group
+  short: Name of the directory the group is a member of.
+  type: keyword
+host.user.group.id:
+  dashed_name: host-user-group-id
+  description: Unique identifier for the group on the system/platform.
+  flat_name: host.user.group.id
+  ignore_above: 1024
+  level: extended
+  name: id
+  normalize: []
+  original_fieldset: group
+  short: Unique identifier for the group on the system/platform.
+  type: keyword
+host.user.group.name:
+  dashed_name: host-user-group-name
+  description: Name of the group.
+  flat_name: host.user.group.name
+  ignore_above: 1024
+  level: extended
+  name: name
+  normalize: []
+  original_fieldset: group
+  short: Name of the group.
+  type: keyword
+host.user.hash:
+  dashed_name: host-user-hash
+  description: 'Unique user hash to correlate information for a user in anonymized
+    form.
+
+    Useful if `user.id` or `user.name` contain confidential information and cannot
+    be used.'
+  flat_name: host.user.hash
+  ignore_above: 1024
+  level: extended
+  name: hash
+  normalize: []
+  original_fieldset: user
+  short: Unique user hash to correlate information for a user in anonymized form.
+  type: keyword
+host.user.id:
+  dashed_name: host-user-id
+  description: Unique identifier of the user.
+  flat_name: host.user.id
+  ignore_above: 1024
+  level: core
+  name: id
+  normalize: []
+  original_fieldset: user
+  short: Unique identifier of the user.
+  type: keyword
+host.user.name:
+  dashed_name: host-user-name
+  description: Short name or login of the user.
+  example: albert
+  flat_name: host.user.name
+  level: core
+  multi_fields:
+  - flat_name: host.user.name.text
+    name: text
+    norms: false
+    type: text
+  name: name
+  normalize: []
+  original_fieldset: user
+  short: Short name or login of the user.
+  type: wildcard
+host.user.roles:
+  dashed_name: host-user-roles
+  description: Array of user roles at the time of the event.
+  example: '["kibana_admin", "reporting_user"]'
+  flat_name: host.user.roles
+  ignore_above: 1024
+  level: extended
+  name: roles
+  normalize:
+  - array
+  original_fieldset: user
+  short: Array of user roles at the time of the event.
+  type: keyword
+http.request.body.bytes:
+  dashed_name: http-request-body-bytes
+  description: Size in bytes of the request body.
+  example: 887
+  flat_name: http.request.body.bytes
+  format: bytes
+  level: extended
+  name: request.body.bytes
+  normalize: []
+  short: Size in bytes of the request body.
+  type: long
+http.request.body.content:
+  dashed_name: http-request-body-content
+  description: The full HTTP request body.
+  example: Hello world
+  flat_name: http.request.body.content
+  level: extended
+  multi_fields:
+  - flat_name: http.request.body.content.text
+    name: text
+    norms: false
+    type: text
+  name: request.body.content
+  normalize: []
+  short: The full HTTP request body.
+  type: wildcard
+http.request.bytes:
+  dashed_name: http-request-bytes
+  description: Total size in bytes of the request (body and headers).
+  example: 1437
+  flat_name: http.request.bytes
+  format: bytes
+  level: extended
+  name: request.bytes
+  normalize: []
+  short: Total size in bytes of the request (body and headers).
+  type: long
+http.request.method:
+  dashed_name: http-request-method
+  description: 'HTTP request method.
+
+    Prior to ECS 1.6.0 the following guidance was provided:
+
+    "The field value must be normalized to lowercase for querying."
+
+    As of ECS 1.6.0, the guidance is deprecated because the original case of the method
+    may be useful in anomaly detection.  Original case will be mandated in ECS 2.0.0'
+  example: GET, POST, PUT, PoST
+  flat_name: http.request.method
+  ignore_above: 1024
+  level: extended
+  name: request.method
+  normalize: []
+  short: HTTP request method.
+  type: keyword
+http.request.mime_type:
+  dashed_name: http-request-mime-type
+  description: 'Mime type of the body of the request.
+
+    This value must only be populated based on the content of the request body, not
+    on the `Content-Type` header. Comparing the mime type of a request with the request''s
+    Content-Type header can be helpful in detecting threats or misconfigured clients.'
+  example: image/gif
+  flat_name: http.request.mime_type
+  ignore_above: 1024
+  level: extended
+  name: request.mime_type
+  normalize: []
+  short: Mime type of the body of the request.
+  type: keyword
+http.request.referrer:
+  dashed_name: http-request-referrer
+  description: Referrer for this HTTP request.
+  example: https://blog.example.com/
+  flat_name: http.request.referrer
+  level: extended
+  name: request.referrer
+  normalize: []
+  short: Referrer for this HTTP request.
+  type: wildcard
+http.response.body.bytes:
+  dashed_name: http-response-body-bytes
+  description: Size in bytes of the response body.
+  example: 887
+  flat_name: http.response.body.bytes
+  format: bytes
+  level: extended
+  name: response.body.bytes
+  normalize: []
+  short: Size in bytes of the response body.
+  type: long
+http.response.body.content:
+  dashed_name: http-response-body-content
+  description: The full HTTP response body.
+  example: Hello world
+  flat_name: http.response.body.content
+  level: extended
+  multi_fields:
+  - flat_name: http.response.body.content.text
+    name: text
+    norms: false
+    type: text
+  name: response.body.content
+  normalize: []
+  short: The full HTTP response body.
+  type: wildcard
+http.response.bytes:
+  dashed_name: http-response-bytes
+  description: Total size in bytes of the response (body and headers).
+  example: 1437
+  flat_name: http.response.bytes
+  format: bytes
+  level: extended
+  name: response.bytes
+  normalize: []
+  short: Total size in bytes of the response (body and headers).
+  type: long
+http.response.mime_type:
+  dashed_name: http-response-mime-type
+  description: 'Mime type of the body of the response.
+
+    This value must only be populated based on the content of the response body, not
+    on the `Content-Type` header. Comparing the mime type of a response with the response''s
+    Content-Type header can be helpful in detecting misconfigured servers.'
+  example: image/gif
+  flat_name: http.response.mime_type
+  ignore_above: 1024
+  level: extended
+  name: response.mime_type
+  normalize: []
+  short: Mime type of the body of the response.
+  type: keyword
+http.response.status_code:
+  dashed_name: http-response-status-code
+  description: HTTP response status code.
+  example: 404
+  flat_name: http.response.status_code
+  format: string
+  level: extended
+  name: response.status_code
+  normalize: []
+  short: HTTP response status code.
+  type: long
+http.version:
+  dashed_name: http-version
+  description: HTTP version.
+  example: 1.1
+  flat_name: http.version
+  ignore_above: 1024
+  level: extended
+  name: version
+  normalize: []
+  short: HTTP version.
+  type: keyword
+labels:
+  dashed_name: labels
+  description: 'Custom key/value pairs.
+
+    Can be used to add meta information to events. Should not contain nested objects.
+    All values are stored as keyword.
+
+    Example: `docker` and `k8s` labels.'
+  example: '{"application": "foo-bar", "env": "production"}'
+  flat_name: labels
+  level: core
+  name: labels
+  normalize: []
+  object_type: keyword
+  short: Custom key/value pairs.
+  type: object
+log.file.path:
+  dashed_name: log-file-path
+  description: 'Full path to the log file this event came from, including the file
+    name. It should include the drive letter, when appropriate.
+
+    If the event wasn''t read from a log file, do not populate this field.'
+  example: /var/log/fun-times.log
+  flat_name: log.file.path
+  level: extended
+  name: file.path
+  normalize: []
+  short: Full path to the log file this event came from.
+  type: wildcard
+log.level:
+  dashed_name: log-level
+  description: 'Original log level of the log event.
+
+    If the source of the event provides a log level or textual severity, this is the
+    one that goes in `log.level`. If your source doesn''t specify one, you may put
+    your event transport''s severity here (e.g. Syslog severity).
+
+    Some examples are `warn`, `err`, `i`, `informational`.'
+  example: error
+  flat_name: log.level
+  ignore_above: 1024
+  level: core
+  name: level
+  normalize: []
+  short: Log level of the log event.
+  type: keyword
+log.logger:
+  dashed_name: log-logger
+  description: The name of the logger inside an application. This is usually the name
+    of the class which initialized the logger, or can be a custom name.
+  example: org.elasticsearch.bootstrap.Bootstrap
+  flat_name: log.logger
+  level: core
+  name: logger
+  normalize: []
+  short: Name of the logger.
+  type: wildcard
+log.origin.file.line:
+  dashed_name: log-origin-file-line
+  description: The line number of the file containing the source code which originated
+    the log event.
+  example: 42
+  flat_name: log.origin.file.line
+  level: extended
+  name: origin.file.line
+  normalize: []
+  short: The line number of the file which originated the log event.
+  type: integer
+log.origin.file.name:
+  dashed_name: log-origin-file-name
+  description: 'The name of the file containing the source code which originated the
+    log event.
+
+    Note that this field is not meant to capture the log file. The correct field to
+    capture the log file is `log.file.path`.'
+  example: Bootstrap.java
+  flat_name: log.origin.file.name
+  ignore_above: 1024
+  level: extended
+  name: origin.file.name
+  normalize: []
+  short: The code file which originated the log event.
+  type: keyword
+log.origin.function:
+  dashed_name: log-origin-function
+  description: The name of the function or method which originated the log event.
+  example: init
+  flat_name: log.origin.function
+  ignore_above: 1024
+  level: extended
+  name: origin.function
+  normalize: []
+  short: The function which originated the log event.
+  type: keyword
+log.original:
+  dashed_name: log-original
+  description: 'This is the original log message and contains the full log message
+    before splitting it up in multiple parts.
+
+    In contrast to the `message` field which can contain an extracted part of the
+    log message, this field contains the original, full log message. It can have already
+    some modifications applied like encoding or new lines removed to clean up the
+    log message.
+
+    This field is not indexed and doc_values are disabled so it can''t be queried
+    but the value can be retrieved from `_source`.'
+  doc_values: false
+  example: Sep 19 08:26:10 localhost My log
+  flat_name: log.original
+  ignore_above: 1024
+  index: false
+  level: core
+  name: original
+  normalize: []
+  short: Original log message with light interpretation only (encoding, newlines).
+  type: keyword
+log.syslog:
+  dashed_name: log-syslog
+  description: The Syslog metadata of the event, if the event was transmitted via
+    Syslog. Please see RFCs 5424 or 3164.
+  flat_name: log.syslog
+  level: extended
+  name: syslog
+  normalize: []
+  short: Syslog metadata
+  type: object
+log.syslog.facility.code:
+  dashed_name: log-syslog-facility-code
+  description: 'The Syslog numeric facility of the log event, if available.
+
+    According to RFCs 5424 and 3164, this value should be an integer between 0 and
+    23.'
+  example: 23
+  flat_name: log.syslog.facility.code
+  format: string
+  level: extended
+  name: syslog.facility.code
+  normalize: []
+  short: Syslog numeric facility of the event.
+  type: long
+log.syslog.facility.name:
+  dashed_name: log-syslog-facility-name
+  description: The Syslog text-based facility of the log event, if available.
+  example: local7
+  flat_name: log.syslog.facility.name
+  ignore_above: 1024
+  level: extended
+  name: syslog.facility.name
+  normalize: []
+  short: Syslog text-based facility of the event.
+  type: keyword
+log.syslog.priority:
+  dashed_name: log-syslog-priority
+  description: 'Syslog numeric priority of the event, if available.
+
+    According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This
+    number is therefore expected to contain a value between 0 and 191.'
+  example: 135
+  flat_name: log.syslog.priority
+  format: string
+  level: extended
+  name: syslog.priority
+  normalize: []
+  short: Syslog priority of the event.
+  type: long
+log.syslog.severity.code:
+  dashed_name: log-syslog-severity-code
+  description: 'The Syslog numeric severity of the log event, if available.
+
+    If the event source publishing via Syslog provides a different numeric severity
+    value (e.g. firewall, IDS), your source''s numeric severity should go to `event.severity`.
+    If the event source does not specify a distinct severity, you can optionally copy
+    the Syslog severity to `event.severity`.'
+  example: 3
+  flat_name: log.syslog.severity.code
+  level: extended
+  name: syslog.severity.code
+  normalize: []
+  short: Syslog numeric severity of the event.
+  type: long
+log.syslog.severity.name:
+  dashed_name: log-syslog-severity-name
+  description: 'The Syslog numeric severity of the log event, if available.
+
+    If the event source publishing via Syslog provides a different severity value
+    (e.g. firewall, IDS), your source''s text severity should go to `log.level`. If
+    the event source does not specify a distinct severity, you can optionally copy
+    the Syslog severity to `log.level`.'
+  example: Error
+  flat_name: log.syslog.severity.name
+  ignore_above: 1024
+  level: extended
+  name: syslog.severity.name
+  normalize: []
+  short: Syslog text-based severity of the event.
+  type: keyword
+message:
+  dashed_name: message
+  description: 'For log events the message field contains the log message, optimized
+    for viewing in a log viewer.
+
+    For structured logs without an original message field, other fields can be concatenated
+    to form a human-readable summary of the event.
+
+    If multiple messages exist, they can be combined into one message.'
+  example: Hello World
+  flat_name: message
+  level: core
+  name: message
+  normalize: []
+  norms: false
+  short: Log message optimized for viewing in a log viewer.
+  type: text
+network.application:
+  dashed_name: network-application
+  description: 'A name given to an application level protocol. This can be arbitrarily
+    assigned for things like microservices, but also apply to things like skype, icq,
+    facebook, twitter. This would be used in situations where the vendor or service
+    can be decoded such as from the source/dest IP owners, ports, or wire format.
+
+    The field value must be normalized to lowercase for querying. See the documentation
+    section "Implementing ECS".'
+  example: aim
+  flat_name: network.application
+  ignore_above: 1024
+  level: extended
+  name: application
+  normalize: []
+  short: Application level protocol name.
+  type: keyword
+network.bytes:
+  dashed_name: network-bytes
+  description: 'Total bytes transferred in both directions.
+
+    If `source.bytes` and `destination.bytes` are known, `network.bytes` is their
+    sum.'
+  example: 368
+  flat_name: network.bytes
+  format: bytes
+  level: core
+  name: bytes
+  normalize: []
+  short: Total bytes transferred in both directions.
+  type: long
+network.community_id:
+  dashed_name: network-community-id
+  description: 'A hash of source and destination IPs and ports, as well as the protocol
+    used in a communication. This is a tool-agnostic standard to identify flows.
+
+    Learn more at https://github.com/corelight/community-id-spec.'
+  example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=
+  flat_name: network.community_id
+  ignore_above: 1024
+  level: extended
+  name: community_id
+  normalize: []
+  short: A hash of source and destination IPs and ports.
+  type: keyword
+network.direction:
+  dashed_name: network-direction
+  description: "Direction of the network traffic.\nRecommended values are:\n  * ingress\n\
+    \  * egress\n  * inbound\n  * outbound\n  * internal\n  * external\n  * unknown\n\
+    \nWhen mapping events from a host-based monitoring context, populate this field\
+    \ from the host's point of view, using the values \"ingress\" or \"egress\".\n\
+    When mapping events from a network or perimeter-based monitoring context, populate\
+    \ this field from the point of view of the network perimeter, using the values\
+    \ \"inbound\", \"outbound\", \"internal\" or \"external\".\nNote that \"internal\"\
+    \ is not crossing perimeter boundaries, and is meant to describe communication\
+    \ between two hosts within the perimeter. Note also that \"external\" is meant\
+    \ to describe traffic between two hosts that are external to the perimeter. This\
+    \ could for example be useful for ISPs or VPN service providers."
+  example: inbound
+  flat_name: network.direction
+  ignore_above: 1024
+  level: core
+  name: direction
+  normalize: []
+  short: Direction of the network traffic.
+  type: keyword
+network.forwarded_ip:
+  dashed_name: network-forwarded-ip
+  description: Host IP address when the source IP address is the proxy.
+  example: 192.1.1.2
+  flat_name: network.forwarded_ip
+  level: core
+  name: forwarded_ip
+  normalize: []
+  short: Host IP address when the source IP address is the proxy.
+  type: ip
+network.iana_number:
+  dashed_name: network-iana-number
+  description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml).
+    Standardized list of protocols. This aligns well with NetFlow and sFlow related
+    logs which use the IANA Protocol Number.
+  example: 6
+  flat_name: network.iana_number
+  ignore_above: 1024
+  level: extended
+  name: iana_number
+  normalize: []
+  short: IANA Protocol Number.
+  type: keyword
+network.inner:
+  dashed_name: network-inner
+  description: Network.inner fields are added in addition to network.vlan fields to
+    describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields
+    include vlan.id and vlan.name. Inner vlan fields are typically used when sending
+    traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.)
+  flat_name: network.inner
+  level: extended
+  name: inner
+  normalize: []
+  short: Inner VLAN tag information
+  type: object
+network.inner.vlan.id:
+  dashed_name: network-inner-vlan-id
+  description: VLAN ID as reported by the observer.
+  example: 10
+  flat_name: network.inner.vlan.id
+  ignore_above: 1024
+  level: extended
+  name: id
+  normalize: []
+  original_fieldset: vlan
+  short: VLAN ID as reported by the observer.
+  type: keyword
+network.inner.vlan.name:
+  dashed_name: network-inner-vlan-name
+  description: Optional VLAN name as reported by the observer.
+  example: outside
+  flat_name: network.inner.vlan.name
+  ignore_above: 1024
+  level: extended
+  name: name
+  normalize: []
+  original_fieldset: vlan
+  short: Optional VLAN name as reported by the observer.
+  type: keyword
+network.name:
+  dashed_name: network-name
+  description: Name given by operators to sections of their network.
+  example: Guest Wifi
+  flat_name: network.name
+  ignore_above: 1024
+  level: extended
+  name: name
+  normalize: []
+  short: Name given by operators to sections of their network.
+  type: keyword
+network.packets:
+  dashed_name: network-packets
+  description: 'Total packets transferred in both directions.
+
+    If `source.packets` and `destination.packets` are known, `network.packets` is
+    their sum.'
+  example: 24
+  flat_name: network.packets
+  level: core
+  name: packets
+  normalize: []
+  short: Total packets transferred in both directions.
+  type: long
+network.protocol:
+  dashed_name: network-protocol
+  description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol.
+
+    The field value must be normalized to lowercase for querying. See the documentation
+    section "Implementing ECS".'
+  example: http
+  flat_name: network.protocol
+  ignore_above: 1024
+  level: core
+  name: protocol
+  normalize: []
+  short: L7 Network protocol name.
+  type: keyword
+network.transport:
+  dashed_name: network-transport
+  description: 'Same as network.iana_number, but instead using the Keyword name of
+    the transport layer (udp, tcp, ipv6-icmp, etc.)
+
+    The field value must be normalized to lowercase for querying. See the documentation
+    section "Implementing ECS".'
+  example: tcp
+  flat_name: network.transport
+  ignore_above: 1024
+  level: core
+  name: transport
+  normalize: []
+  short: Protocol Name corresponding to the field `iana_number`.
+  type: keyword
+network.type:
+  dashed_name: network-type
+  description: 'In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec,
+    pim, etc
+
+    The field value must be normalized to lowercase for querying. See the documentation
+    section "Implementing ECS".'
+  example: ipv4
+  flat_name: network.type
+  ignore_above: 1024
+  level: core
+  name: type
+  normalize: []
+  short: In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim,
+    etc
+  type: keyword
+network.vlan.id:
+  dashed_name: network-vlan-id
+  description: VLAN ID as reported by the observer.
+  example: 10
+  flat_name: network.vlan.id
+  ignore_above: 1024
+  level: extended
+  name: id
+  normalize: []
+  original_fieldset: vlan
+  short: VLAN ID as reported by the observer.
+  type: keyword
+network.vlan.name:
+  dashed_name: network-vlan-name
+  description: Optional VLAN name as reported by the observer.
+  example: outside
+  flat_name: network.vlan.name
+  ignore_above: 1024
+  level: extended
+  name: name
+  normalize: []
+  original_fieldset: vlan
+  short: Optional VLAN name as reported by the observer.
+  type: keyword
+observer.egress:
+  dashed_name: observer-egress
+  description: Observer.egress holds information like interface number and name, vlan,
+    and zone information to  classify egress traffic.  Single armed monitoring such
+    as a network sensor on a span port should  only use observer.ingress to categorize
+    traffic.
+  flat_name: observer.egress
+  level: extended
+  name: egress
+  normalize: []
+  short: Object field for egress information
+  type: object
+observer.egress.interface.alias:
+  dashed_name: observer-egress-interface-alias
+  description: Interface alias as reported by the system, typically used in firewall
+    implementations for e.g. inside, outside, or dmz logical interface naming.
+  example: outside
+  flat_name: observer.egress.interface.alias
+  ignore_above: 1024
+  level: extended
+  name: alias
+  normalize: []
+  original_fieldset: interface
+  short: Interface alias
+  type: keyword
+observer.egress.interface.id:
+  dashed_name: observer-egress-interface-id
+  description: Interface ID as reported by an observer (typically SNMP interface ID).
+  example: 10
+  flat_name: observer.egress.interface.id
+  ignore_above: 1024
+  level: extended
+  name: id
+  normalize: []
+  original_fieldset: interface
+  short: Interface ID
+  type: keyword
+observer.egress.interface.name:
+  dashed_name: observer-egress-interface-name
+  description: Interface name as reported by the system.
+  example: eth0
+  flat_name: observer.egress.interface.name
+  ignore_above: 1024
+  level: extended
+  name: name
+  normalize: []
+  original_fieldset: interface
+  short: Interface name
+  type: keyword
+observer.egress.vlan.id:
+  dashed_name: observer-egress-vlan-id
+  description: VLAN ID as reported by the observer.
+  example: 10
+  flat_name: observer.egress.vlan.id
+  ignore_above: 1024
+  level: extended
+  name: id
+  normalize: []
+  original_fieldset: vlan
+  short: VLAN ID as reported by the observer.
+  type: keyword
+observer.egress.vlan.name:
+  dashed_name: observer-egress-vlan-name
+  description: Optional VLAN name as reported by the observer.
+  example: outside
+  flat_name: observer.egress.vlan.name
+  ignore_above: 1024
+  level: extended
+  name: name
+  normalize: []
+  original_fieldset: vlan
+  short: Optional VLAN name as reported by the observer.
+  type: keyword
+observer.egress.zone:
+  dashed_name: observer-egress-zone
+  description: Network zone of outbound traffic as reported by the observer to categorize
+    the destination area of egress  traffic, e.g. Internal, External, DMZ, HR, Legal,
+    etc.
+  example: Public_Internet
+  flat_name: observer.egress.zone
+  ignore_above: 1024
+  level: extended
+  name: egress.zone
+  normalize: []
+  short: Observer Egress zone
+  type: keyword
+observer.geo.city_name:
+  dashed_name: observer-geo-city-name
+  description: City name.
+  example: Montreal
+  flat_name: observer.geo.city_name
+  ignore_above: 1024
+  level: core
+  name: city_name
+  normalize: []
+  original_fieldset: geo
+  short: City name.
+  type: keyword
+observer.geo.continent_name:
+  dashed_name: observer-geo-continent-name
+  description: Name of the continent.
+  example: North America
+  flat_name: observer.geo.continent_name
+  ignore_above: 1024
+  level: core
+  name: continent_name
+  normalize: []
+  original_fieldset: geo
+  short: Name of the continent.
+  type: keyword
+observer.geo.country_iso_code:
+  dashed_name: observer-geo-country-iso-code
+  description: Country ISO code.
+  example: CA
+  flat_name: observer.geo.country_iso_code
+  ignore_above: 1024
+  level: core
+  name: country_iso_code
+  normalize: []
+  original_fieldset: geo
+  short: Country ISO code.
+  type: keyword
+observer.geo.country_name:
+  dashed_name: observer-geo-country-name
+  description: Country name.
+  example: Canada
+  flat_name: observer.geo.country_name
+  ignore_above: 1024
+  level: core
+  name: country_name
+  normalize: []
+  original_fieldset: geo
+  short: Country name.
+  type: keyword
+observer.geo.location:
+  dashed_name: observer-geo-location
+  description: Longitude and latitude.
+  example: '{ "lon": -73.614830, "lat": 45.505918 }'
+  flat_name: observer.geo.location
+  level: core
+  name: location
+  normalize: []
+  original_fieldset: geo
+  short: Longitude and latitude.
+  type: geo_point
+observer.geo.name:
+  dashed_name: observer-geo-name
+  description: 'User-defined description of a location, at the level of granularity
+    they care about.
+
+    Could be the name of their data centers, the floor number, if this describes a
+    local physical entity, city names.
+
+    Not typically used in automated geolocation.'
+  example: boston-dc
+  flat_name: observer.geo.name
+  level: extended
+  name: name
+  normalize: []
+  original_fieldset: geo
+  short: User-defined description of a location.
+  type: wildcard
+observer.geo.region_iso_code:
+  dashed_name: observer-geo-region-iso-code
+  description: Region ISO code.
+  example: CA-QC
+  flat_name: observer.geo.region_iso_code
+  ignore_above: 1024
+  level: core
+  name: region_iso_code
+  normalize: []
+  original_fieldset: geo
+  short: Region ISO code.
+  type: keyword
+observer.geo.region_name:
+  dashed_name: observer-geo-region-name
+  description: Region name.
+  example: Quebec
+  flat_name: observer.geo.region_name
+  ignore_above: 1024
+  level: core
+  name: region_name
+  normalize: []
+  original_fieldset: geo
+  short: Region name.
+  type: keyword
+observer.hostname:
+  dashed_name: observer-hostname
+  description: Hostname of the observer.
+  flat_name: observer.hostname
+  ignore_above: 1024
+  level: core
+  name: hostname
+  normalize: []
+  short: Hostname of the observer.
+  type: keyword
+observer.ingress:
+  dashed_name: observer-ingress
+  description: Observer.ingress holds information like interface number and name,
+    vlan, and zone information to  classify ingress traffic.  Single armed monitoring
+    such as a network sensor on a span port should  only use observer.ingress to categorize
+    traffic.
+  flat_name: observer.ingress
+  level: extended
+  name: ingress
+  normalize: []
+  short: Object field for ingress information
+  type: object
+observer.ingress.interface.alias:
+  dashed_name: observer-ingress-interface-alias
+  description: Interface alias as reported by the system, typically used in firewall
+    implementations for e.g. inside, outside, or dmz logical interface naming.
+  example: outside
+  flat_name: observer.ingress.interface.alias
+  ignore_above: 1024
+  level: extended
+  name: alias
+  normalize: []
+  original_fieldset: interface
+  short: Interface alias
+  type: keyword
+observer.ingress.interface.id:
+  dashed_name: observer-ingress-interface-id
+  description: Interface ID as reported by an observer (typically SNMP interface ID).
+  example: 10
+  flat_name: observer.ingress.interface.id
+  ignore_above: 1024
+  level: extended
+  name: id
+  normalize: []
+  original_fieldset: interface
+  short: Interface ID
+  type: keyword
+observer.ingress.interface.name:
+  dashed_name: observer-ingress-interface-name
+  description: Interface name as reported by the system.
+  example: eth0
+  flat_name: observer.ingress.interface.name
+  ignore_above: 1024
+  level: extended
+  name: name
+  normalize: []
+  original_fieldset: interface
+  short: Interface name
+  type: keyword
+observer.ingress.vlan.id:
+  dashed_name: observer-ingress-vlan-id
+  description: VLAN ID as reported by the observer.
+  example: 10
+  flat_name: observer.ingress.vlan.id
+  ignore_above: 1024
+  level: extended
+  name: id
+  normalize: []
+  original_fieldset: vlan
+  short: VLAN ID as reported by the observer.
+  type: keyword
+observer.ingress.vlan.name:
+  dashed_name: observer-ingress-vlan-name
+  description: Optional VLAN name as reported by the observer.
+  example: outside
+  flat_name: observer.ingress.vlan.name
+  ignore_above: 1024
+  level: extended
+  name: name
+  normalize: []
+  original_fieldset: vlan
+  short: Optional VLAN name as reported by the observer.
+  type: keyword
+observer.ingress.zone:
+  dashed_name: observer-ingress-zone
+  description: Network zone of incoming traffic as reported by the observer to categorize
+    the source area of ingress  traffic. e.g. internal, External, DMZ, HR, Legal,
+    etc.
+  example: DMZ
+  flat_name: observer.ingress.zone
+  ignore_above: 1024
+  level: extended
+  name: ingress.zone
+  normalize: []
+  short: Observer ingress zone
+  type: keyword
+observer.ip:
+  dashed_name: observer-ip
+  description: IP addresses of the observer.
+  flat_name: observer.ip
+  level: core
+  name: ip
+  normalize:
+  - array
+  short: IP addresses of the observer.
+  type: ip
+observer.mac:
+  dashed_name: observer-mac
+  description: MAC addresses of the observer
+  flat_name: observer.mac
+  ignore_above: 1024
+  level: core
+  name: mac
+  normalize:
+  - array
+  short: MAC addresses of the observer
+  type: keyword
+observer.name:
+  dashed_name: observer-name
+  description: 'Custom name of the observer.
+
+    This is a name that can be given to an observer. This can be helpful for example
+    if multiple firewalls of the same model are used in an organization.
+
+    If no custom name is needed, the field can be left empty.'
+  example: 1_proxySG
+  flat_name: observer.name
+  ignore_above: 1024
+  level: extended
+  name: name
+  normalize: []
+  short: Custom name of the observer.
+  type: keyword
+observer.os.family:
+  dashed_name: observer-os-family
+  description: OS family (such as redhat, debian, freebsd, windows).
+  example: debian
+  flat_name: observer.os.family
+  ignore_above: 1024
+  level: extended
+  name: family
+  normalize: []
+  original_fieldset: os
+  short: OS family (such as redhat, debian, freebsd, windows).
+  type: keyword
+observer.os.full:
+  dashed_name: observer-os-full
+  description: Operating system name, including the version or code name.
+  example: Mac OS Mojave
+  flat_name: observer.os.full
+  level: extended
+  multi_fields:
+  - flat_name: observer.os.full.text
+    name: text
+    norms: false
+    type: text
+  name: full
+  normalize: []
+  original_fieldset: os
+  short: Operating system name, including the version or code name.
+  type: wildcard
+observer.os.kernel:
+  dashed_name: observer-os-kernel
+  description: Operating system kernel version as a raw string.
+  example: 4.4.0-112-generic
+  flat_name: observer.os.kernel
+  ignore_above: 1024
+  level: extended
+  name: kernel
+  normalize: []
+  original_fieldset: os
+  short: Operating system kernel version as a raw string.
+  type: keyword
+observer.os.name:
+  dashed_name: observer-os-name
+  description: Operating system name, without the version.
+  example: Mac OS X
+  flat_name: observer.os.name
+  level: extended
+  multi_fields:
+  - flat_name: observer.os.name.text
+    name: text
+    norms: false
+    type: text
+  name: name
+  normalize: []
+  original_fieldset: os
+  short: Operating system name, without the version.
+  type: wildcard
+observer.os.platform:
+  dashed_name: observer-os-platform
+  description: Operating system platform (such centos, ubuntu, windows).
+  example: darwin
+  flat_name: observer.os.platform
+  ignore_above: 1024
+  level: extended
+  name: platform
+  normalize: []
+  original_fieldset: os
+  short: Operating system platform (such centos, ubuntu, windows).
+  type: keyword
+observer.os.version:
+  dashed_name: observer-os-version
+  description: Operating system version as a raw string.
+  example: 10.14.1
+  flat_name: observer.os.version
+  ignore_above: 1024
+  level: extended
+  name: version
+  normalize: []
+  original_fieldset: os
+  short: Operating system version as a raw string.
+  type: keyword
+observer.product:
+  dashed_name: observer-product
+  description: The product name of the observer.
+  example: s200
+  flat_name: observer.product
+  ignore_above: 1024
+  level: extended
+  name: product
+  normalize: []
+  short: The product name of the observer.
+  type: keyword
+observer.serial_number:
+  dashed_name: observer-serial-number
+  description: Observer serial number.
+  flat_name: observer.serial_number
+  ignore_above: 1024
+  level: extended
+  name: serial_number
+  normalize: []
+  short: Observer serial number.
+  type: keyword
+observer.type:
+  dashed_name: observer-type
+  description: 'The type of the observer the data is coming from.
+
+    There is no predefined list of observer types. Some examples are `forwarder`,
+    `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.'
+  example: firewall
+  flat_name: observer.type
+  ignore_above: 1024
+  level: core
+  name: type
+  normalize: []
+  short: The type of the observer the data is coming from.
+  type: keyword
+observer.vendor:
+  dashed_name: observer-vendor
+  description: Vendor name of the observer.
+  example: Symantec
+  flat_name: observer.vendor
+  ignore_above: 1024
+  level: core
+  name: vendor
+  normalize: []
+  short: Vendor name of the observer.
+  type: keyword
+observer.version:
+  dashed_name: observer-version
+  description: Observer version.
+  flat_name: observer.version
+  ignore_above: 1024
+  level: core
+  name: version
+  normalize: []
+  short: Observer version.
+  type: keyword
+organization.id:
+  dashed_name: organization-id
+  description: Unique identifier for the organization.
+  flat_name: organization.id
+  ignore_above: 1024
+  level: extended
+  name: id
+  normalize: []
+  short: Unique identifier for the organization.
+  type: keyword
+organization.name:
+  dashed_name: organization-name
+  description: Organization name.
+  flat_name: organization.name
+  level: extended
+  multi_fields:
+  - flat_name: organization.name.text
+    name: text
+    norms: false
+    type: text
+  name: name
+  normalize: []
+  short: Organization name.
+  type: wildcard
+package.architecture:
+  dashed_name: package-architecture
+  description: Package architecture.
+  example: x86_64
+  flat_name: package.architecture
+  ignore_above: 1024
+  level: extended
+  name: architecture
+  normalize: []
+  short: Package architecture.
+  type: keyword
+package.build_version:
+  dashed_name: package-build-version
+  description: 'Additional information about the build version of the installed package.
+
+    For example use the commit SHA of a non-released package.'
+  example: 36f4f7e89dd61b0988b12ee000b98966867710cd
+  flat_name: package.build_version
+  ignore_above: 1024
+  level: extended
+  name: build_version
+  normalize: []
+  short: Build version information
+  type: keyword
+package.checksum:
+  dashed_name: package-checksum
+  description: Checksum of the installed package for verification.
+  example: 68b329da9893e34099c7d8ad5cb9c940
+  flat_name: package.checksum
+  ignore_above: 1024
+  level: extended
+  name: checksum
+  normalize: []
+  short: Checksum of the installed package for verification.
+  type: keyword
+package.description:
+  dashed_name: package-description
+  description: Description of the package.
+  example: Open source programming language to build simple/reliable/efficient software.
+  flat_name: package.description
+  ignore_above: 1024
+  level: extended
+  name: description
+  normalize: []
+  short: Description of the package.
+  type: keyword
+package.install_scope:
+  dashed_name: package-install-scope
+  description: Indicating how the package was installed, e.g. user-local, global.
+  example: global
+  flat_name: package.install_scope
+  ignore_above: 1024
+  level: extended
+  name: install_scope
+  normalize: []
+  short: Indicating how the package was installed, e.g. user-local, global.
+  type: keyword
+package.installed:
+  dashed_name: package-installed
+  description: Time when package was installed.
+  flat_name: package.installed
+  level: extended
+  name: installed
+  normalize: []
+  short: Time when package was installed.
+  type: date
+package.license:
+  dashed_name: package-license
+  description: 'License under which the package was released.
+
+    Use a short name, e.g. the license identifier from SPDX License List where possible
+    (https://spdx.org/licenses/).'
+  example: Apache License 2.0
+  flat_name: package.license
+  ignore_above: 1024
+  level: extended
+  name: license
+  normalize: []
+  short: Package license
+  type: keyword
+package.name:
+  dashed_name: package-name
+  description: Package name
+  example: go
+  flat_name: package.name
+  ignore_above: 1024
+  level: extended
+  name: name
+  normalize: []
+  short: Package name
+  type: keyword
+package.path:
+  dashed_name: package-path
+  description: Path where the package is installed.
+  example: /usr/local/Cellar/go/1.12.9/
+  flat_name: package.path
+  ignore_above: 1024
+  level: extended
+  name: path
+  normalize: []
+  short: Path where the package is installed.
+  type: keyword
+package.reference:
+  dashed_name: package-reference
+  description: Home page or reference URL of the software in this package, if available.
+  example: https://golang.org
+  flat_name: package.reference
+  ignore_above: 1024
+  level: extended
+  name: reference
+  normalize: []
+  short: Package home page or reference URL
+  type: keyword
+package.size:
+  dashed_name: package-size
+  description: Package size in bytes.
+  example: 62231
+  flat_name: package.size
+  format: string
+  level: extended
+  name: size
+  normalize: []
+  short: Package size in bytes.
+  type: long
+package.type:
+  dashed_name: package-type
+  description: 'Type of package.
+
+    This should contain the package file type, rather than the package manager name.
+    Examples: rpm, dpkg, brew, npm, gem, nupkg, jar.'
+  example: rpm
+  flat_name: package.type
+  ignore_above: 1024
+  level: extended
+  name: type
+  normalize: []
+  short: Package type
+  type: keyword
+package.version:
+  dashed_name: package-version
+  description: Package version
+  example: 1.12.9
+  flat_name: package.version
+  ignore_above: 1024
+  level: extended
+  name: version
+  normalize: []
+  short: Package version
+  type: keyword
+process.args:
+  dashed_name: process-args
+  description: 'Array of process arguments, starting with the absolute path to the
+    executable.
+
+    May be filtered to protect sensitive information.'
+  example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
+  flat_name: process.args
+  ignore_above: 1024
+  level: extended
+  name: args
+  normalize:
+  - array
+  short: Array of process arguments.
+  type: keyword
+process.args_count:
+  dashed_name: process-args-count
+  description: 'Length of the process.args array.
+
+    This field can be useful for querying or performing bucket analysis on how many
+    arguments were provided to start a process. More arguments may be an indication
+    of suspicious activity.'
+  example: 4
+  flat_name: process.args_count
+  level: extended
+  name: args_count
+  normalize: []
+  short: Length of the process.args array.
+  type: long
+process.code_signature.exists:
+  dashed_name: process-code-signature-exists
+  description: Boolean to capture if a signature is present.
+  example: 'true'
+  flat_name: process.code_signature.exists
+  level: core
+  name: exists
+  normalize: []
+  original_fieldset: code_signature
+  short: Boolean to capture if a signature is present.
+  type: boolean
+process.code_signature.status:
+  dashed_name: process-code-signature-status
+  description: 'Additional information about the certificate status.
+
+    This is useful for logging cryptographic errors with the certificate validity
+    or trust status. Leave unpopulated if the validity or trust of the certificate
+    was unchecked.'
+  example: ERROR_UNTRUSTED_ROOT
+  flat_name: process.code_signature.status
+  ignore_above: 1024
+  level: extended
+  name: status
+  normalize: []
+  original_fieldset: code_signature
+  short: Additional information about the certificate status.
+  type: keyword
+process.code_signature.subject_name:
+  dashed_name: process-code-signature-subject-name
+  description: Subject name of the code signer
+  example: Microsoft Corporation
+  flat_name: process.code_signature.subject_name
+  ignore_above: 1024
+  level: core
+  name: subject_name
+  normalize: []
+  original_fieldset: code_signature
+  short: Subject name of the code signer
+  type: keyword
+process.code_signature.trusted:
+  dashed_name: process-code-signature-trusted
+  description: 'Stores the trust status of the certificate chain.
+
+    Validating the trust of the certificate chain may be complicated, and this field
+    should only be populated by tools that actively check the status.'
+  example: 'true'
+  flat_name: process.code_signature.trusted
+  level: extended
+  name: trusted
+  normalize: []
+  original_fieldset: code_signature
+  short: Stores the trust status of the certificate chain.
+  type: boolean
+process.code_signature.valid:
+  dashed_name: process-code-signature-valid
+  description: 'Boolean to capture if the digital signature is verified against the
+    binary content.
+
+    Leave unpopulated if a certificate was unchecked.'
+  example: 'true'
+  flat_name: process.code_signature.valid
+  level: extended
+  name: valid
+  normalize: []
+  original_fieldset: code_signature
+  short: Boolean to capture if the digital signature is verified against the binary
+    content.
+  type: boolean
+process.command_line:
+  dashed_name: process-command-line
+  description: 'Full command line that started the process, including the absolute
+    path to the executable, and all arguments.
+
+    Some arguments may be filtered to protect sensitive information.'
+  example: /usr/bin/ssh -l user 10.0.0.16
+  flat_name: process.command_line
+  level: extended
+  multi_fields:
+  - flat_name: process.command_line.text
+    name: text
+    norms: false
+    type: text
+  name: command_line
+  normalize: []
+  short: Full command line that started the process.
+  type: wildcard
+process.entity_id:
+  dashed_name: process-entity-id
+  description: 'Unique identifier for the process.
+
+    The implementation of this is specified by the data source, but some examples
+    of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
+    or a hash of some uniquely identifying components of a process.
+
+    Constructing a globally unique identifier is a common practice to mitigate PID
+    reuse as well as to identify a specific process over time, across multiple monitored
+    hosts.'
+  example: c2c455d9f99375d
+  flat_name: process.entity_id
+  ignore_above: 1024
+  level: extended
+  name: entity_id
+  normalize: []
+  short: Unique identifier for the process.
+  type: keyword
+process.executable:
+  dashed_name: process-executable
+  description: Absolute path to the process executable.
+  example: /usr/bin/ssh
+  flat_name: process.executable
+  level: extended
+  multi_fields:
+  - flat_name: process.executable.text
+    name: text
+    norms: false
+    type: text
+  name: executable
+  normalize: []
+  short: Absolute path to the process executable.
+  type: wildcard
+process.exit_code:
+  dashed_name: process-exit-code
+  description: 'The exit code of the process, if this is a termination event.
+
+    The field should be absent if there is no exit code for the event (e.g. process
+    start).'
+  example: 137
+  flat_name: process.exit_code
+  level: extended
+  name: exit_code
+  normalize: []
+  short: The exit code of the process.
+  type: long
+process.hash.md5:
+  dashed_name: process-hash-md5
+  description: MD5 hash.
+  flat_name: process.hash.md5
+  ignore_above: 1024
+  level: extended
+  name: md5
+  normalize: []
+  original_fieldset: hash
+  short: MD5 hash.
+  type: keyword
+process.hash.sha1:
+  dashed_name: process-hash-sha1
+  description: SHA1 hash.
+  flat_name: process.hash.sha1
+  ignore_above: 1024
+  level: extended
+  name: sha1
+  normalize: []
+  original_fieldset: hash
+  short: SHA1 hash.
+  type: keyword
+process.hash.sha256:
+  dashed_name: process-hash-sha256
+  description: SHA256 hash.
+  flat_name: process.hash.sha256
+  ignore_above: 1024
+  level: extended
+  name: sha256
+  normalize: []
+  original_fieldset: hash
+  short: SHA256 hash.
+  type: keyword
+process.hash.sha512:
+  dashed_name: process-hash-sha512
+  description: SHA512 hash.
+  flat_name: process.hash.sha512
+  ignore_above: 1024
+  level: extended
+  name: sha512
+  normalize: []
+  original_fieldset: hash
+  short: SHA512 hash.
+  type: keyword
+process.name:
+  dashed_name: process-name
+  description: 'Process name.
+
+    Sometimes called program name or similar.'
+  example: ssh
+  flat_name: process.name
+  level: extended
+  multi_fields:
+  - flat_name: process.name.text
+    name: text
+    norms: false
+    type: text
+  name: name
+  normalize: []
+  short: Process name.
+  type: wildcard
+process.parent.args:
+  dashed_name: process-parent-args
+  description: 'Array of process arguments, starting with the absolute path to the
+    executable.
+
+    May be filtered to protect sensitive information.'
+  example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
+  flat_name: process.parent.args
+  ignore_above: 1024
+  level: extended
+  name: args
+  normalize:
+  - array
+  original_fieldset: process
+  short: Array of process arguments.
+  type: keyword
+process.parent.args_count:
+  dashed_name: process-parent-args-count
+  description: 'Length of the process.args array.
+
+    This field can be useful for querying or performing bucket analysis on how many
+    arguments were provided to start a process. More arguments may be an indication
+    of suspicious activity.'
+  example: 4
+  flat_name: process.parent.args_count
+  level: extended
+  name: args_count
+  normalize: []
+  original_fieldset: process
+  short: Length of the process.args array.
+  type: long
+process.parent.code_signature.exists:
+  dashed_name: process-parent-code-signature-exists
+  description: Boolean to capture if a signature is present.
+  example: 'true'
+  flat_name: process.parent.code_signature.exists
+  level: core
+  name: exists
+  normalize: []
+  original_fieldset: code_signature
+  short: Boolean to capture if a signature is present.
+  type: boolean
+process.parent.code_signature.status:
+  dashed_name: process-parent-code-signature-status
+  description: 'Additional information about the certificate status.
+
+    This is useful for logging cryptographic errors with the certificate validity
+    or trust status. Leave unpopulated if the validity or trust of the certificate
+    was unchecked.'
+  example: ERROR_UNTRUSTED_ROOT
+  flat_name: process.parent.code_signature.status
+  ignore_above: 1024
+  level: extended
+  name: status
+  normalize: []
+  original_fieldset: code_signature
+  short: Additional information about the certificate status.
+  type: keyword
+process.parent.code_signature.subject_name:
+  dashed_name: process-parent-code-signature-subject-name
+  description: Subject name of the code signer
+  example: Microsoft Corporation
+  flat_name: process.parent.code_signature.subject_name
+  ignore_above: 1024
+  level: core
+  name: subject_name
+  normalize: []
+  original_fieldset: code_signature
+  short: Subject name of the code signer
+  type: keyword
+process.parent.code_signature.trusted:
+  dashed_name: process-parent-code-signature-trusted
+  description: 'Stores the trust status of the certificate chain.
+
+    Validating the trust of the certificate chain may be complicated, and this field
+    should only be populated by tools that actively check the status.'
+  example: 'true'
+  flat_name: process.parent.code_signature.trusted
+  level: extended
+  name: trusted
+  normalize: []
+  original_fieldset: code_signature
+  short: Stores the trust status of the certificate chain.
+  type: boolean
+process.parent.code_signature.valid:
+  dashed_name: process-parent-code-signature-valid
+  description: 'Boolean to capture if the digital signature is verified against the
+    binary content.
+
+    Leave unpopulated if a certificate was unchecked.'
+  example: 'true'
+  flat_name: process.parent.code_signature.valid
+  level: extended
+  name: valid
+  normalize: []
+  original_fieldset: code_signature
+  short: Boolean to capture if the digital signature is verified against the binary
+    content.
+  type: boolean
+process.parent.command_line:
+  dashed_name: process-parent-command-line
+  description: 'Full command line that started the process, including the absolute
+    path to the executable, and all arguments.
+
+    Some arguments may be filtered to protect sensitive information.'
+  example: /usr/bin/ssh -l user 10.0.0.16
+  flat_name: process.parent.command_line
+  level: extended
+  multi_fields:
+  - flat_name: process.parent.command_line.text
+    name: text
+    norms: false
+    type: text
+  name: command_line
+  normalize: []
+  original_fieldset: process
+  short: Full command line that started the process.
+  type: wildcard
+process.parent.entity_id:
+  dashed_name: process-parent-entity-id
+  description: 'Unique identifier for the process.
+
+    The implementation of this is specified by the data source, but some examples
+    of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
+    or a hash of some uniquely identifying components of a process.
+
+    Constructing a globally unique identifier is a common practice to mitigate PID
+    reuse as well as to identify a specific process over time, across multiple monitored
+    hosts.'
+  example: c2c455d9f99375d
+  flat_name: process.parent.entity_id
+  ignore_above: 1024
+  level: extended
+  name: entity_id
+  normalize: []
+  original_fieldset: process
+  short: Unique identifier for the process.
+  type: keyword
+process.parent.executable:
+  dashed_name: process-parent-executable
+  description: Absolute path to the process executable.
+  example: /usr/bin/ssh
+  flat_name: process.parent.executable
+  level: extended
+  multi_fields:
+  - flat_name: process.parent.executable.text
+    name: text
+    norms: false
+    type: text
+  name: executable
+  normalize: []
+  original_fieldset: process
+  short: Absolute path to the process executable.
+  type: wildcard
+process.parent.exit_code:
+  dashed_name: process-parent-exit-code
+  description: 'The exit code of the process, if this is a termination event.
+
+    The field should be absent if there is no exit code for the event (e.g. process
+    start).'
+  example: 137
+  flat_name: process.parent.exit_code
+  level: extended
+  name: exit_code
+  normalize: []
+  original_fieldset: process
+  short: The exit code of the process.
+  type: long
+process.parent.hash.md5:
+  dashed_name: process-parent-hash-md5
+  description: MD5 hash.
+  flat_name: process.parent.hash.md5
+  ignore_above: 1024
+  level: extended
+  name: md5
+  normalize: []
+  original_fieldset: hash
+  short: MD5 hash.
+  type: keyword
+process.parent.hash.sha1:
+  dashed_name: process-parent-hash-sha1
+  description: SHA1 hash.
+  flat_name: process.parent.hash.sha1
+  ignore_above: 1024
+  level: extended
+  name: sha1
+  normalize: []
+  original_fieldset: hash
+  short: SHA1 hash.
+  type: keyword
+process.parent.hash.sha256:
+  dashed_name: process-parent-hash-sha256
+  description: SHA256 hash.
+  flat_name: process.parent.hash.sha256
+  ignore_above: 1024
+  level: extended
+  name: sha256
+  normalize: []
+  original_fieldset: hash
+  short: SHA256 hash.
+  type: keyword
+process.parent.hash.sha512:
+  dashed_name: process-parent-hash-sha512
+  description: SHA512 hash.
+  flat_name: process.parent.hash.sha512
+  ignore_above: 1024
+  level: extended
+  name: sha512
+  normalize: []
+  original_fieldset: hash
+  short: SHA512 hash.
+  type: keyword
+process.parent.name:
+  dashed_name: process-parent-name
+  description: 'Process name.
+
+    Sometimes called program name or similar.'
+  example: ssh
+  flat_name: process.parent.name
+  level: extended
+  multi_fields:
+  - flat_name: process.parent.name.text
+    name: text
+    norms: false
+    type: text
+  name: name
+  normalize: []
+  original_fieldset: process
+  short: Process name.
+  type: wildcard
+process.parent.pe.architecture:
+  dashed_name: process-parent-pe-architecture
+  description: CPU architecture target for the file.
+  example: x64
+  flat_name: process.parent.pe.architecture
+  ignore_above: 1024
+  level: extended
+  name: architecture
+  normalize: []
+  original_fieldset: pe
+  short: CPU architecture target for the file.
+  type: keyword
+process.parent.pe.company:
+  dashed_name: process-parent-pe-company
+  description: Internal company name of the file, provided at compile-time.
+  example: Microsoft Corporation
+  flat_name: process.parent.pe.company
+  ignore_above: 1024
+  level: extended
+  name: company
+  normalize: []
+  original_fieldset: pe
+  short: Internal company name of the file, provided at compile-time.
+  type: keyword
+process.parent.pe.description:
+  dashed_name: process-parent-pe-description
+  description: Internal description of the file, provided at compile-time.
+  example: Paint
+  flat_name: process.parent.pe.description
+  ignore_above: 1024
+  level: extended
+  name: description
+  normalize: []
+  original_fieldset: pe
+  short: Internal description of the file, provided at compile-time.
+  type: keyword
+process.parent.pe.file_version:
+  dashed_name: process-parent-pe-file-version
+  description: Internal version of the file, provided at compile-time.
+  example: 6.3.9600.17415
+  flat_name: process.parent.pe.file_version
+  ignore_above: 1024
+  level: extended
+  name: file_version
+  normalize: []
+  original_fieldset: pe
+  short: Process name.
+  type: keyword
+process.parent.pe.imphash:
+  dashed_name: process-parent-pe-imphash
+  description: 'A hash of the imports in a PE file. An imphash -- or import hash --
+    can be used to fingerprint binaries even after recompilation or other code-level
+    transformations have occurred, which would change more traditional hash values.
+
+    Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+  example: 0c6803c4e922103c4dca5963aad36ddf
+  flat_name: process.parent.pe.imphash
+  ignore_above: 1024
+  level: extended
+  name: imphash
+  normalize: []
+  original_fieldset: pe
+  short: A hash of the imports in a PE file.
+  type: keyword
+process.parent.pe.original_file_name:
+  dashed_name: process-parent-pe-original-file-name
+  description: Internal name of the file, provided at compile-time.
+  example: MSPAINT.EXE
+  flat_name: process.parent.pe.original_file_name
+  level: extended
+  name: original_file_name
+  normalize: []
+  original_fieldset: pe
+  short: Internal name of the file, provided at compile-time.
+  type: wildcard
+process.parent.pe.product:
+  dashed_name: process-parent-pe-product
+  description: Internal product name of the file, provided at compile-time.
+  example: "Microsoft\xAE Windows\xAE Operating System"
+  flat_name: process.parent.pe.product
+  ignore_above: 1024
+  level: extended
+  name: product
+  normalize: []
+  original_fieldset: pe
+  short: Internal product name of the file, provided at compile-time.
+  type: keyword
+process.parent.pgid:
+  dashed_name: process-parent-pgid
+  description: Identifier of the group of processes the process belongs to.
+  flat_name: process.parent.pgid
+  format: string
+  level: extended
+  name: pgid
+  normalize: []
+  original_fieldset: process
+  short: Identifier of the group of processes the process belongs to.
+  type: long
+process.parent.pid:
+  dashed_name: process-parent-pid
+  description: Process id.
+  example: 4242
+  flat_name: process.parent.pid
+  format: string
+  level: core
+  name: pid
+  normalize: []
+  original_fieldset: process
+  short: Process id.
+  type: long
+process.parent.ppid:
+  dashed_name: process-parent-ppid
+  description: Parent process' pid.
+  example: 4241
+  flat_name: process.parent.ppid
+  format: string
+  level: extended
+  name: ppid
+  normalize: []
+  original_fieldset: process
+  short: Parent process' pid.
+  type: long
+process.parent.start:
+  dashed_name: process-parent-start
+  description: The time the process started.
+  example: '2016-05-23T08:05:34.853Z'
+  flat_name: process.parent.start
+  level: extended
+  name: start
+  normalize: []
+  original_fieldset: process
+  short: The time the process started.
+  type: date
+process.parent.thread.id:
+  dashed_name: process-parent-thread-id
+  description: Thread ID.
+  example: 4242
+  flat_name: process.parent.thread.id
+  format: string
+  level: extended
+  name: thread.id
+  normalize: []
+  original_fieldset: process
+  short: Thread ID.
+  type: long
+process.parent.thread.name:
+  dashed_name: process-parent-thread-name
+  description: Thread name.
+  example: thread-0
+  flat_name: process.parent.thread.name
+  ignore_above: 1024
+  level: extended
+  name: thread.name
+  normalize: []
+  original_fieldset: process
+  short: Thread name.
+  type: keyword
+process.parent.title:
+  dashed_name: process-parent-title
+  description: 'Process title.
+
+    The proctitle, some times the same as process name. Can also be different: for
+    example a browser setting its title to the web page currently opened.'
+  flat_name: process.parent.title
+  level: extended
+  multi_fields:
+  - flat_name: process.parent.title.text
+    name: text
+    norms: false
+    type: text
+  name: title
+  normalize: []
+  original_fieldset: process
+  short: Process title.
+  type: wildcard
+process.parent.uptime:
+  dashed_name: process-parent-uptime
+  description: Seconds the process has been up.
+  example: 1325
+  flat_name: process.parent.uptime
+  level: extended
+  name: uptime
+  normalize: []
+  original_fieldset: process
+  short: Seconds the process has been up.
+  type: long
+process.parent.working_directory:
+  dashed_name: process-parent-working-directory
+  description: The working directory of the process.
+  example: /home/alice
+  flat_name: process.parent.working_directory
+  level: extended
+  multi_fields:
+  - flat_name: process.parent.working_directory.text
+    name: text
+    norms: false
+    type: text
+  name: working_directory
+  normalize: []
+  original_fieldset: process
+  short: The working directory of the process.
+  type: wildcard
+process.pe.architecture:
+  dashed_name: process-pe-architecture
+  description: CPU architecture target for the file.
+  example: x64
+  flat_name: process.pe.architecture
+  ignore_above: 1024
+  level: extended
+  name: architecture
+  normalize: []
+  original_fieldset: pe
+  short: CPU architecture target for the file.
+  type: keyword
+process.pe.company:
+  dashed_name: process-pe-company
+  description: Internal company name of the file, provided at compile-time.
+  example: Microsoft Corporation
+  flat_name: process.pe.company
+  ignore_above: 1024
+  level: extended
+  name: company
+  normalize: []
+  original_fieldset: pe
+  short: Internal company name of the file, provided at compile-time.
+  type: keyword
+process.pe.description:
+  dashed_name: process-pe-description
+  description: Internal description of the file, provided at compile-time.
+  example: Paint
+  flat_name: process.pe.description
+  ignore_above: 1024
+  level: extended
+  name: description
+  normalize: []
+  original_fieldset: pe
+  short: Internal description of the file, provided at compile-time.
+  type: keyword
+process.pe.file_version:
+  dashed_name: process-pe-file-version
+  description: Internal version of the file, provided at compile-time.
+  example: 6.3.9600.17415
+  flat_name: process.pe.file_version
+  ignore_above: 1024
+  level: extended
+  name: file_version
+  normalize: []
+  original_fieldset: pe
+  short: Process name.
+  type: keyword
+process.pe.imphash:
+  dashed_name: process-pe-imphash
+  description: 'A hash of the imports in a PE file. An imphash -- or import hash --
+    can be used to fingerprint binaries even after recompilation or other code-level
+    transformations have occurred, which would change more traditional hash values.
+
+    Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+  example: 0c6803c4e922103c4dca5963aad36ddf
+  flat_name: process.pe.imphash
+  ignore_above: 1024
+  level: extended
+  name: imphash
+  normalize: []
+  original_fieldset: pe
+  short: A hash of the imports in a PE file.
+  type: keyword
+process.pe.original_file_name:
+  dashed_name: process-pe-original-file-name
+  description: Internal name of the file, provided at compile-time.
+  example: MSPAINT.EXE
+  flat_name: process.pe.original_file_name
+  level: extended
+  name: original_file_name
+  normalize: []
+  original_fieldset: pe
+  short: Internal name of the file, provided at compile-time.
+  type: wildcard
+process.pe.product:
+  dashed_name: process-pe-product
+  description: Internal product name of the file, provided at compile-time.
+  example: "Microsoft\xAE Windows\xAE Operating System"
+  flat_name: process.pe.product
+  ignore_above: 1024
+  level: extended
+  name: product
+  normalize: []
+  original_fieldset: pe
+  short: Internal product name of the file, provided at compile-time.
+  type: keyword
+process.pgid:
+  dashed_name: process-pgid
+  description: Identifier of the group of processes the process belongs to.
+  flat_name: process.pgid
+  format: string
+  level: extended
+  name: pgid
+  normalize: []
+  short: Identifier of the group of processes the process belongs to.
+  type: long
+process.pid:
+  dashed_name: process-pid
+  description: Process id.
+  example: 4242
+  flat_name: process.pid
+  format: string
+  level: core
+  name: pid
+  normalize: []
+  short: Process id.
+  type: long
+process.ppid:
+  dashed_name: process-ppid
+  description: Parent process' pid.
+  example: 4241
+  flat_name: process.ppid
+  format: string
+  level: extended
+  name: ppid
+  normalize: []
+  short: Parent process' pid.
+  type: long
+process.start:
+  dashed_name: process-start
+  description: The time the process started.
+  example: '2016-05-23T08:05:34.853Z'
+  flat_name: process.start
+  level: extended
+  name: start
+  normalize: []
+  short: The time the process started.
+  type: date
+process.thread.id:
+  dashed_name: process-thread-id
+  description: Thread ID.
+  example: 4242
+  flat_name: process.thread.id
+  format: string
+  level: extended
+  name: thread.id
+  normalize: []
+  short: Thread ID.
+  type: long
+process.thread.name:
+  dashed_name: process-thread-name
+  description: Thread name.
+  example: thread-0
+  flat_name: process.thread.name
+  ignore_above: 1024
+  level: extended
+  name: thread.name
+  normalize: []
+  short: Thread name.
+  type: keyword
+process.title:
+  dashed_name: process-title
+  description: 'Process title.
+
+    The proctitle, some times the same as process name. Can also be different: for
+    example a browser setting its title to the web page currently opened.'
+  flat_name: process.title
+  level: extended
+  multi_fields:
+  - flat_name: process.title.text
+    name: text
+    norms: false
+    type: text
+  name: title
+  normalize: []
+  short: Process title.
+  type: wildcard
+process.uptime:
+  dashed_name: process-uptime
+  description: Seconds the process has been up.
+  example: 1325
+  flat_name: process.uptime
+  level: extended
+  name: uptime
+  normalize: []
+  short: Seconds the process has been up.
+  type: long
+process.working_directory:
+  dashed_name: process-working-directory
+  description: The working directory of the process.
+  example: /home/alice
+  flat_name: process.working_directory
+  level: extended
+  multi_fields:
+  - flat_name: process.working_directory.text
+    name: text
+    norms: false
+    type: text
+  name: working_directory
+  normalize: []
+  short: The working directory of the process.
+  type: wildcard
+registry.data.bytes:
+  dashed_name: registry-data-bytes
+  description: 'Original bytes written with base64 encoding.
+
+    For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
+    corresponds to the data pointed by `lp_data`. This is optional but provides better
+    recoverability and should be populated for REG_BINARY encoded values.'
+  example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
+  flat_name: registry.data.bytes
+  ignore_above: 1024
+  level: extended
+  name: data.bytes
+  normalize: []
+  short: Original bytes written with base64 encoding.
+  type: keyword
+registry.data.strings:
+  dashed_name: registry-data-strings
+  description: 'Content when writing string types.
+
+    Populated as an array when writing string data to the registry. For single string
+    registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string.
+    For sequences of string with REG_MULTI_SZ, this array will be variable length.
+    For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with
+    the decimal representation (e.g `"1"`).'
+  example: '["C:\rta\red_ttp\bin\myapp.exe"]'
+  flat_name: registry.data.strings
+  level: core
+  name: data.strings
+  normalize:
+  - array
+  short: List of strings representing what was written to the registry.
+  type: wildcard
+registry.data.type:
+  dashed_name: registry-data-type
+  description: Standard registry type for encoding contents
+  example: REG_SZ
+  flat_name: registry.data.type
+  ignore_above: 1024
+  level: core
+  name: data.type
+  normalize: []
+  short: Standard registry type for encoding contents
+  type: keyword
+registry.hive:
+  dashed_name: registry-hive
+  description: Abbreviated name for the hive.
+  example: HKLM
+  flat_name: registry.hive
+  ignore_above: 1024
+  level: core
+  name: hive
+  normalize: []
+  short: Abbreviated name for the hive.
+  type: keyword
+registry.key:
+  dashed_name: registry-key
+  description: Hive-relative path of keys.
+  example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
+  flat_name: registry.key
+  level: core
+  name: key
+  normalize: []
+  short: Hive-relative path of keys.
+  type: wildcard
+registry.path:
+  dashed_name: registry-path
+  description: Full path, including hive, key and value
+  example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
+    Options\winword.exe\Debugger
+  flat_name: registry.path
+  level: core
+  name: path
+  normalize: []
+  short: Full path, including hive, key and value
+  type: wildcard
+registry.value:
+  dashed_name: registry-value
+  description: Name of the value written.
+  example: Debugger
+  flat_name: registry.value
+  ignore_above: 1024
+  level: core
+  name: value
+  normalize: []
+  short: Name of the value written.
+  type: keyword
+related.hash:
+  dashed_name: related-hash
+  description: All the hashes seen on your event. Populating this field, then using
+    it to search for hashes can help in situations where you're unsure what the hash
+    algorithm is (and therefore which key name to search).
+  flat_name: related.hash
+  ignore_above: 1024
+  level: extended
+  name: hash
+  normalize:
+  - array
+  short: All the hashes seen on your event.
+  type: keyword
+related.hosts:
+  dashed_name: related-hosts
+  description: All hostnames or other host identifiers seen on your event. Example
+    identifiers include FQDNs, domain names, workstation names, or aliases.
+  flat_name: related.hosts
+  ignore_above: 1024
+  level: extended
+  name: hosts
+  normalize:
+  - array
+  short: All the host identifiers seen on your event.
+  type: keyword
+related.ip:
+  dashed_name: related-ip
+  description: All of the IPs seen on your event.
+  flat_name: related.ip
+  level: extended
+  name: ip
+  normalize:
+  - array
+  short: All of the IPs seen on your event.
+  type: ip
+related.user:
+  dashed_name: related-user
+  description: All the user names seen on your event.
+  flat_name: related.user
+  ignore_above: 1024
+  level: extended
+  name: user
+  normalize:
+  - array
+  short: All the user names seen on your event.
+  type: keyword
+rule.author:
+  dashed_name: rule-author
+  description: Name, organization, or pseudonym of the author or authors who created
+    the rule used to generate this event.
+  example: '["Star-Lord"]'
+  flat_name: rule.author
+  ignore_above: 1024
+  level: extended
+  name: author
+  normalize:
+  - array
+  short: Rule author
+  type: keyword
+rule.category:
+  dashed_name: rule-category
+  description: A categorization value keyword used by the entity using the rule for
+    detection of this event.
+  example: Attempted Information Leak
+  flat_name: rule.category
+  ignore_above: 1024
+  level: extended
+  name: category
+  normalize: []
+  short: Rule category
+  type: keyword
+rule.description:
+  dashed_name: rule-description
+  description: The description of the rule generating the event.
+  example: Block requests to public DNS over HTTPS / TLS protocols
+  flat_name: rule.description
+  ignore_above: 1024
+  level: extended
+  name: description
+  normalize: []
+  short: Rule description
+  type: keyword
+rule.id:
+  dashed_name: rule-id
+  description: A rule ID that is unique within the scope of an agent, observer, or
+    other entity using the rule for detection of this event.
+  example: 101
+  flat_name: rule.id
+  ignore_above: 1024
+  level: extended
+  name: id
+  normalize: []
+  short: Rule ID
+  type: keyword
+rule.license:
+  dashed_name: rule-license
+  description: Name of the license under which the rule used to generate this event
+    is made available.
+  example: Apache 2.0
+  flat_name: rule.license
+  ignore_above: 1024
+  level: extended
+  name: license
+  normalize: []
+  short: Rule license
+  type: keyword
+rule.name:
+  dashed_name: rule-name
+  description: The name of the rule or signature generating the event.
+  example: BLOCK_DNS_over_TLS
+  flat_name: rule.name
+  ignore_above: 1024
+  level: extended
+  name: name
+  normalize: []
+  short: Rule name
+  type: keyword
+rule.reference:
+  dashed_name: rule-reference
+  description: 'Reference URL to additional information about the rule used to generate
+    this event.
+
+    The URL can point to the vendor''s documentation about the rule. If that''s not
+    available, it can also be a link to a more general page describing this type of
+    alert.'
+  example: https://en.wikipedia.org/wiki/DNS_over_TLS
+  flat_name: rule.reference
+  ignore_above: 1024
+  level: extended
+  name: reference
+  normalize: []
+  short: Rule reference URL
+  type: keyword
+rule.ruleset:
+  dashed_name: rule-ruleset
+  description: Name of the ruleset, policy, group, or parent category in which the
+    rule used to generate this event is a member.
+  example: Standard_Protocol_Filters
+  flat_name: rule.ruleset
+  ignore_above: 1024
+  level: extended
+  name: ruleset
+  normalize: []
+  short: Rule ruleset
+  type: keyword
+rule.uuid:
+  dashed_name: rule-uuid
+  description: A rule ID that is unique within the scope of a set or group of agents,
+    observers, or other entities using the rule for detection of this event.
+  example: 1100110011
+  flat_name: rule.uuid
+  ignore_above: 1024
+  level: extended
+  name: uuid
+  normalize: []
+  short: Rule UUID
+  type: keyword
+rule.version:
+  dashed_name: rule-version
+  description: The version / revision of the rule being used for analysis.
+  example: 1.1
+  flat_name: rule.version
+  ignore_above: 1024
+  level: extended
+  name: version
+  normalize: []
+  short: Rule version
+  type: keyword
+server.address:
+  dashed_name: server-address
+  description: 'Some event server addresses are defined ambiguously. The event will
+    sometimes list an IP, a domain or a unix socket.  You should always store the
+    raw address in the `.address` field.
+
+    Then it should be duplicated to `.ip` or `.domain`, depending on which one it
+    is.'
+  flat_name: server.address
+  ignore_above: 1024
+  level: extended
+  name: address
+  normalize: []
+  short: Server network address.
+  type: keyword
+server.as.number:
+  dashed_name: server-as-number
+  description: Unique number allocated to the autonomous system. The autonomous system
+    number (ASN) uniquely identifies each network on the Internet.
+  example: 15169
+  flat_name: server.as.number
+  level: extended
+  name: number
+  normalize: []
+  original_fieldset: as
+  short: Unique number allocated to the autonomous system.
+  type: long
+server.as.organization.name:
+  dashed_name: server-as-organization-name
+  description: Organization name.
+  example: Google LLC
+  flat_name: server.as.organization.name
+  level: extended
+  multi_fields:
+  - flat_name: server.as.organization.name.text
+    name: text
+    norms: false
+    type: text
+  name: organization.name
+  normalize: []
+  original_fieldset: as
+  short: Organization name.
+  type: wildcard
+server.bytes:
+  dashed_name: server-bytes
+  description: Bytes sent from the server to the client.
+  example: 184
+  flat_name: server.bytes
+  format: bytes
+  level: core
+  name: bytes
+  normalize: []
+  short: Bytes sent from the server to the client.
+  type: long
+server.domain:
+  dashed_name: server-domain
+  description: Server domain.
+  flat_name: server.domain
+  level: core
+  name: domain
+  normalize: []
+  short: Server domain.
+  type: wildcard
+server.geo.city_name:
+  dashed_name: server-geo-city-name
+  description: City name.
+  example: Montreal
+  flat_name: server.geo.city_name
+  ignore_above: 1024
+  level: core
+  name: city_name
+  normalize: []
+  original_fieldset: geo
+  short: City name.
+  type: keyword
+server.geo.continent_name:
+  dashed_name: server-geo-continent-name
+  description: Name of the continent.
+  example: North America
+  flat_name: server.geo.continent_name
+  ignore_above: 1024
+  level: core
+  name: continent_name
+  normalize: []
+  original_fieldset: geo
+  short: Name of the continent.
+  type: keyword
+server.geo.country_iso_code:
+  dashed_name: server-geo-country-iso-code
+  description: Country ISO code.
+  example: CA
+  flat_name: server.geo.country_iso_code
+  ignore_above: 1024
+  level: core
+  name: country_iso_code
+  normalize: []
+  original_fieldset: geo
+  short: Country ISO code.
+  type: keyword
+server.geo.country_name:
+  dashed_name: server-geo-country-name
+  description: Country name.
+  example: Canada
+  flat_name: server.geo.country_name
+  ignore_above: 1024
+  level: core
+  name: country_name
+  normalize: []
+  original_fieldset: geo
+  short: Country name.
+  type: keyword
+server.geo.location:
+  dashed_name: server-geo-location
+  description: Longitude and latitude.
+  example: '{ "lon": -73.614830, "lat": 45.505918 }'
+  flat_name: server.geo.location
+  level: core
+  name: location
+  normalize: []
+  original_fieldset: geo
+  short: Longitude and latitude.
+  type: geo_point
+server.geo.name:
+  dashed_name: server-geo-name
+  description: 'User-defined description of a location, at the level of granularity
+    they care about.
+
+    Could be the name of their data centers, the floor number, if this describes a
+    local physical entity, city names.
+
+    Not typically used in automated geolocation.'
+  example: boston-dc
+  flat_name: server.geo.name
+  level: extended
+  name: name
+  normalize: []
+  original_fieldset: geo
+  short: User-defined description of a location.
+  type: wildcard
+server.geo.region_iso_code:
+  dashed_name: server-geo-region-iso-code
+  description: Region ISO code.
+  example: CA-QC
+  flat_name: server.geo.region_iso_code
+  ignore_above: 1024
+  level: core
+  name: region_iso_code
+  normalize: []
+  original_fieldset: geo
+  short: Region ISO code.
+  type: keyword
+server.geo.region_name:
+  dashed_name: server-geo-region-name
+  description: Region name.
+  example: Quebec
+  flat_name: server.geo.region_name
+  ignore_above: 1024
+  level: core
+  name: region_name
+  normalize: []
+  original_fieldset: geo
+  short: Region name.
+  type: keyword
+server.ip:
+  dashed_name: server-ip
+  description: IP address of the server (IPv4 or IPv6).
+  flat_name: server.ip
+  level: core
+  name: ip
+  normalize: []
+  short: IP address of the server.
+  type: ip
+server.mac:
+  dashed_name: server-mac
+  description: MAC address of the server.
+  flat_name: server.mac
+  ignore_above: 1024
+  level: core
+  name: mac
+  normalize: []
+  short: MAC address of the server.
+  type: keyword
+server.nat.ip:
+  dashed_name: server-nat-ip
+  description: 'Translated ip of destination based NAT sessions (e.g. internet to
+    private DMZ)
+
+    Typically used with load balancers, firewalls, or routers.'
+  flat_name: server.nat.ip
+  level: extended
+  name: nat.ip
+  normalize: []
+  short: Server NAT ip
+  type: ip
+server.nat.port:
+  dashed_name: server-nat-port
+  description: 'Translated port of destination based NAT sessions (e.g. internet to
+    private DMZ)
+
+    Typically used with load balancers, firewalls, or routers.'
+  flat_name: server.nat.port
+  format: string
+  level: extended
+  name: nat.port
+  normalize: []
+  short: Server NAT port
+  type: long
+server.packets:
+  dashed_name: server-packets
+  description: Packets sent from the server to the client.
+  example: 12
+  flat_name: server.packets
+  level: core
+  name: packets
+  normalize: []
+  short: Packets sent from the server to the client.
+  type: long
+server.port:
+  dashed_name: server-port
+  description: Port of the server.
+  flat_name: server.port
+  format: string
+  level: core
+  name: port
+  normalize: []
+  short: Port of the server.
+  type: long
+server.registered_domain:
+  dashed_name: server-registered-domain
+  description: 'The highest registered server domain, stripped of the subdomain.
+
+    For example, the registered domain for "foo.example.com" is "example.com".
+
+    This value can be determined precisely with a list like the public suffix list
+    (http://publicsuffix.org). Trying to approximate this by simply taking the last
+    two labels will not work well for TLDs such as "co.uk".'
+  example: example.com
+  flat_name: server.registered_domain
+  level: extended
+  name: registered_domain
+  normalize: []
+  short: The highest registered server domain, stripped of the subdomain.
+  type: wildcard
+server.subdomain:
+  dashed_name: server-subdomain
+  description: 'The subdomain portion of a fully qualified domain name includes all
+    of the names except the host name under the registered_domain.  In a partially
+    qualified domain, or if the the qualification level of the full name cannot be
+    determined, subdomain contains all of the names below the registered domain.
+
+    For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the
+    domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the
+    subdomain field should contain "sub2.sub1", with no trailing period.'
+  example: east
+  flat_name: server.subdomain
+  ignore_above: 1024
+  level: extended
+  name: subdomain
+  normalize: []
+  short: The subdomain of the domain.
+  type: keyword
+server.top_level_domain:
+  dashed_name: server-top-level-domain
+  description: 'The effective top level domain (eTLD), also known as the domain suffix,
+    is the last part of the domain name. For example, the top level domain for example.com
+    is "com".
+
+    This value can be determined precisely with a list like the public suffix list
+    (http://publicsuffix.org). Trying to approximate this by simply taking the last
+    label will not work well for effective TLDs such as "co.uk".'
+  example: co.uk
+  flat_name: server.top_level_domain
+  ignore_above: 1024
+  level: extended
+  name: top_level_domain
+  normalize: []
+  short: The effective top level domain (com, org, net, co.uk).
+  type: keyword
+server.user.domain:
+  dashed_name: server-user-domain
+  description: 'Name of the directory the user is a member of.
+
+    For example, an LDAP or Active Directory domain name.'
+  flat_name: server.user.domain
+  ignore_above: 1024
+  level: extended
+  name: domain
+  normalize: []
+  original_fieldset: user
+  short: Name of the directory the user is a member of.
+  type: keyword
+server.user.email:
+  dashed_name: server-user-email
+  description: User email address.
+  flat_name: server.user.email
+  level: extended
+  name: email
+  normalize: []
+  original_fieldset: user
+  short: User email address.
+  type: wildcard
+server.user.full_name:
+  dashed_name: server-user-full-name
+  description: User's full name, if available.
+  example: Albert Einstein
+  flat_name: server.user.full_name
+  level: extended
+  multi_fields:
+  - flat_name: server.user.full_name.text
+    name: text
+    norms: false
+    type: text
+  name: full_name
+  normalize: []
+  original_fieldset: user
+  short: User's full name, if available.
+  type: wildcard
+server.user.group.domain:
+  dashed_name: server-user-group-domain
+  description: 'Name of the directory the group is a member of.
+
+    For example, an LDAP or Active Directory domain name.'
+  flat_name: server.user.group.domain
+  ignore_above: 1024
+  level: extended
+  name: domain
+  normalize: []
+  original_fieldset: group
+  short: Name of the directory the group is a member of.
+  type: keyword
+server.user.group.id:
+  dashed_name: server-user-group-id
+  description: Unique identifier for the group on the system/platform.
+  flat_name: server.user.group.id
+  ignore_above: 1024
+  level: extended
+  name: id
+  normalize: []
+  original_fieldset: group
+  short: Unique identifier for the group on the system/platform.
+  type: keyword
+server.user.group.name:
+  dashed_name: server-user-group-name
+  description: Name of the group.
+  flat_name: server.user.group.name
+  ignore_above: 1024
+  level: extended
+  name: name
+  normalize: []
+  original_fieldset: group
+  short: Name of the group.
+  type: keyword
+server.user.hash:
+  dashed_name: server-user-hash
+  description: 'Unique user hash to correlate information for a user in anonymized
+    form.
+
+    Useful if `user.id` or `user.name` contain confidential information and cannot
+    be used.'
+  flat_name: server.user.hash
+  ignore_above: 1024
+  level: extended
+  name: hash
+  normalize: []
+  original_fieldset: user
+  short: Unique user hash to correlate information for a user in anonymized form.
+  type: keyword
+server.user.id:
+  dashed_name: server-user-id
+  description: Unique identifier of the user.
+  flat_name: server.user.id
+  ignore_above: 1024
+  level: core
+  name: id
+  normalize: []
+  original_fieldset: user
+  short: Unique identifier of the user.
+  type: keyword
+server.user.name:
+  dashed_name: server-user-name
+  description: Short name or login of the user.
+  example: albert
+  flat_name: server.user.name
+  level: core
+  multi_fields:
+  - flat_name: server.user.name.text
+    name: text
+    norms: false
+    type: text
+  name: name
+  normalize: []
+  original_fieldset: user
+  short: Short name or login of the user.
+  type: wildcard
+server.user.roles:
+  dashed_name: server-user-roles
+  description: Array of user roles at the time of the event.
+  example: '["kibana_admin", "reporting_user"]'
+  flat_name: server.user.roles
+  ignore_above: 1024
+  level: extended
+  name: roles
+  normalize:
+  - array
+  original_fieldset: user
+  short: Array of user roles at the time of the event.
+  type: keyword
+service.ephemeral_id:
+  dashed_name: service-ephemeral-id
+  description: 'Ephemeral identifier of this service (if one exists).
+
+    This id normally changes across restarts, but `service.id` does not.'
+  example: 8a4f500f
+  flat_name: service.ephemeral_id
+  ignore_above: 1024
+  level: extended
+  name: ephemeral_id
+  normalize: []
+  short: Ephemeral identifier of this service.
+  type: keyword
+service.id:
+  dashed_name: service-id
+  description: 'Unique identifier of the running service. If the service is comprised
+    of many nodes, the `service.id` should be the same for all nodes.
+
+    This id should uniquely identify the service. This makes it possible to correlate
+    logs and metrics for one specific service, no matter which particular node emitted
+    the event.
+
+    Note that if you need to see the events from one specific host of the service,
+    you should filter on that `host.name` or `host.id` instead.'
+  example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
+  flat_name: service.id
+  ignore_above: 1024
+  level: core
+  name: id
+  normalize: []
+  short: Unique identifier of the running service.
+  type: keyword
+service.name:
+  dashed_name: service-name
+  description: 'Name of the service data is collected from.
+
+    The name of the service is normally user given. This allows for distributed services
+    that run on multiple hosts to correlate the related instances based on the name.
+
+    In the case of Elasticsearch the `service.name` could contain the cluster name.
+    For Beats the `service.name` is by default a copy of the `service.type` field
+    if no name is specified.'
+  example: elasticsearch-metrics
+  flat_name: service.name
+  ignore_above: 1024
+  level: core
+  name: name
+  normalize: []
+  short: Name of the service.
+  type: keyword
+service.node.name:
+  dashed_name: service-node-name
+  description: 'Name of a service node.
+
+    This allows for two nodes of the same service running on the same host to be differentiated.
+    Therefore, `service.node.name` should typically be unique across nodes of a given
+    service.
+
+    In the case of Elasticsearch, the `service.node.name` could contain the unique
+    node name within the Elasticsearch cluster. In cases where the service doesn''t
+    have the concept of a node name, the host name or container name can be used to
+    distinguish running instances that make up this service. If those do not provide
+    uniqueness (e.g. multiple instances of the service running on the same host) -
+    the node name can be manually set.'
+  example: instance-0000000016
+  flat_name: service.node.name
+  ignore_above: 1024
+  level: extended
+  name: node.name
+  normalize: []
+  short: Name of the service node.
+  type: keyword
+service.state:
+  dashed_name: service-state
+  description: Current state of the service.
+  flat_name: service.state
+  ignore_above: 1024
+  level: core
+  name: state
+  normalize: []
+  short: Current state of the service.
+  type: keyword
+service.type:
+  dashed_name: service-type
+  description: 'The type of the service data is collected from.
+
+    The type can be used to group and correlate logs and metrics from one service
+    type.
+
+    Example: If logs or metrics are collected from Elasticsearch, `service.type` would
+    be `elasticsearch`.'
+  example: elasticsearch
+  flat_name: service.type
+  ignore_above: 1024
+  level: core
+  name: type
+  normalize: []
+  short: The type of the service.
+  type: keyword
+service.version:
+  dashed_name: service-version
+  description: 'Version of the service the data was collected from.
+
+    This allows to look at a data set only for a specific version of a service.'
+  example: 3.2.4
+  flat_name: service.version
+  ignore_above: 1024
+  level: core
+  name: version
+  normalize: []
+  short: Version of the service.
+  type: keyword
+source.address:
+  dashed_name: source-address
+  description: 'Some event source addresses are defined ambiguously. The event will
+    sometimes list an IP, a domain or a unix socket.  You should always store the
+    raw address in the `.address` field.
+
+    Then it should be duplicated to `.ip` or `.domain`, depending on which one it
+    is.'
+  flat_name: source.address
+  ignore_above: 1024
+  level: extended
+  name: address
+  normalize: []
+  short: Source network address.
+  type: keyword
+source.as.number:
+  dashed_name: source-as-number
+  description: Unique number allocated to the autonomous system. The autonomous system
+    number (ASN) uniquely identifies each network on the Internet.
+  example: 15169
+  flat_name: source.as.number
+  level: extended
+  name: number
+  normalize: []
+  original_fieldset: as
+  short: Unique number allocated to the autonomous system.
+  type: long
+source.as.organization.name:
+  dashed_name: source-as-organization-name
+  description: Organization name.
+  example: Google LLC
+  flat_name: source.as.organization.name
+  level: extended
+  multi_fields:
+  - flat_name: source.as.organization.name.text
+    name: text
+    norms: false
+    type: text
+  name: organization.name
+  normalize: []
+  original_fieldset: as
+  short: Organization name.
+  type: wildcard
+source.bytes:
+  dashed_name: source-bytes
+  description: Bytes sent from the source to the destination.
+  example: 184
+  flat_name: source.bytes
+  format: bytes
+  level: core
+  name: bytes
+  normalize: []
+  short: Bytes sent from the source to the destination.
+  type: long
+source.domain:
+  dashed_name: source-domain
+  description: Source domain.
+  flat_name: source.domain
+  level: core
+  name: domain
+  normalize: []
+  short: Source domain.
+  type: wildcard
+source.geo.city_name:
+  dashed_name: source-geo-city-name
+  description: City name.
+  example: Montreal
+  flat_name: source.geo.city_name
+  ignore_above: 1024
+  level: core
+  name: city_name
+  normalize: []
+  original_fieldset: geo
+  short: City name.
+  type: keyword
+source.geo.continent_name:
+  dashed_name: source-geo-continent-name
+  description: Name of the continent.
+  example: North America
+  flat_name: source.geo.continent_name
+  ignore_above: 1024
+  level: core
+  name: continent_name
+  normalize: []
+  original_fieldset: geo
+  short: Name of the continent.
+  type: keyword
+source.geo.country_iso_code:
+  dashed_name: source-geo-country-iso-code
+  description: Country ISO code.
+  example: CA
+  flat_name: source.geo.country_iso_code
+  ignore_above: 1024
+  level: core
+  name: country_iso_code
+  normalize: []
+  original_fieldset: geo
+  short: Country ISO code.
+  type: keyword
+source.geo.country_name:
+  dashed_name: source-geo-country-name
+  description: Country name.
+  example: Canada
+  flat_name: source.geo.country_name
+  ignore_above: 1024
+  level: core
+  name: country_name
+  normalize: []
+  original_fieldset: geo
+  short: Country name.
+  type: keyword
+source.geo.location:
+  dashed_name: source-geo-location
+  description: Longitude and latitude.
+  example: '{ "lon": -73.614830, "lat": 45.505918 }'
+  flat_name: source.geo.location
+  level: core
+  name: location
+  normalize: []
+  original_fieldset: geo
+  short: Longitude and latitude.
+  type: geo_point
+source.geo.name:
+  dashed_name: source-geo-name
+  description: 'User-defined description of a location, at the level of granularity
+    they care about.
+
+    Could be the name of their data centers, the floor number, if this describes a
+    local physical entity, city names.
+
+    Not typically used in automated geolocation.'
+  example: boston-dc
+  flat_name: source.geo.name
+  level: extended
+  name: name
+  normalize: []
+  original_fieldset: geo
+  short: User-defined description of a location.
+  type: wildcard
+source.geo.region_iso_code:
+  dashed_name: source-geo-region-iso-code
+  description: Region ISO code.
+  example: CA-QC
+  flat_name: source.geo.region_iso_code
+  ignore_above: 1024
+  level: core
+  name: region_iso_code
+  normalize: []
+  original_fieldset: geo
+  short: Region ISO code.
+  type: keyword
+source.geo.region_name:
+  dashed_name: source-geo-region-name
+  description: Region name.
+  example: Quebec
+  flat_name: source.geo.region_name
+  ignore_above: 1024
+  level: core
+  name: region_name
+  normalize: []
+  original_fieldset: geo
+  short: Region name.
+  type: keyword
+source.ip:
+  dashed_name: source-ip
+  description: IP address of the source (IPv4 or IPv6).
+  flat_name: source.ip
+  level: core
+  name: ip
+  normalize: []
+  short: IP address of the source.
+  type: ip
+source.mac:
+  dashed_name: source-mac
+  description: MAC address of the source.
+  flat_name: source.mac
+  ignore_above: 1024
+  level: core
+  name: mac
+  normalize: []
+  short: MAC address of the source.
+  type: keyword
+source.nat.ip:
+  dashed_name: source-nat-ip
+  description: 'Translated ip of source based NAT sessions (e.g. internal client to
+    internet)
+
+    Typically connections traversing load balancers, firewalls, or routers.'
+  flat_name: source.nat.ip
+  level: extended
+  name: nat.ip
+  normalize: []
+  short: Source NAT ip
+  type: ip
+source.nat.port:
+  dashed_name: source-nat-port
+  description: 'Translated port of source based NAT sessions. (e.g. internal client
+    to internet)
+
+    Typically used with load balancers, firewalls, or routers.'
+  flat_name: source.nat.port
+  format: string
+  level: extended
+  name: nat.port
+  normalize: []
+  short: Source NAT port
+  type: long
+source.packets:
+  dashed_name: source-packets
+  description: Packets sent from the source to the destination.
+  example: 12
+  flat_name: source.packets
+  level: core
+  name: packets
+  normalize: []
+  short: Packets sent from the source to the destination.
+  type: long
+source.port:
+  dashed_name: source-port
+  description: Port of the source.
+  flat_name: source.port
+  format: string
+  level: core
+  name: port
+  normalize: []
+  short: Port of the source.
+  type: long
+source.registered_domain:
+  dashed_name: source-registered-domain
+  description: 'The highest registered source domain, stripped of the subdomain.
+
+    For example, the registered domain for "foo.example.com" is "example.com".
+
+    This value can be determined precisely with a list like the public suffix list
+    (http://publicsuffix.org). Trying to approximate this by simply taking the last
+    two labels will not work well for TLDs such as "co.uk".'
+  example: example.com
+  flat_name: source.registered_domain
+  level: extended
+  name: registered_domain
+  normalize: []
+  short: The highest registered source domain, stripped of the subdomain.
+  type: wildcard
+source.subdomain:
+  dashed_name: source-subdomain
+  description: 'The subdomain portion of a fully qualified domain name includes all
+    of the names except the host name under the registered_domain.  In a partially
+    qualified domain, or if the the qualification level of the full name cannot be
+    determined, subdomain contains all of the names below the registered domain.
+
+    For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the
+    domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the
+    subdomain field should contain "sub2.sub1", with no trailing period.'
+  example: east
+  flat_name: source.subdomain
+  ignore_above: 1024
+  level: extended
+  name: subdomain
+  normalize: []
+  short: The subdomain of the domain.
+  type: keyword
+source.top_level_domain:
+  dashed_name: source-top-level-domain
+  description: 'The effective top level domain (eTLD), also known as the domain suffix,
+    is the last part of the domain name. For example, the top level domain for example.com
+    is "com".
+
+    This value can be determined precisely with a list like the public suffix list
+    (http://publicsuffix.org). Trying to approximate this by simply taking the last
+    label will not work well for effective TLDs such as "co.uk".'
+  example: co.uk
+  flat_name: source.top_level_domain
+  ignore_above: 1024
+  level: extended
+  name: top_level_domain
+  normalize: []
+  short: The effective top level domain (com, org, net, co.uk).
+  type: keyword
+source.user.domain:
+  dashed_name: source-user-domain
+  description: 'Name of the directory the user is a member of.
+
+    For example, an LDAP or Active Directory domain name.'
+  flat_name: source.user.domain
+  ignore_above: 1024
+  level: extended
+  name: domain
+  normalize: []
+  original_fieldset: user
+  short: Name of the directory the user is a member of.
+  type: keyword
+source.user.email:
+  dashed_name: source-user-email
+  description: User email address.
+  flat_name: source.user.email
+  level: extended
+  name: email
+  normalize: []
+  original_fieldset: user
+  short: User email address.
+  type: wildcard
+source.user.full_name:
+  dashed_name: source-user-full-name
+  description: User's full name, if available.
+  example: Albert Einstein
+  flat_name: source.user.full_name
+  level: extended
+  multi_fields:
+  - flat_name: source.user.full_name.text
+    name: text
+    norms: false
+    type: text
+  name: full_name
+  normalize: []
+  original_fieldset: user
+  short: User's full name, if available.
+  type: wildcard
+source.user.group.domain:
+  dashed_name: source-user-group-domain
+  description: 'Name of the directory the group is a member of.
+
+    For example, an LDAP or Active Directory domain name.'
+  flat_name: source.user.group.domain
+  ignore_above: 1024
+  level: extended
+  name: domain
+  normalize: []
+  original_fieldset: group
+  short: Name of the directory the group is a member of.
+  type: keyword
+source.user.group.id:
+  dashed_name: source-user-group-id
+  description: Unique identifier for the group on the system/platform.
+  flat_name: source.user.group.id
+  ignore_above: 1024
+  level: extended
+  name: id
+  normalize: []
+  original_fieldset: group
+  short: Unique identifier for the group on the system/platform.
+  type: keyword
+source.user.group.name:
+  dashed_name: source-user-group-name
+  description: Name of the group.
+  flat_name: source.user.group.name
+  ignore_above: 1024
+  level: extended
+  name: name
+  normalize: []
+  original_fieldset: group
+  short: Name of the group.
+  type: keyword
+source.user.hash:
+  dashed_name: source-user-hash
+  description: 'Unique user hash to correlate information for a user in anonymized
+    form.
+
+    Useful if `user.id` or `user.name` contain confidential information and cannot
+    be used.'
+  flat_name: source.user.hash
+  ignore_above: 1024
+  level: extended
+  name: hash
+  normalize: []
+  original_fieldset: user
+  short: Unique user hash to correlate information for a user in anonymized form.
+  type: keyword
+source.user.id:
+  dashed_name: source-user-id
+  description: Unique identifier of the user.
+  flat_name: source.user.id
+  ignore_above: 1024
+  level: core
+  name: id
+  normalize: []
+  original_fieldset: user
+  short: Unique identifier of the user.
+  type: keyword
+source.user.name:
+  dashed_name: source-user-name
+  description: Short name or login of the user.
+  example: albert
+  flat_name: source.user.name
+  level: core
+  multi_fields:
+  - flat_name: source.user.name.text
+    name: text
+    norms: false
+    type: text
+  name: name
+  normalize: []
+  original_fieldset: user
+  short: Short name or login of the user.
+  type: wildcard
+source.user.roles:
+  dashed_name: source-user-roles
+  description: Array of user roles at the time of the event.
+  example: '["kibana_admin", "reporting_user"]'
+  flat_name: source.user.roles
+  ignore_above: 1024
+  level: extended
+  name: roles
+  normalize:
+  - array
+  original_fieldset: user
+  short: Array of user roles at the time of the event.
+  type: keyword
+span.id:
+  dashed_name: span-id
+  description: 'Unique identifier of the span within the scope of its trace.
+
+    A span represents an operation within a transaction, such as a request to another
+    service, or a database query.'
+  example: 3ff9a8981b7ccd5a
+  flat_name: span.id
+  ignore_above: 1024
+  level: extended
+  name: span.id
+  normalize: []
+  short: Unique identifier of the span within the scope of its trace.
+  type: keyword
+tags:
+  dashed_name: tags
+  description: List of keywords used to tag each event.
+  example: '["production", "env2"]'
+  flat_name: tags
+  ignore_above: 1024
+  level: core
+  name: tags
+  normalize:
+  - array
+  short: List of keywords used to tag each event.
+  type: keyword
+threat.framework:
+  dashed_name: threat-framework
+  description: Name of the threat framework used to further categorize and classify
+    the tactic and technique of the reported threat. Framework classification can
+    be provided by detecting systems, evaluated at ingest time, or retrospectively
+    tagged to events.
+  example: MITRE ATT&CK
+  flat_name: threat.framework
+  ignore_above: 1024
+  level: extended
+  name: framework
+  normalize: []
+  short: Threat classification framework.
+  type: keyword
+threat.tactic.id:
+  dashed_name: threat-tactic-id
+  description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\
+    \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )"
+  example: TA0002
+  flat_name: threat.tactic.id
+  ignore_above: 1024
+  level: extended
+  name: tactic.id
+  normalize:
+  - array
+  short: Threat tactic id.
+  type: keyword
+threat.tactic.name:
+  dashed_name: threat-tactic-name
+  description: "Name of the type of tactic used by this threat. You can use a MITRE\
+    \ ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)"
+  example: Execution
+  flat_name: threat.tactic.name
+  ignore_above: 1024
+  level: extended
+  name: tactic.name
+  normalize:
+  - array
+  short: Threat tactic.
+  type: keyword
+threat.tactic.reference:
+  dashed_name: threat-tactic-reference
+  description: "The reference url of tactic used by this threat. You can use a MITRE\
+    \ ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/\
+    \ )"
+  example: https://attack.mitre.org/tactics/TA0002/
+  flat_name: threat.tactic.reference
+  ignore_above: 1024
+  level: extended
+  name: tactic.reference
+  normalize:
+  - array
+  short: Threat tactic URL reference.
+  type: keyword
+threat.technique.id:
+  dashed_name: threat-technique-id
+  description: "The id of technique used by this threat. You can use a MITRE ATT&CK\xAE\
+    \ technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
+  example: T1059
+  flat_name: threat.technique.id
+  ignore_above: 1024
+  level: extended
+  name: technique.id
+  normalize:
+  - array
+  short: Threat technique id.
+  type: keyword
+threat.technique.name:
+  dashed_name: threat-technique-name
+  description: "The name of technique used by this threat. You can use a MITRE ATT&CK\xAE\
+    \ technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
+  example: Command and Scripting Interpreter
+  flat_name: threat.technique.name
+  ignore_above: 1024
+  level: extended
+  multi_fields:
+  - flat_name: threat.technique.name.text
+    name: text
+    norms: false
+    type: text
+  name: technique.name
+  normalize:
+  - array
+  short: Threat technique name.
+  type: keyword
+threat.technique.reference:
+  dashed_name: threat-technique-reference
+  description: "The reference url of technique used by this threat. You can use a\
+    \ MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
+  example: https://attack.mitre.org/techniques/T1059/
+  flat_name: threat.technique.reference
+  ignore_above: 1024
+  level: extended
+  name: technique.reference
+  normalize:
+  - array
+  short: Threat technique URL reference.
+  type: keyword
+threat.technique.subtechnique.id:
+  dashed_name: threat-technique-subtechnique-id
+  description: "The full id of subtechnique used by this threat. You can use a MITRE\
+    \ ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
+  example: T1059.001
+  flat_name: threat.technique.subtechnique.id
+  ignore_above: 1024
+  level: extended
+  name: technique.subtechnique.id
+  normalize:
+  - array
+  short: Threat subtechnique id.
+  type: keyword
+threat.technique.subtechnique.name:
+  dashed_name: threat-technique-subtechnique-name
+  description: "The name of subtechnique used by this threat. You can use a MITRE\
+    \ ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
+  example: PowerShell
+  flat_name: threat.technique.subtechnique.name
+  ignore_above: 1024
+  level: extended
+  multi_fields:
+  - flat_name: threat.technique.subtechnique.name.text
+    name: text
+    norms: false
+    type: text
+  name: technique.subtechnique.name
+  normalize:
+  - array
+  short: Threat subtechnique name.
+  type: keyword
+threat.technique.subtechnique.reference:
+  dashed_name: threat-technique-subtechnique-reference
+  description: "The reference url of subtechnique used by this threat. You can use\
+    \ a MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
+  example: https://attack.mitre.org/techniques/T1059/001/
+  flat_name: threat.technique.subtechnique.reference
+  ignore_above: 1024
+  level: extended
+  name: technique.subtechnique.reference
+  normalize:
+  - array
+  short: Threat subtechnique URL reference.
+  type: keyword
+tls.cipher:
+  dashed_name: tls-cipher
+  description: String indicating the cipher used during the current connection.
+  example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+  flat_name: tls.cipher
+  ignore_above: 1024
+  level: extended
+  name: cipher
+  normalize: []
+  short: String indicating the cipher used during the current connection.
+  type: keyword
+tls.client.certificate:
+  dashed_name: tls-client-certificate
+  description: PEM-encoded stand-alone certificate offered by the client. This is
+    usually mutually-exclusive of `client.certificate_chain` since this value also
+    exists in that list.
+  example: MII...
+  flat_name: tls.client.certificate
+  ignore_above: 1024
+  level: extended
+  name: client.certificate
+  normalize: []
+  short: PEM-encoded stand-alone certificate offered by the client.
+  type: keyword
+tls.client.certificate_chain:
+  dashed_name: tls-client-certificate-chain
+  description: Array of PEM-encoded certificates that make up the certificate chain
+    offered by the client. This is usually mutually-exclusive of `client.certificate`
+    since that value should be the first certificate in the chain.
+  example: '["MII...", "MII..."]'
+  flat_name: tls.client.certificate_chain
+  ignore_above: 1024
+  level: extended
+  name: client.certificate_chain
+  normalize:
+  - array
+  short: Array of PEM-encoded certificates that make up the certificate chain offered
+    by the client.
+  type: keyword
+tls.client.hash.md5:
+  dashed_name: tls-client-hash-md5
+  description: Certificate fingerprint using the MD5 digest of DER-encoded version
+    of certificate offered by the client. For consistency with other hash values,
+    this value should be formatted as an uppercase hash.
+  example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
+  flat_name: tls.client.hash.md5
+  ignore_above: 1024
+  level: extended
+  name: client.hash.md5
+  normalize: []
+  short: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate
+    offered by the client.
+  type: keyword
+tls.client.hash.sha1:
+  dashed_name: tls-client-hash-sha1
+  description: Certificate fingerprint using the SHA1 digest of DER-encoded version
+    of certificate offered by the client. For consistency with other hash values,
+    this value should be formatted as an uppercase hash.
+  example: 9E393D93138888D288266C2D915214D1D1CCEB2A
+  flat_name: tls.client.hash.sha1
+  ignore_above: 1024
+  level: extended
+  name: client.hash.sha1
+  normalize: []
+  short: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate
+    offered by the client.
+  type: keyword
+tls.client.hash.sha256:
+  dashed_name: tls-client-hash-sha256
+  description: Certificate fingerprint using the SHA256 digest of DER-encoded version
+    of certificate offered by the client. For consistency with other hash values,
+    this value should be formatted as an uppercase hash.
+  example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
+  flat_name: tls.client.hash.sha256
+  ignore_above: 1024
+  level: extended
+  name: client.hash.sha256
+  normalize: []
+  short: Certificate fingerprint using the SHA256 digest of DER-encoded version of
+    certificate offered by the client.
+  type: keyword
+tls.client.issuer:
+  dashed_name: tls-client-issuer
+  description: Distinguished name of subject of the issuer of the x.509 certificate
+    presented by the client.
+  example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
+  flat_name: tls.client.issuer
+  level: extended
+  name: client.issuer
+  normalize: []
+  short: Distinguished name of subject of the issuer of the x.509 certificate presented
+    by the client.
+  type: wildcard
+tls.client.ja3:
+  dashed_name: tls-client-ja3
+  description: A hash that identifies clients based on how they perform an SSL/TLS
+    handshake.
+  example: d4e5b18d6b55c71272893221c96ba240
+  flat_name: tls.client.ja3
+  ignore_above: 1024
+  level: extended
+  name: client.ja3
+  normalize: []
+  short: A hash that identifies clients based on how they perform an SSL/TLS handshake.
+  type: keyword
+tls.client.not_after:
+  dashed_name: tls-client-not-after
+  description: Date/Time indicating when client certificate is no longer considered
+    valid.
+  example: '2021-01-01T00:00:00.000Z'
+  flat_name: tls.client.not_after
+  level: extended
+  name: client.not_after
+  normalize: []
+  short: Date/Time indicating when client certificate is no longer considered valid.
+  type: date
+tls.client.not_before:
+  dashed_name: tls-client-not-before
+  description: Date/Time indicating when client certificate is first considered valid.
+  example: '1970-01-01T00:00:00.000Z'
+  flat_name: tls.client.not_before
+  level: extended
+  name: client.not_before
+  normalize: []
+  short: Date/Time indicating when client certificate is first considered valid.
+  type: date
+tls.client.server_name:
+  dashed_name: tls-client-server-name
+  description: Also called an SNI, this tells the server which hostname to which the
+    client is attempting to connect to. When this value is available, it should get
+    copied to `destination.domain`.
+  example: www.elastic.co
+  flat_name: tls.client.server_name
+  ignore_above: 1024
+  level: extended
+  name: client.server_name
+  normalize: []
+  short: Hostname the client is trying to connect to. Also called the SNI.
+  type: keyword
+tls.client.subject:
+  dashed_name: tls-client-subject
+  description: Distinguished name of subject of the x.509 certificate presented by
+    the client.
+  example: CN=myclient, OU=Documentation Team, DC=example, DC=com
+  flat_name: tls.client.subject
+  level: extended
+  name: client.subject
+  normalize: []
+  short: Distinguished name of subject of the x.509 certificate presented by the client.
+  type: wildcard
+tls.client.supported_ciphers:
+  dashed_name: tls-client-supported-ciphers
+  description: Array of ciphers offered by the client during the client hello.
+  example: '["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+    "..."]'
+  flat_name: tls.client.supported_ciphers
+  ignore_above: 1024
+  level: extended
+  name: client.supported_ciphers
+  normalize:
+  - array
+  short: Array of ciphers offered by the client during the client hello.
+  type: keyword
+tls.client.x509.alternative_names:
+  dashed_name: tls-client-x509-alternative-names
+  description: List of subject alternative names (SAN). Name types vary by certificate
+    authority and certificate type but commonly contain IP addresses, DNS names (and
+    wildcards), and email addresses.
+  example: '*.elastic.co'
+  flat_name: tls.client.x509.alternative_names
+  ignore_above: 1024
+  level: extended
+  name: alternative_names
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of subject alternative names (SAN).
+  type: keyword
+tls.client.x509.issuer.common_name:
+  dashed_name: tls-client-x509-issuer-common-name
+  description: List of common name (CN) of issuing certificate authority.
+  example: Example SHA2 High Assurance Server CA
+  flat_name: tls.client.x509.issuer.common_name
+  ignore_above: 1024
+  level: extended
+  name: issuer.common_name
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of common name (CN) of issuing certificate authority.
+  type: keyword
+tls.client.x509.issuer.country:
+  dashed_name: tls-client-x509-issuer-country
+  description: List of country (C) codes
+  example: US
+  flat_name: tls.client.x509.issuer.country
+  ignore_above: 1024
+  level: extended
+  name: issuer.country
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of country (C) codes
+  type: keyword
+tls.client.x509.issuer.distinguished_name:
+  dashed_name: tls-client-x509-issuer-distinguished-name
+  description: Distinguished name (DN) of issuing certificate authority.
+  example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
+    Server CA
+  flat_name: tls.client.x509.issuer.distinguished_name
+  level: extended
+  name: issuer.distinguished_name
+  normalize: []
+  original_fieldset: x509
+  short: Distinguished name (DN) of issuing certificate authority.
+  type: wildcard
+tls.client.x509.issuer.locality:
+  dashed_name: tls-client-x509-issuer-locality
+  description: List of locality names (L)
+  example: Mountain View
+  flat_name: tls.client.x509.issuer.locality
+  ignore_above: 1024
+  level: extended
+  name: issuer.locality
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of locality names (L)
+  type: keyword
+tls.client.x509.issuer.organization:
+  dashed_name: tls-client-x509-issuer-organization
+  description: List of organizations (O) of issuing certificate authority.
+  example: Example Inc
+  flat_name: tls.client.x509.issuer.organization
+  ignore_above: 1024
+  level: extended
+  name: issuer.organization
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of organizations (O) of issuing certificate authority.
+  type: keyword
+tls.client.x509.issuer.organizational_unit:
+  dashed_name: tls-client-x509-issuer-organizational-unit
+  description: List of organizational units (OU) of issuing certificate authority.
+  example: www.example.com
+  flat_name: tls.client.x509.issuer.organizational_unit
+  ignore_above: 1024
+  level: extended
+  name: issuer.organizational_unit
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of organizational units (OU) of issuing certificate authority.
+  type: keyword
+tls.client.x509.issuer.state_or_province:
+  dashed_name: tls-client-x509-issuer-state-or-province
+  description: List of state or province names (ST, S, or P)
+  example: California
+  flat_name: tls.client.x509.issuer.state_or_province
+  ignore_above: 1024
+  level: extended
+  name: issuer.state_or_province
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of state or province names (ST, S, or P)
+  type: keyword
+tls.client.x509.not_after:
+  dashed_name: tls-client-x509-not-after
+  description: Time at which the certificate is no longer considered valid.
+  example: 2020-07-16 03:15:39+00:00
+  flat_name: tls.client.x509.not_after
+  level: extended
+  name: not_after
+  normalize: []
+  original_fieldset: x509
+  short: Time at which the certificate is no longer considered valid.
+  type: date
+tls.client.x509.not_before:
+  dashed_name: tls-client-x509-not-before
+  description: Time at which the certificate is first considered valid.
+  example: 2019-08-16 01:40:25+00:00
+  flat_name: tls.client.x509.not_before
+  level: extended
+  name: not_before
+  normalize: []
+  original_fieldset: x509
+  short: Time at which the certificate is first considered valid.
+  type: date
+tls.client.x509.public_key_algorithm:
+  dashed_name: tls-client-x509-public-key-algorithm
+  description: Algorithm used to generate the public key.
+  example: RSA
+  flat_name: tls.client.x509.public_key_algorithm
+  ignore_above: 1024
+  level: extended
+  name: public_key_algorithm
+  normalize: []
+  original_fieldset: x509
+  short: Algorithm used to generate the public key.
+  type: keyword
+tls.client.x509.public_key_curve:
+  dashed_name: tls-client-x509-public-key-curve
+  description: The curve used by the elliptic curve public key algorithm. This is
+    algorithm specific.
+  example: nistp521
+  flat_name: tls.client.x509.public_key_curve
+  ignore_above: 1024
+  level: extended
+  name: public_key_curve
+  normalize: []
+  original_fieldset: x509
+  short: The curve used by the elliptic curve public key algorithm. This is algorithm
+    specific.
+  type: keyword
+tls.client.x509.public_key_exponent:
+  dashed_name: tls-client-x509-public-key-exponent
+  description: Exponent used to derive the public key. This is algorithm specific.
+  doc_values: false
+  example: 65537
+  flat_name: tls.client.x509.public_key_exponent
+  index: false
+  level: extended
+  name: public_key_exponent
+  normalize: []
+  original_fieldset: x509
+  short: Exponent used to derive the public key. This is algorithm specific.
+  type: long
+tls.client.x509.public_key_size:
+  dashed_name: tls-client-x509-public-key-size
+  description: The size of the public key space in bits.
+  example: 2048
+  flat_name: tls.client.x509.public_key_size
+  level: extended
+  name: public_key_size
+  normalize: []
+  original_fieldset: x509
+  short: The size of the public key space in bits.
+  type: long
+tls.client.x509.serial_number:
+  dashed_name: tls-client-x509-serial-number
+  description: Unique serial number issued by the certificate authority. For consistency,
+    if this value is alphanumeric, it should be formatted without colons and uppercase
+    characters.
+  example: 55FBB9C7DEBF09809D12CCAA
+  flat_name: tls.client.x509.serial_number
+  ignore_above: 1024
+  level: extended
+  name: serial_number
+  normalize: []
+  original_fieldset: x509
+  short: Unique serial number issued by the certificate authority.
+  type: keyword
+tls.client.x509.signature_algorithm:
+  dashed_name: tls-client-x509-signature-algorithm
+  description: Identifier for certificate signature algorithm. We recommend using
+    names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
+  example: SHA256-RSA
+  flat_name: tls.client.x509.signature_algorithm
+  ignore_above: 1024
+  level: extended
+  name: signature_algorithm
+  normalize: []
+  original_fieldset: x509
+  short: Identifier for certificate signature algorithm.
+  type: keyword
+tls.client.x509.subject.common_name:
+  dashed_name: tls-client-x509-subject-common-name
+  description: List of common names (CN) of subject.
+  example: shared.global.example.net
+  flat_name: tls.client.x509.subject.common_name
+  ignore_above: 1024
+  level: extended
+  name: subject.common_name
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of common names (CN) of subject.
+  type: keyword
+tls.client.x509.subject.country:
+  dashed_name: tls-client-x509-subject-country
+  description: List of country (C) code
+  example: US
+  flat_name: tls.client.x509.subject.country
+  ignore_above: 1024
+  level: extended
+  name: subject.country
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of country (C) code
+  type: keyword
+tls.client.x509.subject.distinguished_name:
+  dashed_name: tls-client-x509-subject-distinguished-name
+  description: Distinguished name (DN) of the certificate subject entity.
+  example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+  flat_name: tls.client.x509.subject.distinguished_name
+  level: extended
+  name: subject.distinguished_name
+  normalize: []
+  original_fieldset: x509
+  short: Distinguished name (DN) of the certificate subject entity.
+  type: wildcard
+tls.client.x509.subject.locality:
+  dashed_name: tls-client-x509-subject-locality
+  description: List of locality names (L)
+  example: San Francisco
+  flat_name: tls.client.x509.subject.locality
+  ignore_above: 1024
+  level: extended
+  name: subject.locality
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of locality names (L)
+  type: keyword
+tls.client.x509.subject.organization:
+  dashed_name: tls-client-x509-subject-organization
+  description: List of organizations (O) of subject.
+  example: Example, Inc.
+  flat_name: tls.client.x509.subject.organization
+  ignore_above: 1024
+  level: extended
+  name: subject.organization
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of organizations (O) of subject.
+  type: keyword
+tls.client.x509.subject.organizational_unit:
+  dashed_name: tls-client-x509-subject-organizational-unit
+  description: List of organizational units (OU) of subject.
+  flat_name: tls.client.x509.subject.organizational_unit
+  ignore_above: 1024
+  level: extended
+  name: subject.organizational_unit
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of organizational units (OU) of subject.
+  type: keyword
+tls.client.x509.subject.state_or_province:
+  dashed_name: tls-client-x509-subject-state-or-province
+  description: List of state or province names (ST, S, or P)
+  example: California
+  flat_name: tls.client.x509.subject.state_or_province
+  ignore_above: 1024
+  level: extended
+  name: subject.state_or_province
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of state or province names (ST, S, or P)
+  type: keyword
+tls.client.x509.version_number:
+  dashed_name: tls-client-x509-version-number
+  description: Version of x509 format.
+  example: 3
+  flat_name: tls.client.x509.version_number
+  ignore_above: 1024
+  level: extended
+  name: version_number
+  normalize: []
+  original_fieldset: x509
+  short: Version of x509 format.
+  type: keyword
+tls.curve:
+  dashed_name: tls-curve
+  description: String indicating the curve used for the given cipher, when applicable.
+  example: secp256r1
+  flat_name: tls.curve
+  ignore_above: 1024
+  level: extended
+  name: curve
+  normalize: []
+  short: String indicating the curve used for the given cipher, when applicable.
+  type: keyword
+tls.established:
+  dashed_name: tls-established
+  description: Boolean flag indicating if the TLS negotiation was successful and transitioned
+    to an encrypted tunnel.
+  flat_name: tls.established
+  level: extended
+  name: established
+  normalize: []
+  short: Boolean flag indicating if the TLS negotiation was successful and transitioned
+    to an encrypted tunnel.
+  type: boolean
+tls.next_protocol:
+  dashed_name: tls-next-protocol
+  description: String indicating the protocol being tunneled. Per the values in the
+    IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids),
+    this string should be lower case.
+  example: http/1.1
+  flat_name: tls.next_protocol
+  ignore_above: 1024
+  level: extended
+  name: next_protocol
+  normalize: []
+  short: String indicating the protocol being tunneled.
+  type: keyword
+tls.resumed:
+  dashed_name: tls-resumed
+  description: Boolean flag indicating if this TLS connection was resumed from an
+    existing TLS negotiation.
+  flat_name: tls.resumed
+  level: extended
+  name: resumed
+  normalize: []
+  short: Boolean flag indicating if this TLS connection was resumed from an existing
+    TLS negotiation.
+  type: boolean
+tls.server.certificate:
+  dashed_name: tls-server-certificate
+  description: PEM-encoded stand-alone certificate offered by the server. This is
+    usually mutually-exclusive of `server.certificate_chain` since this value also
+    exists in that list.
+  example: MII...
+  flat_name: tls.server.certificate
+  ignore_above: 1024
+  level: extended
+  name: server.certificate
+  normalize: []
+  short: PEM-encoded stand-alone certificate offered by the server.
+  type: keyword
+tls.server.certificate_chain:
+  dashed_name: tls-server-certificate-chain
+  description: Array of PEM-encoded certificates that make up the certificate chain
+    offered by the server. This is usually mutually-exclusive of `server.certificate`
+    since that value should be the first certificate in the chain.
+  example: '["MII...", "MII..."]'
+  flat_name: tls.server.certificate_chain
+  ignore_above: 1024
+  level: extended
+  name: server.certificate_chain
+  normalize:
+  - array
+  short: Array of PEM-encoded certificates that make up the certificate chain offered
+    by the server.
+  type: keyword
+tls.server.hash.md5:
+  dashed_name: tls-server-hash-md5
+  description: Certificate fingerprint using the MD5 digest of DER-encoded version
+    of certificate offered by the server. For consistency with other hash values,
+    this value should be formatted as an uppercase hash.
+  example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
+  flat_name: tls.server.hash.md5
+  ignore_above: 1024
+  level: extended
+  name: server.hash.md5
+  normalize: []
+  short: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate
+    offered by the server.
+  type: keyword
+tls.server.hash.sha1:
+  dashed_name: tls-server-hash-sha1
+  description: Certificate fingerprint using the SHA1 digest of DER-encoded version
+    of certificate offered by the server. For consistency with other hash values,
+    this value should be formatted as an uppercase hash.
+  example: 9E393D93138888D288266C2D915214D1D1CCEB2A
+  flat_name: tls.server.hash.sha1
+  ignore_above: 1024
+  level: extended
+  name: server.hash.sha1
+  normalize: []
+  short: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate
+    offered by the server.
+  type: keyword
+tls.server.hash.sha256:
+  dashed_name: tls-server-hash-sha256
+  description: Certificate fingerprint using the SHA256 digest of DER-encoded version
+    of certificate offered by the server. For consistency with other hash values,
+    this value should be formatted as an uppercase hash.
+  example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
+  flat_name: tls.server.hash.sha256
+  ignore_above: 1024
+  level: extended
+  name: server.hash.sha256
+  normalize: []
+  short: Certificate fingerprint using the SHA256 digest of DER-encoded version of
+    certificate offered by the server.
+  type: keyword
+tls.server.issuer:
+  dashed_name: tls-server-issuer
+  description: Subject of the issuer of the x.509 certificate presented by the server.
+  example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
+  flat_name: tls.server.issuer
+  level: extended
+  name: server.issuer
+  normalize: []
+  short: Subject of the issuer of the x.509 certificate presented by the server.
+  type: wildcard
+tls.server.ja3s:
+  dashed_name: tls-server-ja3s
+  description: A hash that identifies servers based on how they perform an SSL/TLS
+    handshake.
+  example: 394441ab65754e2207b1e1b457b3641d
+  flat_name: tls.server.ja3s
+  ignore_above: 1024
+  level: extended
+  name: server.ja3s
+  normalize: []
+  short: A hash that identifies servers based on how they perform an SSL/TLS handshake.
+  type: keyword
+tls.server.not_after:
+  dashed_name: tls-server-not-after
+  description: Timestamp indicating when server certificate is no longer considered
+    valid.
+  example: '2021-01-01T00:00:00.000Z'
+  flat_name: tls.server.not_after
+  level: extended
+  name: server.not_after
+  normalize: []
+  short: Timestamp indicating when server certificate is no longer considered valid.
+  type: date
+tls.server.not_before:
+  dashed_name: tls-server-not-before
+  description: Timestamp indicating when server certificate is first considered valid.
+  example: '1970-01-01T00:00:00.000Z'
+  flat_name: tls.server.not_before
+  level: extended
+  name: server.not_before
+  normalize: []
+  short: Timestamp indicating when server certificate is first considered valid.
+  type: date
+tls.server.subject:
+  dashed_name: tls-server-subject
+  description: Subject of the x.509 certificate presented by the server.
+  example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com
+  flat_name: tls.server.subject
+  level: extended
+  name: server.subject
+  normalize: []
+  short: Subject of the x.509 certificate presented by the server.
+  type: wildcard
+tls.server.x509.alternative_names:
+  dashed_name: tls-server-x509-alternative-names
+  description: List of subject alternative names (SAN). Name types vary by certificate
+    authority and certificate type but commonly contain IP addresses, DNS names (and
+    wildcards), and email addresses.
+  example: '*.elastic.co'
+  flat_name: tls.server.x509.alternative_names
+  ignore_above: 1024
+  level: extended
+  name: alternative_names
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of subject alternative names (SAN).
+  type: keyword
+tls.server.x509.issuer.common_name:
+  dashed_name: tls-server-x509-issuer-common-name
+  description: List of common name (CN) of issuing certificate authority.
+  example: Example SHA2 High Assurance Server CA
+  flat_name: tls.server.x509.issuer.common_name
+  ignore_above: 1024
+  level: extended
+  name: issuer.common_name
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of common name (CN) of issuing certificate authority.
+  type: keyword
+tls.server.x509.issuer.country:
+  dashed_name: tls-server-x509-issuer-country
+  description: List of country (C) codes
+  example: US
+  flat_name: tls.server.x509.issuer.country
+  ignore_above: 1024
+  level: extended
+  name: issuer.country
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of country (C) codes
+  type: keyword
+tls.server.x509.issuer.distinguished_name:
+  dashed_name: tls-server-x509-issuer-distinguished-name
+  description: Distinguished name (DN) of issuing certificate authority.
+  example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
+    Server CA
+  flat_name: tls.server.x509.issuer.distinguished_name
+  level: extended
+  name: issuer.distinguished_name
+  normalize: []
+  original_fieldset: x509
+  short: Distinguished name (DN) of issuing certificate authority.
+  type: wildcard
+tls.server.x509.issuer.locality:
+  dashed_name: tls-server-x509-issuer-locality
+  description: List of locality names (L)
+  example: Mountain View
+  flat_name: tls.server.x509.issuer.locality
+  ignore_above: 1024
+  level: extended
+  name: issuer.locality
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of locality names (L)
+  type: keyword
+tls.server.x509.issuer.organization:
+  dashed_name: tls-server-x509-issuer-organization
+  description: List of organizations (O) of issuing certificate authority.
+  example: Example Inc
+  flat_name: tls.server.x509.issuer.organization
+  ignore_above: 1024
+  level: extended
+  name: issuer.organization
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of organizations (O) of issuing certificate authority.
+  type: keyword
+tls.server.x509.issuer.organizational_unit:
+  dashed_name: tls-server-x509-issuer-organizational-unit
+  description: List of organizational units (OU) of issuing certificate authority.
+  example: www.example.com
+  flat_name: tls.server.x509.issuer.organizational_unit
+  ignore_above: 1024
+  level: extended
+  name: issuer.organizational_unit
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of organizational units (OU) of issuing certificate authority.
+  type: keyword
+tls.server.x509.issuer.state_or_province:
+  dashed_name: tls-server-x509-issuer-state-or-province
+  description: List of state or province names (ST, S, or P)
+  example: California
+  flat_name: tls.server.x509.issuer.state_or_province
+  ignore_above: 1024
+  level: extended
+  name: issuer.state_or_province
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of state or province names (ST, S, or P)
+  type: keyword
+tls.server.x509.not_after:
+  dashed_name: tls-server-x509-not-after
+  description: Time at which the certificate is no longer considered valid.
+  example: 2020-07-16 03:15:39+00:00
+  flat_name: tls.server.x509.not_after
+  level: extended
+  name: not_after
+  normalize: []
+  original_fieldset: x509
+  short: Time at which the certificate is no longer considered valid.
+  type: date
+tls.server.x509.not_before:
+  dashed_name: tls-server-x509-not-before
+  description: Time at which the certificate is first considered valid.
+  example: 2019-08-16 01:40:25+00:00
+  flat_name: tls.server.x509.not_before
+  level: extended
+  name: not_before
+  normalize: []
+  original_fieldset: x509
+  short: Time at which the certificate is first considered valid.
+  type: date
+tls.server.x509.public_key_algorithm:
+  dashed_name: tls-server-x509-public-key-algorithm
+  description: Algorithm used to generate the public key.
+  example: RSA
+  flat_name: tls.server.x509.public_key_algorithm
+  ignore_above: 1024
+  level: extended
+  name: public_key_algorithm
+  normalize: []
+  original_fieldset: x509
+  short: Algorithm used to generate the public key.
+  type: keyword
+tls.server.x509.public_key_curve:
+  dashed_name: tls-server-x509-public-key-curve
+  description: The curve used by the elliptic curve public key algorithm. This is
+    algorithm specific.
+  example: nistp521
+  flat_name: tls.server.x509.public_key_curve
+  ignore_above: 1024
+  level: extended
+  name: public_key_curve
+  normalize: []
+  original_fieldset: x509
+  short: The curve used by the elliptic curve public key algorithm. This is algorithm
+    specific.
+  type: keyword
+tls.server.x509.public_key_exponent:
+  dashed_name: tls-server-x509-public-key-exponent
+  description: Exponent used to derive the public key. This is algorithm specific.
+  doc_values: false
+  example: 65537
+  flat_name: tls.server.x509.public_key_exponent
+  index: false
+  level: extended
+  name: public_key_exponent
+  normalize: []
+  original_fieldset: x509
+  short: Exponent used to derive the public key. This is algorithm specific.
+  type: long
+tls.server.x509.public_key_size:
+  dashed_name: tls-server-x509-public-key-size
+  description: The size of the public key space in bits.
+  example: 2048
+  flat_name: tls.server.x509.public_key_size
+  level: extended
+  name: public_key_size
+  normalize: []
+  original_fieldset: x509
+  short: The size of the public key space in bits.
+  type: long
+tls.server.x509.serial_number:
+  dashed_name: tls-server-x509-serial-number
+  description: Unique serial number issued by the certificate authority. For consistency,
+    if this value is alphanumeric, it should be formatted without colons and uppercase
+    characters.
+  example: 55FBB9C7DEBF09809D12CCAA
+  flat_name: tls.server.x509.serial_number
+  ignore_above: 1024
+  level: extended
+  name: serial_number
+  normalize: []
+  original_fieldset: x509
+  short: Unique serial number issued by the certificate authority.
+  type: keyword
+tls.server.x509.signature_algorithm:
+  dashed_name: tls-server-x509-signature-algorithm
+  description: Identifier for certificate signature algorithm. We recommend using
+    names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
+  example: SHA256-RSA
+  flat_name: tls.server.x509.signature_algorithm
+  ignore_above: 1024
+  level: extended
+  name: signature_algorithm
+  normalize: []
+  original_fieldset: x509
+  short: Identifier for certificate signature algorithm.
+  type: keyword
+tls.server.x509.subject.common_name:
+  dashed_name: tls-server-x509-subject-common-name
+  description: List of common names (CN) of subject.
+  example: shared.global.example.net
+  flat_name: tls.server.x509.subject.common_name
+  ignore_above: 1024
+  level: extended
+  name: subject.common_name
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of common names (CN) of subject.
+  type: keyword
+tls.server.x509.subject.country:
+  dashed_name: tls-server-x509-subject-country
+  description: List of country (C) code
+  example: US
+  flat_name: tls.server.x509.subject.country
+  ignore_above: 1024
+  level: extended
+  name: subject.country
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of country (C) code
+  type: keyword
+tls.server.x509.subject.distinguished_name:
+  dashed_name: tls-server-x509-subject-distinguished-name
+  description: Distinguished name (DN) of the certificate subject entity.
+  example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+  flat_name: tls.server.x509.subject.distinguished_name
+  level: extended
+  name: subject.distinguished_name
+  normalize: []
+  original_fieldset: x509
+  short: Distinguished name (DN) of the certificate subject entity.
+  type: wildcard
+tls.server.x509.subject.locality:
+  dashed_name: tls-server-x509-subject-locality
+  description: List of locality names (L)
+  example: San Francisco
+  flat_name: tls.server.x509.subject.locality
+  ignore_above: 1024
+  level: extended
+  name: subject.locality
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of locality names (L)
+  type: keyword
+tls.server.x509.subject.organization:
+  dashed_name: tls-server-x509-subject-organization
+  description: List of organizations (O) of subject.
+  example: Example, Inc.
+  flat_name: tls.server.x509.subject.organization
+  ignore_above: 1024
+  level: extended
+  name: subject.organization
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of organizations (O) of subject.
+  type: keyword
+tls.server.x509.subject.organizational_unit:
+  dashed_name: tls-server-x509-subject-organizational-unit
+  description: List of organizational units (OU) of subject.
+  flat_name: tls.server.x509.subject.organizational_unit
+  ignore_above: 1024
+  level: extended
+  name: subject.organizational_unit
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of organizational units (OU) of subject.
+  type: keyword
+tls.server.x509.subject.state_or_province:
+  dashed_name: tls-server-x509-subject-state-or-province
+  description: List of state or province names (ST, S, or P)
+  example: California
+  flat_name: tls.server.x509.subject.state_or_province
+  ignore_above: 1024
+  level: extended
+  name: subject.state_or_province
+  normalize:
+  - array
+  original_fieldset: x509
+  short: List of state or province names (ST, S, or P)
+  type: keyword
+tls.server.x509.version_number:
+  dashed_name: tls-server-x509-version-number
+  description: Version of x509 format.
+  example: 3
+  flat_name: tls.server.x509.version_number
+  ignore_above: 1024
+  level: extended
+  name: version_number
+  normalize: []
+  original_fieldset: x509
+  short: Version of x509 format.
+  type: keyword
+tls.version:
+  dashed_name: tls-version
+  description: Numeric part of the version parsed from the original string.
+  example: '1.2'
+  flat_name: tls.version
+  ignore_above: 1024
+  level: extended
+  name: version
+  normalize: []
+  short: Numeric part of the version parsed from the original string.
+  type: keyword
+tls.version_protocol:
+  dashed_name: tls-version-protocol
+  description: Normalized lowercase protocol name parsed from original string.
+  example: tls
+  flat_name: tls.version_protocol
+  ignore_above: 1024
+  level: extended
+  name: version_protocol
+  normalize: []
+  short: Normalized lowercase protocol name parsed from original string.
+  type: keyword
+trace.id:
+  dashed_name: trace-id
+  description: 'Unique identifier of the trace.
+
+    A trace groups multiple events like transactions that belong together. For example,
+    a user request handled by multiple inter-connected services.'
+  example: 4bf92f3577b34da6a3ce929d0e0e4736
+  flat_name: trace.id
+  ignore_above: 1024
+  level: extended
+  name: trace.id
+  normalize: []
+  short: Unique identifier of the trace.
+  type: keyword
+transaction.id:
+  dashed_name: transaction-id
+  description: 'Unique identifier of the transaction within the scope of its trace.
+
+    A transaction is the highest level of work measured within a service, such as
+    a request to a server.'
+  example: 00f067aa0ba902b7
+  flat_name: transaction.id
+  ignore_above: 1024
+  level: extended
+  name: transaction.id
+  normalize: []
+  short: Unique identifier of the transaction within the scope of its trace.
+  type: keyword
+url.domain:
+  dashed_name: url-domain
+  description: 'Domain of the url, such as "www.elastic.co".
+
+    In some cases a URL may refer to an IP and/or port directly, without a domain
+    name. In this case, the IP address would go to the `domain` field.'
+  example: www.elastic.co
+  flat_name: url.domain
+  level: extended
+  name: domain
+  normalize: []
+  short: Domain of the url.
+  type: wildcard
+url.extension:
+  dashed_name: url-extension
+  description: 'The field contains the file extension from the original request url.
+
+    The file extension is only set if it exists, as not every url has a file extension.
+
+    The leading period must not be included. For example, the value must be "png",
+    not ".png".'
+  example: png
+  flat_name: url.extension
+  ignore_above: 1024
+  level: extended
+  name: extension
+  normalize: []
+  short: File extension from the original request url.
+  type: keyword
+url.fragment:
+  dashed_name: url-fragment
+  description: 'Portion of the url after the `#`, such as "top".
+
+    The `#` is not part of the fragment.'
+  flat_name: url.fragment
+  ignore_above: 1024
+  level: extended
+  name: fragment
+  normalize: []
+  short: Portion of the url after the `#`.
+  type: keyword
+url.full:
+  dashed_name: url-full
+  description: If full URLs are important to your use case, they should be stored
+    in `url.full`, whether this field is reconstructed or present in the event source.
+  example: https://www.elastic.co:443/search?q=elasticsearch#top
+  flat_name: url.full
+  level: extended
+  multi_fields:
+  - flat_name: url.full.text
+    name: text
+    norms: false
+    type: text
+  name: full
+  normalize: []
+  short: Full unparsed URL.
+  type: wildcard
+url.original:
+  dashed_name: url-original
+  description: 'Unmodified original url as seen in the event source.
+
+    Note that in network monitoring, the observed URL may be a full URL, whereas in
+    access logs, the URL is often just represented as a path.
+
+    This field is meant to represent the URL as it was observed, complete or not.'
+  example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
+  flat_name: url.original
+  level: extended
+  multi_fields:
+  - flat_name: url.original.text
+    name: text
+    norms: false
+    type: text
+  name: original
+  normalize: []
+  short: Unmodified original url as seen in the event source.
+  type: wildcard
+url.password:
+  dashed_name: url-password
+  description: Password of the request.
+  flat_name: url.password
+  ignore_above: 1024
+  level: extended
+  name: password
+  normalize: []
+  short: Password of the request.
+  type: keyword
+url.path:
+  dashed_name: url-path
+  description: Path of the request, such as "/search".
+  flat_name: url.path
+  level: extended
+  name: path
+  normalize: []
+  short: Path of the request, such as "/search".
+  type: wildcard
+url.port:
+  dashed_name: url-port
+  description: Port of the request, such as 443.
+  example: 443
+  flat_name: url.port
+  format: string
+  level: extended
+  name: port
+  normalize: []
+  short: Port of the request, such as 443.
+  type: long
+url.query:
+  dashed_name: url-query
+  description: 'The query field describes the query string of the request, such as
+    "q=elasticsearch".
+
+    The `?` is excluded from the query string. If a URL contains no `?`, there is
+    no query field. If there is a `?` but no query, the query field exists with an
+    empty string. The `exists` query can be used to differentiate between the two
+    cases.'
+  flat_name: url.query
+  ignore_above: 1024
+  level: extended
+  name: query
+  normalize: []
+  short: Query string of the request.
+  type: keyword
+url.registered_domain:
+  dashed_name: url-registered-domain
+  description: 'The highest registered url domain, stripped of the subdomain.
+
+    For example, the registered domain for "foo.example.com" is "example.com".
+
+    This value can be determined precisely with a list like the public suffix list
+    (http://publicsuffix.org). Trying to approximate this by simply taking the last
+    two labels will not work well for TLDs such as "co.uk".'
+  example: example.com
+  flat_name: url.registered_domain
+  level: extended
+  name: registered_domain
+  normalize: []
+  short: The highest registered url domain, stripped of the subdomain.
+  type: wildcard
+url.scheme:
+  dashed_name: url-scheme
+  description: 'Scheme of the request, such as "https".
+
+    Note: The `:` is not part of the scheme.'
+  example: https
+  flat_name: url.scheme
+  ignore_above: 1024
+  level: extended
+  name: scheme
+  normalize: []
+  short: Scheme of the url.
+  type: keyword
+url.subdomain:
+  dashed_name: url-subdomain
+  description: 'The subdomain portion of a fully qualified domain name includes all
+    of the names except the host name under the registered_domain.  In a partially
+    qualified domain, or if the the qualification level of the full name cannot be
+    determined, subdomain contains all of the names below the registered domain.
+
+    For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the
+    domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the
+    subdomain field should contain "sub2.sub1", with no trailing period.'
+  example: east
+  flat_name: url.subdomain
+  ignore_above: 1024
+  level: extended
+  name: subdomain
+  normalize: []
+  short: The subdomain of the domain.
+  type: keyword
+url.top_level_domain:
+  dashed_name: url-top-level-domain
+  description: 'The effective top level domain (eTLD), also known as the domain suffix,
+    is the last part of the domain name. For example, the top level domain for example.com
+    is "com".
+
+    This value can be determined precisely with a list like the public suffix list
+    (http://publicsuffix.org). Trying to approximate this by simply taking the last
+    label will not work well for effective TLDs such as "co.uk".'
+  example: co.uk
+  flat_name: url.top_level_domain
+  ignore_above: 1024
+  level: extended
+  name: top_level_domain
+  normalize: []
+  short: The effective top level domain (com, org, net, co.uk).
+  type: keyword
+url.username:
+  dashed_name: url-username
+  description: Username of the request.
+  flat_name: url.username
+  ignore_above: 1024
+  level: extended
+  name: username
+  normalize: []
+  short: Username of the request.
+  type: keyword
+user.changes.domain:
+  dashed_name: user-changes-domain
+  description: 'Name of the directory the user is a member of.
+
+    For example, an LDAP or Active Directory domain name.'
+  flat_name: user.changes.domain
+  ignore_above: 1024
+  level: extended
+  name: domain
+  normalize: []
+  original_fieldset: user
+  short: Name of the directory the user is a member of.
+  type: keyword
+user.changes.email:
+  dashed_name: user-changes-email
+  description: User email address.
+  flat_name: user.changes.email
+  level: extended
+  name: email
+  normalize: []
+  original_fieldset: user
+  short: User email address.
+  type: wildcard
+user.changes.full_name:
+  dashed_name: user-changes-full-name
+  description: User's full name, if available.
+  example: Albert Einstein
+  flat_name: user.changes.full_name
+  level: extended
+  multi_fields:
+  - flat_name: user.changes.full_name.text
+    name: text
+    norms: false
+    type: text
+  name: full_name
+  normalize: []
+  original_fieldset: user
+  short: User's full name, if available.
+  type: wildcard
+user.changes.group.domain:
+  dashed_name: user-changes-group-domain
+  description: 'Name of the directory the group is a member of.
+
+    For example, an LDAP or Active Directory domain name.'
+  flat_name: user.changes.group.domain
+  ignore_above: 1024
+  level: extended
+  name: domain
+  normalize: []
+  original_fieldset: group
+  short: Name of the directory the group is a member of.
+  type: keyword
+user.changes.group.id:
+  dashed_name: user-changes-group-id
+  description: Unique identifier for the group on the system/platform.
+  flat_name: user.changes.group.id
+  ignore_above: 1024
+  level: extended
+  name: id
+  normalize: []
+  original_fieldset: group
+  short: Unique identifier for the group on the system/platform.
+  type: keyword
+user.changes.group.name:
+  dashed_name: user-changes-group-name
+  description: Name of the group.
+  flat_name: user.changes.group.name
+  ignore_above: 1024
+  level: extended
+  name: name
+  normalize: []
+  original_fieldset: group
+  short: Name of the group.
+  type: keyword
+user.changes.hash:
+  dashed_name: user-changes-hash
+  description: 'Unique user hash to correlate information for a user in anonymized
+    form.
+
+    Useful if `user.id` or `user.name` contain confidential information and cannot
+    be used.'
+  flat_name: user.changes.hash
+  ignore_above: 1024
+  level: extended
+  name: hash
+  normalize: []
+  original_fieldset: user
+  short: Unique user hash to correlate information for a user in anonymized form.
+  type: keyword
+user.changes.id:
+  dashed_name: user-changes-id
+  description: Unique identifier of the user.
+  flat_name: user.changes.id
+  ignore_above: 1024
+  level: core
+  name: id
+  normalize: []
+  original_fieldset: user
+  short: Unique identifier of the user.
+  type: keyword
+user.changes.name:
+  dashed_name: user-changes-name
+  description: Short name or login of the user.
+  example: albert
+  flat_name: user.changes.name
+  level: core
+  multi_fields:
+  - flat_name: user.changes.name.text
+    name: text
+    norms: false
+    type: text
+  name: name
+  normalize: []
+  original_fieldset: user
+  short: Short name or login of the user.
+  type: wildcard
+user.changes.roles:
+  dashed_name: user-changes-roles
+  description: Array of user roles at the time of the event.
+  example: '["kibana_admin", "reporting_user"]'
+  flat_name: user.changes.roles
+  ignore_above: 1024
+  level: extended
+  name: roles
+  normalize:
+  - array
+  original_fieldset: user
+  short: Array of user roles at the time of the event.
+  type: keyword
+user.domain:
+  dashed_name: user-domain
+  description: 'Name of the directory the user is a member of.
+
+    For example, an LDAP or Active Directory domain name.'
+  flat_name: user.domain
+  ignore_above: 1024
+  level: extended
+  name: domain
+  normalize: []
+  short: Name of the directory the user is a member of.
+  type: keyword
+user.effective.domain:
+  dashed_name: user-effective-domain
+  description: 'Name of the directory the user is a member of.
+
+    For example, an LDAP or Active Directory domain name.'
+  flat_name: user.effective.domain
+  ignore_above: 1024
+  level: extended
+  name: domain
+  normalize: []
+  original_fieldset: user
+  short: Name of the directory the user is a member of.
+  type: keyword
+user.effective.email:
+  dashed_name: user-effective-email
+  description: User email address.
+  flat_name: user.effective.email
+  level: extended
+  name: email
+  normalize: []
+  original_fieldset: user
+  short: User email address.
+  type: wildcard
+user.effective.full_name:
+  dashed_name: user-effective-full-name
+  description: User's full name, if available.
+  example: Albert Einstein
+  flat_name: user.effective.full_name
+  level: extended
+  multi_fields:
+  - flat_name: user.effective.full_name.text
+    name: text
+    norms: false
+    type: text
+  name: full_name
+  normalize: []
+  original_fieldset: user
+  short: User's full name, if available.
+  type: wildcard
+user.effective.group.domain:
+  dashed_name: user-effective-group-domain
+  description: 'Name of the directory the group is a member of.
+
+    For example, an LDAP or Active Directory domain name.'
+  flat_name: user.effective.group.domain
+  ignore_above: 1024
+  level: extended
+  name: domain
+  normalize: []
+  original_fieldset: group
+  short: Name of the directory the group is a member of.
+  type: keyword
+user.effective.group.id:
+  dashed_name: user-effective-group-id
+  description: Unique identifier for the group on the system/platform.
+  flat_name: user.effective.group.id
+  ignore_above: 1024
+  level: extended
+  name: id
+  normalize: []
+  original_fieldset: group
+  short: Unique identifier for the group on the system/platform.
+  type: keyword
+user.effective.group.name:
+  dashed_name: user-effective-group-name
+  description: Name of the group.
+  flat_name: user.effective.group.name
+  ignore_above: 1024
+  level: extended
+  name: name
+  normalize: []
+  original_fieldset: group
+  short: Name of the group.
+  type: keyword
+user.effective.hash:
+  dashed_name: user-effective-hash
+  description: 'Unique user hash to correlate information for a user in anonymized
+    form.
+
+    Useful if `user.id` or `user.name` contain confidential information and cannot
+    be used.'
+  flat_name: user.effective.hash
+  ignore_above: 1024
+  level: extended
+  name: hash
+  normalize: []
+  original_fieldset: user
+  short: Unique user hash to correlate information for a user in anonymized form.
+  type: keyword
+user.effective.id:
+  dashed_name: user-effective-id
+  description: Unique identifier of the user.
+  flat_name: user.effective.id
+  ignore_above: 1024
+  level: core
+  name: id
+  normalize: []
+  original_fieldset: user
+  short: Unique identifier of the user.
+  type: keyword
+user.effective.name:
+  dashed_name: user-effective-name
+  description: Short name or login of the user.
+  example: albert
+  flat_name: user.effective.name
+  level: core
+  multi_fields:
+  - flat_name: user.effective.name.text
+    name: text
+    norms: false
+    type: text
+  name: name
+  normalize: []
+  original_fieldset: user
+  short: Short name or login of the user.
+  type: wildcard
+user.effective.roles:
+  dashed_name: user-effective-roles
+  description: Array of user roles at the time of the event.
+  example: '["kibana_admin", "reporting_user"]'
+  flat_name: user.effective.roles
+  ignore_above: 1024
+  level: extended
+  name: roles
+  normalize:
+  - array
+  original_fieldset: user
+  short: Array of user roles at the time of the event.
+  type: keyword
+user.email:
+  dashed_name: user-email
+  description: User email address.
+  flat_name: user.email
+  level: extended
+  name: email
+  normalize: []
+  short: User email address.
+  type: wildcard
+user.full_name:
+  dashed_name: user-full-name
+  description: User's full name, if available.
+  example: Albert Einstein
+  flat_name: user.full_name
+  level: extended
+  multi_fields:
+  - flat_name: user.full_name.text
+    name: text
+    norms: false
+    type: text
+  name: full_name
+  normalize: []
+  short: User's full name, if available.
+  type: wildcard
+user.group.domain:
+  dashed_name: user-group-domain
+  description: 'Name of the directory the group is a member of.
+
+    For example, an LDAP or Active Directory domain name.'
+  flat_name: user.group.domain
+  ignore_above: 1024
+  level: extended
+  name: domain
+  normalize: []
+  original_fieldset: group
+  short: Name of the directory the group is a member of.
+  type: keyword
+user.group.id:
+  dashed_name: user-group-id
+  description: Unique identifier for the group on the system/platform.
+  flat_name: user.group.id
+  ignore_above: 1024
+  level: extended
+  name: id
+  normalize: []
+  original_fieldset: group
+  short: Unique identifier for the group on the system/platform.
+  type: keyword
+user.group.name:
+  dashed_name: user-group-name
+  description: Name of the group.
+  flat_name: user.group.name
+  ignore_above: 1024
+  level: extended
+  name: name
+  normalize: []
+  original_fieldset: group
+  short: Name of the group.
+  type: keyword
+user.hash:
+  dashed_name: user-hash
+  description: 'Unique user hash to correlate information for a user in anonymized
+    form.
+
+    Useful if `user.id` or `user.name` contain confidential information and cannot
+    be used.'
+  flat_name: user.hash
+  ignore_above: 1024
+  level: extended
+  name: hash
+  normalize: []
+  short: Unique user hash to correlate information for a user in anonymized form.
+  type: keyword
+user.id:
+  dashed_name: user-id
+  description: Unique identifier of the user.
+  flat_name: user.id
+  ignore_above: 1024
+  level: core
+  name: id
+  normalize: []
+  short: Unique identifier of the user.
+  type: keyword
+user.name:
+  dashed_name: user-name
+  description: Short name or login of the user.
+  example: albert
+  flat_name: user.name
+  level: core
+  multi_fields:
+  - flat_name: user.name.text
+    name: text
+    norms: false
+    type: text
+  name: name
+  normalize: []
+  short: Short name or login of the user.
+  type: wildcard
+user.roles:
+  dashed_name: user-roles
+  description: Array of user roles at the time of the event.
+  example: '["kibana_admin", "reporting_user"]'
+  flat_name: user.roles
+  ignore_above: 1024
+  level: extended
+  name: roles
+  normalize:
+  - array
+  short: Array of user roles at the time of the event.
+  type: keyword
+user.target.domain:
+  dashed_name: user-target-domain
+  description: 'Name of the directory the user is a member of.
+
+    For example, an LDAP or Active Directory domain name.'
+  flat_name: user.target.domain
+  ignore_above: 1024
+  level: extended
+  name: domain
+  normalize: []
+  original_fieldset: user
+  short: Name of the directory the user is a member of.
+  type: keyword
+user.target.email:
+  dashed_name: user-target-email
+  description: User email address.
+  flat_name: user.target.email
+  level: extended
+  name: email
+  normalize: []
+  original_fieldset: user
+  short: User email address.
+  type: wildcard
+user.target.full_name:
+  dashed_name: user-target-full-name
+  description: User's full name, if available.
+  example: Albert Einstein
+  flat_name: user.target.full_name
+  level: extended
+  multi_fields:
+  - flat_name: user.target.full_name.text
+    name: text
+    norms: false
+    type: text
+  name: full_name
+  normalize: []
+  original_fieldset: user
+  short: User's full name, if available.
+  type: wildcard
+user.target.group.domain:
+  dashed_name: user-target-group-domain
+  description: 'Name of the directory the group is a member of.
+
+    For example, an LDAP or Active Directory domain name.'
+  flat_name: user.target.group.domain
+  ignore_above: 1024
+  level: extended
+  name: domain
+  normalize: []
+  original_fieldset: group
+  short: Name of the directory the group is a member of.
+  type: keyword
+user.target.group.id:
+  dashed_name: user-target-group-id
+  description: Unique identifier for the group on the system/platform.
+  flat_name: user.target.group.id
+  ignore_above: 1024
+  level: extended
+  name: id
+  normalize: []
+  original_fieldset: group
+  short: Unique identifier for the group on the system/platform.
+  type: keyword
+user.target.group.name:
+  dashed_name: user-target-group-name
+  description: Name of the group.
+  flat_name: user.target.group.name
+  ignore_above: 1024
+  level: extended
+  name: name
+  normalize: []
+  original_fieldset: group
+  short: Name of the group.
+  type: keyword
+user.target.hash:
+  dashed_name: user-target-hash
+  description: 'Unique user hash to correlate information for a user in anonymized
+    form.
+
+    Useful if `user.id` or `user.name` contain confidential information and cannot
+    be used.'
+  flat_name: user.target.hash
+  ignore_above: 1024
+  level: extended
+  name: hash
+  normalize: []
+  original_fieldset: user
+  short: Unique user hash to correlate information for a user in anonymized form.
+  type: keyword
+user.target.id:
+  dashed_name: user-target-id
+  description: Unique identifier of the user.
+  flat_name: user.target.id
+  ignore_above: 1024
+  level: core
+  name: id
+  normalize: []
+  original_fieldset: user
+  short: Unique identifier of the user.
+  type: keyword
+user.target.name:
+  dashed_name: user-target-name
+  description: Short name or login of the user.
+  example: albert
+  flat_name: user.target.name
+  level: core
+  multi_fields:
+  - flat_name: user.target.name.text
+    name: text
+    norms: false
+    type: text
+  name: name
+  normalize: []
+  original_fieldset: user
+  short: Short name or login of the user.
+  type: wildcard
+user.target.roles:
+  dashed_name: user-target-roles
+  description: Array of user roles at the time of the event.
+  example: '["kibana_admin", "reporting_user"]'
+  flat_name: user.target.roles
+  ignore_above: 1024
+  level: extended
+  name: roles
+  normalize:
+  - array
+  original_fieldset: user
+  short: Array of user roles at the time of the event.
+  type: keyword
+user_agent.device.name:
+  dashed_name: user-agent-device-name
+  description: Name of the device.
+  example: iPhone
+  flat_name: user_agent.device.name
+  ignore_above: 1024
+  level: extended
+  name: device.name
+  normalize: []
+  short: Name of the device.
+  type: keyword
+user_agent.name:
+  dashed_name: user-agent-name
+  description: Name of the user agent.
+  example: Safari
+  flat_name: user_agent.name
+  ignore_above: 1024
+  level: extended
+  name: name
+  normalize: []
+  short: Name of the user agent.
+  type: keyword
+user_agent.original:
+  dashed_name: user-agent-original
+  description: Unparsed user_agent string.
+  example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15
+    (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
+  flat_name: user_agent.original
+  level: extended
+  multi_fields:
+  - flat_name: user_agent.original.text
+    name: text
+    norms: false
+    type: text
+  name: original
+  normalize: []
+  short: Unparsed user_agent string.
+  type: wildcard
+user_agent.os.family:
+  dashed_name: user-agent-os-family
+  description: OS family (such as redhat, debian, freebsd, windows).
+  example: debian
+  flat_name: user_agent.os.family
+  ignore_above: 1024
+  level: extended
+  name: family
+  normalize: []
+  original_fieldset: os
+  short: OS family (such as redhat, debian, freebsd, windows).
+  type: keyword
+user_agent.os.full:
+  dashed_name: user-agent-os-full
+  description: Operating system name, including the version or code name.
+  example: Mac OS Mojave
+  flat_name: user_agent.os.full
+  level: extended
+  multi_fields:
+  - flat_name: user_agent.os.full.text
+    name: text
+    norms: false
+    type: text
+  name: full
+  normalize: []
+  original_fieldset: os
+  short: Operating system name, including the version or code name.
+  type: wildcard
+user_agent.os.kernel:
+  dashed_name: user-agent-os-kernel
+  description: Operating system kernel version as a raw string.
+  example: 4.4.0-112-generic
+  flat_name: user_agent.os.kernel
+  ignore_above: 1024
+  level: extended
+  name: kernel
+  normalize: []
+  original_fieldset: os
+  short: Operating system kernel version as a raw string.
+  type: keyword
+user_agent.os.name:
+  dashed_name: user-agent-os-name
+  description: Operating system name, without the version.
+  example: Mac OS X
+  flat_name: user_agent.os.name
+  level: extended
+  multi_fields:
+  - flat_name: user_agent.os.name.text
+    name: text
+    norms: false
+    type: text
+  name: name
+  normalize: []
+  original_fieldset: os
+  short: Operating system name, without the version.
+  type: wildcard
+user_agent.os.platform:
+  dashed_name: user-agent-os-platform
+  description: Operating system platform (such centos, ubuntu, windows).
+  example: darwin
+  flat_name: user_agent.os.platform
+  ignore_above: 1024
+  level: extended
+  name: platform
+  normalize: []
+  original_fieldset: os
+  short: Operating system platform (such centos, ubuntu, windows).
+  type: keyword
+user_agent.os.version:
+  dashed_name: user-agent-os-version
+  description: Operating system version as a raw string.
+  example: 10.14.1
+  flat_name: user_agent.os.version
+  ignore_above: 1024
+  level: extended
+  name: version
+  normalize: []
+  original_fieldset: os
+  short: Operating system version as a raw string.
+  type: keyword
+user_agent.version:
+  dashed_name: user-agent-version
+  description: Version of the user agent.
+  example: 12.0
+  flat_name: user_agent.version
+  ignore_above: 1024
+  level: extended
+  name: version
+  normalize: []
+  short: Version of the user agent.
+  type: keyword
+vulnerability.category:
+  dashed_name: vulnerability-category
+  description: 'The type of system or architecture that the vulnerability affects.
+    These may be platform-specific (for example, Debian or SUSE) or general (for example,
+    Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys
+    vulnerability categories])
+
+    This field must be an array.'
+  example: '["Firewall"]'
+  flat_name: vulnerability.category
+  ignore_above: 1024
+  level: extended
+  name: category
+  normalize:
+  - array
+  short: Category of a vulnerability.
+  type: keyword
+vulnerability.classification:
+  dashed_name: vulnerability-classification
+  description: The classification of the vulnerability scoring system. For example
+    (https://www.first.org/cvss/)
+  example: CVSS
+  flat_name: vulnerability.classification
+  ignore_above: 1024
+  level: extended
+  name: classification
+  normalize: []
+  short: Classification of the vulnerability.
+  type: keyword
+vulnerability.description:
+  dashed_name: vulnerability-description
+  description: The description of the vulnerability that provides additional context
+    of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common
+    Vulnerabilities and Exposure CVE description])
+  example: In macOS before 2.12.6, there is a vulnerability in the RPC...
+  flat_name: vulnerability.description
+  ignore_above: 1024
+  level: extended
+  multi_fields:
+  - flat_name: vulnerability.description.text
+    name: text
+    norms: false
+    type: text
+  name: description
+  normalize: []
+  short: Description of the vulnerability.
+  type: keyword
+vulnerability.enumeration:
+  dashed_name: vulnerability-enumeration
+  description: The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/)
+  example: CVE
+  flat_name: vulnerability.enumeration
+  ignore_above: 1024
+  level: extended
+  name: enumeration
+  normalize: []
+  short: Identifier of the vulnerability.
+  type: keyword
+vulnerability.id:
+  dashed_name: vulnerability-id
+  description: The identification (ID) is the number portion of a vulnerability entry.
+    It includes a unique identification number for the vulnerability. For example
+    (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities
+    and Exposure CVE ID]
+  example: CVE-2019-00001
+  flat_name: vulnerability.id
+  ignore_above: 1024
+  level: extended
+  name: id
+  normalize: []
+  short: ID of the vulnerability.
+  type: keyword
+vulnerability.reference:
+  dashed_name: vulnerability-reference
+  description: A resource that provides additional information, context, and mitigations
+    for the identified vulnerability.
+  example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111
+  flat_name: vulnerability.reference
+  ignore_above: 1024
+  level: extended
+  name: reference
+  normalize: []
+  short: Reference of the vulnerability.
+  type: keyword
+vulnerability.report_id:
+  dashed_name: vulnerability-report-id
+  description: The report or scan identification number.
+  example: 20191018.0001
+  flat_name: vulnerability.report_id
+  ignore_above: 1024
+  level: extended
+  name: report_id
+  normalize: []
+  short: Scan identification number.
+  type: keyword
+vulnerability.scanner.vendor:
+  dashed_name: vulnerability-scanner-vendor
+  description: The name of the vulnerability scanner vendor.
+  example: Tenable
+  flat_name: vulnerability.scanner.vendor
+  ignore_above: 1024
+  level: extended
+  name: scanner.vendor
+  normalize: []
+  short: Name of the scanner vendor.
+  type: keyword
+vulnerability.score.base:
+  dashed_name: vulnerability-score-base
+  description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
+
+    Base scores cover an assessment for exploitability metrics (attack vector, complexity,
+    privileges, and user interaction), impact metrics (confidentiality, integrity,
+    and availability), and scope. For example (https://www.first.org/cvss/specification-document)'
+  example: 5.5
+  flat_name: vulnerability.score.base
+  level: extended
+  name: score.base
+  normalize: []
+  short: Vulnerability Base score.
+  type: float
+vulnerability.score.environmental:
+  dashed_name: vulnerability-score-environmental
+  description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
+
+    Environmental scores cover an assessment for any modified Base metrics, confidentiality,
+    integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document)'
+  example: 5.5
+  flat_name: vulnerability.score.environmental
+  level: extended
+  name: score.environmental
+  normalize: []
+  short: Vulnerability Environmental score.
+  type: float
+vulnerability.score.temporal:
+  dashed_name: vulnerability-score-temporal
+  description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
+
+    Temporal scores cover an assessment for code maturity, remediation level, and
+    confidence. For example (https://www.first.org/cvss/specification-document)'
+  flat_name: vulnerability.score.temporal
+  level: extended
+  name: score.temporal
+  normalize: []
+  short: Vulnerability Temporal score.
+  type: float
+vulnerability.score.version:
+  dashed_name: vulnerability-score-version
+  description: 'The National Vulnerability Database (NVD) provides qualitative severity
+    rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition
+    to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification.
+
+    CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization,
+    whose mission is to help computer security incident response teams across the
+    world. For example (https://nvd.nist.gov/vuln-metrics/cvss)'
+  example: 2.0
+  flat_name: vulnerability.score.version
+  ignore_above: 1024
+  level: extended
+  name: score.version
+  normalize: []
+  short: CVSS version.
+  type: keyword
+vulnerability.severity:
+  dashed_name: vulnerability-severity
+  description: The severity of the vulnerability can help with metrics and internal
+    prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss)
+  example: Critical
+  flat_name: vulnerability.severity
+  ignore_above: 1024
+  level: extended
+  name: severity
+  normalize: []
+  short: Severity of the vulnerability.
+  type: keyword
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
new file mode 100644
index 0000000000..1c40d63dfd
--- /dev/null
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -0,0 +1,10663 @@
+agent:
+  description: 'The agent fields contain the data about the software entity, if any,
+    that collects, detects, or observes events on a host, or takes measurements on
+    a host.
+
+    Examples include Beats. Agents may also run on observers. ECS agent.* fields shall
+    be populated with details of the agent running on the host or observer where the
+    event happened or the measurement was taken.'
+  fields:
+    agent.build.original:
+      dashed_name: agent-build-original
+      description: 'Extended build information for the agent.
+
+        This field is intended to contain any build information that a data source
+        may provide, no specific formatting is required.'
+      example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c
+        built 2020-02-05 23:10:10 +0000 UTC]
+      flat_name: agent.build.original
+      level: core
+      name: build.original
+      normalize: []
+      short: Extended build information for the agent.
+      type: wildcard
+    agent.ephemeral_id:
+      dashed_name: agent-ephemeral-id
+      description: 'Ephemeral identifier of this agent (if one exists).
+
+        This id normally changes across restarts, but `agent.id` does not.'
+      example: 8a4f500f
+      flat_name: agent.ephemeral_id
+      ignore_above: 1024
+      level: extended
+      name: ephemeral_id
+      normalize: []
+      short: Ephemeral identifier of this agent.
+      type: keyword
+    agent.id:
+      dashed_name: agent-id
+      description: 'Unique identifier of this agent (if one exists).
+
+        Example: For Beats this would be beat.id.'
+      example: 8a4f500d
+      flat_name: agent.id
+      ignore_above: 1024
+      level: core
+      name: id
+      normalize: []
+      short: Unique identifier of this agent.
+      type: keyword
+    agent.name:
+      dashed_name: agent-name
+      description: 'Custom name of the agent.
+
+        This is a name that can be given to an agent. This can be helpful if for example
+        two Filebeat instances are running on the same host but a human readable separation
+        is needed on which Filebeat instance data is coming from.
+
+        If no name is given, the name is often left empty.'
+      example: foo
+      flat_name: agent.name
+      ignore_above: 1024
+      level: core
+      name: name
+      normalize: []
+      short: Custom name of the agent.
+      type: keyword
+    agent.type:
+      dashed_name: agent-type
+      description: 'Type of the agent.
+
+        The agent type always stays the same and should be given by the agent used.
+        In case of Filebeat the agent would always be Filebeat also if two Filebeat
+        instances are run on the same machine.'
+      example: filebeat
+      flat_name: agent.type
+      ignore_above: 1024
+      level: core
+      name: type
+      normalize: []
+      short: Type of the agent.
+      type: keyword
+    agent.version:
+      dashed_name: agent-version
+      description: Version of the agent.
+      example: 6.0.0-rc2
+      flat_name: agent.version
+      ignore_above: 1024
+      level: core
+      name: version
+      normalize: []
+      short: Version of the agent.
+      type: keyword
+  footnote: 'Examples: In the case of Beats for logs, the agent.name is filebeat.
+    For APM, it is the agent running in the app/service. The agent information does
+    not change if data is sent through queuing systems like Kafka, Redis, or processing
+    systems such as Logstash or APM Server.'
+  group: 2
+  name: agent
+  prefix: agent.
+  short: Fields about the monitoring agent.
+  title: Agent
+  type: group
+as:
+  description: An autonomous system (AS) is a collection of connected Internet Protocol
+    (IP) routing prefixes under the control of one or more network operators on behalf
+    of a single administrative entity or domain that presents a common, clearly defined
+    routing policy to the internet.
+  fields:
+    as.number:
+      dashed_name: as-number
+      description: Unique number allocated to the autonomous system. The autonomous
+        system number (ASN) uniquely identifies each network on the Internet.
+      example: 15169
+      flat_name: as.number
+      level: extended
+      name: number
+      normalize: []
+      short: Unique number allocated to the autonomous system.
+      type: long
+    as.organization.name:
+      dashed_name: as-organization-name
+      description: Organization name.
+      example: Google LLC
+      flat_name: as.organization.name
+      level: extended
+      multi_fields:
+      - flat_name: as.organization.name.text
+        name: text
+        norms: false
+        type: text
+      name: organization.name
+      normalize: []
+      short: Organization name.
+      type: wildcard
+  group: 2
+  name: as
+  prefix: as.
+  reusable:
+    expected:
+    - as: as
+      at: client
+      full: client.as
+    - as: as
+      at: destination
+      full: destination.as
+    - as: as
+      at: server
+      full: server.as
+    - as: as
+      at: source
+      full: source.as
+    top_level: false
+  short: Fields describing an Autonomous System (Internet routing prefix).
+  title: Autonomous System
+  type: group
+base:
+  description: The `base` field set contains all fields which are at the root of the
+    events. These fields are common across all types of events.
+  fields:
+    '@timestamp':
+      dashed_name: -timestamp
+      description: 'Date/time when the event originated.
+
+        This is the date/time extracted from the event, typically representing when
+        the event was generated by the source.
+
+        If the event source has no original timestamp, this value is typically populated
+        by the first time the event was received by the pipeline.
+
+        Required field for all events.'
+      example: '2016-05-23T08:05:34.853Z'
+      flat_name: '@timestamp'
+      level: core
+      name: '@timestamp'
+      normalize: []
+      required: true
+      short: Date/time when the event originated.
+      type: date
+    labels:
+      dashed_name: labels
+      description: 'Custom key/value pairs.
+
+        Can be used to add meta information to events. Should not contain nested objects.
+        All values are stored as keyword.
+
+        Example: `docker` and `k8s` labels.'
+      example: '{"application": "foo-bar", "env": "production"}'
+      flat_name: labels
+      level: core
+      name: labels
+      normalize: []
+      object_type: keyword
+      short: Custom key/value pairs.
+      type: object
+    message:
+      dashed_name: message
+      description: 'For log events the message field contains the log message, optimized
+        for viewing in a log viewer.
+
+        For structured logs without an original message field, other fields can be
+        concatenated to form a human-readable summary of the event.
+
+        If multiple messages exist, they can be combined into one message.'
+      example: Hello World
+      flat_name: message
+      level: core
+      name: message
+      normalize: []
+      norms: false
+      short: Log message optimized for viewing in a log viewer.
+      type: text
+    tags:
+      dashed_name: tags
+      description: List of keywords used to tag each event.
+      example: '["production", "env2"]'
+      flat_name: tags
+      ignore_above: 1024
+      level: core
+      name: tags
+      normalize:
+      - array
+      short: List of keywords used to tag each event.
+      type: keyword
+  group: 1
+  name: base
+  prefix: ''
+  root: true
+  short: All fields defined directly at the root of the events.
+  title: Base
+  type: group
+client:
+  description: 'A client is defined as the initiator of a network connection for events
+    regarding sessions, connections, or bidirectional flow records.
+
+    For TCP events, the client is the initiator of the TCP connection that sends the
+    SYN packet(s). For other protocols, the client is generally the initiator or requestor
+    in the network transaction. Some systems use the term "originator" to refer the
+    client in TCP connections. The client fields describe details about the system
+    acting as the client in the network event. Client fields are usually populated
+    in conjunction with server fields. Client fields are generally not populated for
+    packet-level events.
+
+    Client / server representations can add semantic context to an exchange, which
+    is helpful to visualize the data in certain situations. If your context falls
+    in that category, you should still ensure that source and destination are filled
+    appropriately.'
+  fields:
+    client.address:
+      dashed_name: client-address
+      description: 'Some event client addresses are defined ambiguously. The event
+        will sometimes list an IP, a domain or a unix socket.  You should always store
+        the raw address in the `.address` field.
+
+        Then it should be duplicated to `.ip` or `.domain`, depending on which one
+        it is.'
+      flat_name: client.address
+      ignore_above: 1024
+      level: extended
+      name: address
+      normalize: []
+      short: Client network address.
+      type: keyword
+    client.as.number:
+      dashed_name: client-as-number
+      description: Unique number allocated to the autonomous system. The autonomous
+        system number (ASN) uniquely identifies each network on the Internet.
+      example: 15169
+      flat_name: client.as.number
+      level: extended
+      name: number
+      normalize: []
+      original_fieldset: as
+      short: Unique number allocated to the autonomous system.
+      type: long
+    client.as.organization.name:
+      dashed_name: client-as-organization-name
+      description: Organization name.
+      example: Google LLC
+      flat_name: client.as.organization.name
+      level: extended
+      multi_fields:
+      - flat_name: client.as.organization.name.text
+        name: text
+        norms: false
+        type: text
+      name: organization.name
+      normalize: []
+      original_fieldset: as
+      short: Organization name.
+      type: wildcard
+    client.bytes:
+      dashed_name: client-bytes
+      description: Bytes sent from the client to the server.
+      example: 184
+      flat_name: client.bytes
+      format: bytes
+      level: core
+      name: bytes
+      normalize: []
+      short: Bytes sent from the client to the server.
+      type: long
+    client.domain:
+      dashed_name: client-domain
+      description: Client domain.
+      flat_name: client.domain
+      level: core
+      name: domain
+      normalize: []
+      short: Client domain.
+      type: wildcard
+    client.geo.city_name:
+      dashed_name: client-geo-city-name
+      description: City name.
+      example: Montreal
+      flat_name: client.geo.city_name
+      ignore_above: 1024
+      level: core
+      name: city_name
+      normalize: []
+      original_fieldset: geo
+      short: City name.
+      type: keyword
+    client.geo.continent_name:
+      dashed_name: client-geo-continent-name
+      description: Name of the continent.
+      example: North America
+      flat_name: client.geo.continent_name
+      ignore_above: 1024
+      level: core
+      name: continent_name
+      normalize: []
+      original_fieldset: geo
+      short: Name of the continent.
+      type: keyword
+    client.geo.country_iso_code:
+      dashed_name: client-geo-country-iso-code
+      description: Country ISO code.
+      example: CA
+      flat_name: client.geo.country_iso_code
+      ignore_above: 1024
+      level: core
+      name: country_iso_code
+      normalize: []
+      original_fieldset: geo
+      short: Country ISO code.
+      type: keyword
+    client.geo.country_name:
+      dashed_name: client-geo-country-name
+      description: Country name.
+      example: Canada
+      flat_name: client.geo.country_name
+      ignore_above: 1024
+      level: core
+      name: country_name
+      normalize: []
+      original_fieldset: geo
+      short: Country name.
+      type: keyword
+    client.geo.location:
+      dashed_name: client-geo-location
+      description: Longitude and latitude.
+      example: '{ "lon": -73.614830, "lat": 45.505918 }'
+      flat_name: client.geo.location
+      level: core
+      name: location
+      normalize: []
+      original_fieldset: geo
+      short: Longitude and latitude.
+      type: geo_point
+    client.geo.name:
+      dashed_name: client-geo-name
+      description: 'User-defined description of a location, at the level of granularity
+        they care about.
+
+        Could be the name of their data centers, the floor number, if this describes
+        a local physical entity, city names.
+
+        Not typically used in automated geolocation.'
+      example: boston-dc
+      flat_name: client.geo.name
+      level: extended
+      name: name
+      normalize: []
+      original_fieldset: geo
+      short: User-defined description of a location.
+      type: wildcard
+    client.geo.region_iso_code:
+      dashed_name: client-geo-region-iso-code
+      description: Region ISO code.
+      example: CA-QC
+      flat_name: client.geo.region_iso_code
+      ignore_above: 1024
+      level: core
+      name: region_iso_code
+      normalize: []
+      original_fieldset: geo
+      short: Region ISO code.
+      type: keyword
+    client.geo.region_name:
+      dashed_name: client-geo-region-name
+      description: Region name.
+      example: Quebec
+      flat_name: client.geo.region_name
+      ignore_above: 1024
+      level: core
+      name: region_name
+      normalize: []
+      original_fieldset: geo
+      short: Region name.
+      type: keyword
+    client.ip:
+      dashed_name: client-ip
+      description: IP address of the client (IPv4 or IPv6).
+      flat_name: client.ip
+      level: core
+      name: ip
+      normalize: []
+      short: IP address of the client.
+      type: ip
+    client.mac:
+      dashed_name: client-mac
+      description: MAC address of the client.
+      flat_name: client.mac
+      ignore_above: 1024
+      level: core
+      name: mac
+      normalize: []
+      short: MAC address of the client.
+      type: keyword
+    client.nat.ip:
+      dashed_name: client-nat-ip
+      description: 'Translated IP of source based NAT sessions (e.g. internal client
+        to internet).
+
+        Typically connections traversing load balancers, firewalls, or routers.'
+      flat_name: client.nat.ip
+      level: extended
+      name: nat.ip
+      normalize: []
+      short: Client NAT ip address
+      type: ip
+    client.nat.port:
+      dashed_name: client-nat-port
+      description: 'Translated port of source based NAT sessions (e.g. internal client
+        to internet).
+
+        Typically connections traversing load balancers, firewalls, or routers.'
+      flat_name: client.nat.port
+      format: string
+      level: extended
+      name: nat.port
+      normalize: []
+      short: Client NAT port
+      type: long
+    client.packets:
+      dashed_name: client-packets
+      description: Packets sent from the client to the server.
+      example: 12
+      flat_name: client.packets
+      level: core
+      name: packets
+      normalize: []
+      short: Packets sent from the client to the server.
+      type: long
+    client.port:
+      dashed_name: client-port
+      description: Port of the client.
+      flat_name: client.port
+      format: string
+      level: core
+      name: port
+      normalize: []
+      short: Port of the client.
+      type: long
+    client.registered_domain:
+      dashed_name: client-registered-domain
+      description: 'The highest registered client domain, stripped of the subdomain.
+
+        For example, the registered domain for "foo.example.com" is "example.com".
+
+        This value can be determined precisely with a list like the public suffix
+        list (http://publicsuffix.org). Trying to approximate this by simply taking
+        the last two labels will not work well for TLDs such as "co.uk".'
+      example: example.com
+      flat_name: client.registered_domain
+      level: extended
+      name: registered_domain
+      normalize: []
+      short: The highest registered client domain, stripped of the subdomain.
+      type: wildcard
+    client.subdomain:
+      dashed_name: client-subdomain
+      description: 'The subdomain portion of a fully qualified domain name includes
+        all of the names except the host name under the registered_domain.  In a partially
+        qualified domain, or if the the qualification level of the full name cannot
+        be determined, subdomain contains all of the names below the registered domain.
+
+        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.'
+      example: east
+      flat_name: client.subdomain
+      ignore_above: 1024
+      level: extended
+      name: subdomain
+      normalize: []
+      short: The subdomain of the domain.
+      type: keyword
+    client.top_level_domain:
+      dashed_name: client-top-level-domain
+      description: 'The effective top level domain (eTLD), also known as the domain
+        suffix, is the last part of the domain name. For example, the top level domain
+        for example.com is "com".
+
+        This value can be determined precisely with a list like the public suffix
+        list (http://publicsuffix.org). Trying to approximate this by simply taking
+        the last label will not work well for effective TLDs such as "co.uk".'
+      example: co.uk
+      flat_name: client.top_level_domain
+      ignore_above: 1024
+      level: extended
+      name: top_level_domain
+      normalize: []
+      short: The effective top level domain (com, org, net, co.uk).
+      type: keyword
+    client.user.domain:
+      dashed_name: client-user-domain
+      description: 'Name of the directory the user is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      flat_name: client.user.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      original_fieldset: user
+      short: Name of the directory the user is a member of.
+      type: keyword
+    client.user.email:
+      dashed_name: client-user-email
+      description: User email address.
+      flat_name: client.user.email
+      level: extended
+      name: email
+      normalize: []
+      original_fieldset: user
+      short: User email address.
+      type: wildcard
+    client.user.full_name:
+      dashed_name: client-user-full-name
+      description: User's full name, if available.
+      example: Albert Einstein
+      flat_name: client.user.full_name
+      level: extended
+      multi_fields:
+      - flat_name: client.user.full_name.text
+        name: text
+        norms: false
+        type: text
+      name: full_name
+      normalize: []
+      original_fieldset: user
+      short: User's full name, if available.
+      type: wildcard
+    client.user.group.domain:
+      dashed_name: client-user-group-domain
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      flat_name: client.user.group.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      original_fieldset: group
+      short: Name of the directory the group is a member of.
+      type: keyword
+    client.user.group.id:
+      dashed_name: client-user-group-id
+      description: Unique identifier for the group on the system/platform.
+      flat_name: client.user.group.id
+      ignore_above: 1024
+      level: extended
+      name: id
+      normalize: []
+      original_fieldset: group
+      short: Unique identifier for the group on the system/platform.
+      type: keyword
+    client.user.group.name:
+      dashed_name: client-user-group-name
+      description: Name of the group.
+      flat_name: client.user.group.name
+      ignore_above: 1024
+      level: extended
+      name: name
+      normalize: []
+      original_fieldset: group
+      short: Name of the group.
+      type: keyword
+    client.user.hash:
+      dashed_name: client-user-hash
+      description: 'Unique user hash to correlate information for a user in anonymized
+        form.
+
+        Useful if `user.id` or `user.name` contain confidential information and cannot
+        be used.'
+      flat_name: client.user.hash
+      ignore_above: 1024
+      level: extended
+      name: hash
+      normalize: []
+      original_fieldset: user
+      short: Unique user hash to correlate information for a user in anonymized form.
+      type: keyword
+    client.user.id:
+      dashed_name: client-user-id
+      description: Unique identifier of the user.
+      flat_name: client.user.id
+      ignore_above: 1024
+      level: core
+      name: id
+      normalize: []
+      original_fieldset: user
+      short: Unique identifier of the user.
+      type: keyword
+    client.user.name:
+      dashed_name: client-user-name
+      description: Short name or login of the user.
+      example: albert
+      flat_name: client.user.name
+      level: core
+      multi_fields:
+      - flat_name: client.user.name.text
+        name: text
+        norms: false
+        type: text
+      name: name
+      normalize: []
+      original_fieldset: user
+      short: Short name or login of the user.
+      type: wildcard
+    client.user.roles:
+      dashed_name: client-user-roles
+      description: Array of user roles at the time of the event.
+      example: '["kibana_admin", "reporting_user"]'
+      flat_name: client.user.roles
+      ignore_above: 1024
+      level: extended
+      name: roles
+      normalize:
+      - array
+      original_fieldset: user
+      short: Array of user roles at the time of the event.
+      type: keyword
+  group: 2
+  name: client
+  nestings:
+  - client.as
+  - client.geo
+  - client.user
+  prefix: client.
+  reused_here:
+  - full: client.as
+    schema_name: as
+    short: Fields describing an Autonomous System (Internet routing prefix).
+  - full: client.geo
+    schema_name: geo
+    short: Fields describing a location.
+  - full: client.user
+    schema_name: user
+    short: Fields to describe the user relevant to the event.
+  short: Fields about the client side of a network connection, used with server.
+  title: Client
+  type: group
+cloud:
+  description: Fields related to the cloud or infrastructure the events are coming
+    from.
+  fields:
+    cloud.account.id:
+      dashed_name: cloud-account-id
+      description: 'The cloud account or organization id used to identify different
+        entities in a multi-tenant environment.
+
+        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+      example: 666777888999
+      flat_name: cloud.account.id
+      ignore_above: 1024
+      level: extended
+      name: account.id
+      normalize: []
+      short: The cloud account or organization id.
+      type: keyword
+    cloud.account.name:
+      dashed_name: cloud-account-name
+      description: 'The cloud account name or alias used to identify different entities
+        in a multi-tenant environment.
+
+        Examples: AWS account name, Google Cloud ORG display name.'
+      example: elastic-dev
+      flat_name: cloud.account.name
+      ignore_above: 1024
+      level: extended
+      name: account.name
+      normalize: []
+      short: The cloud account name.
+      type: keyword
+    cloud.availability_zone:
+      dashed_name: cloud-availability-zone
+      description: Availability zone in which this host is running.
+      example: us-east-1c
+      flat_name: cloud.availability_zone
+      ignore_above: 1024
+      level: extended
+      name: availability_zone
+      normalize: []
+      short: Availability zone in which this host is running.
+      type: keyword
+    cloud.instance.id:
+      dashed_name: cloud-instance-id
+      description: Instance ID of the host machine.
+      example: i-1234567890abcdef0
+      flat_name: cloud.instance.id
+      ignore_above: 1024
+      level: extended
+      name: instance.id
+      normalize: []
+      short: Instance ID of the host machine.
+      type: keyword
+    cloud.instance.name:
+      dashed_name: cloud-instance-name
+      description: Instance name of the host machine.
+      flat_name: cloud.instance.name
+      ignore_above: 1024
+      level: extended
+      name: instance.name
+      normalize: []
+      short: Instance name of the host machine.
+      type: keyword
+    cloud.machine.type:
+      dashed_name: cloud-machine-type
+      description: Machine type of the host machine.
+      example: t2.medium
+      flat_name: cloud.machine.type
+      ignore_above: 1024
+      level: extended
+      name: machine.type
+      normalize: []
+      short: Machine type of the host machine.
+      type: keyword
+    cloud.project.id:
+      dashed_name: cloud-project-id
+      description: 'The cloud project identifier.
+
+        Examples: Google Cloud Project id, Azure Project id.'
+      example: my-project
+      flat_name: cloud.project.id
+      ignore_above: 1024
+      level: extended
+      name: project.id
+      normalize: []
+      short: The cloud project id.
+      type: keyword
+    cloud.project.name:
+      dashed_name: cloud-project-name
+      description: 'The cloud project name.
+
+        Examples: Google Cloud Project name, Azure Project name.'
+      example: my project
+      flat_name: cloud.project.name
+      ignore_above: 1024
+      level: extended
+      name: project.name
+      normalize: []
+      short: The cloud project name.
+      type: keyword
+    cloud.provider:
+      dashed_name: cloud-provider
+      description: Name of the cloud provider. Example values are aws, azure, gcp,
+        or digitalocean.
+      example: aws
+      flat_name: cloud.provider
+      ignore_above: 1024
+      level: extended
+      name: provider
+      normalize: []
+      short: Name of the cloud provider.
+      type: keyword
+    cloud.region:
+      dashed_name: cloud-region
+      description: Region in which this host is running.
+      example: us-east-1
+      flat_name: cloud.region
+      ignore_above: 1024
+      level: extended
+      name: region
+      normalize: []
+      short: Region in which this host is running.
+      type: keyword
+  footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from
+    its host, the cloud info contains the data about this machine. If Metricbeat runs
+    on a remote machine outside the cloud and fetches data from a service running
+    in the cloud, the field contains cloud data from the machine the service is running
+    on.'
+  group: 2
+  name: cloud
+  prefix: cloud.
+  short: Fields about the cloud resource.
+  title: Cloud
+  type: group
+code_signature:
+  description: These fields contain information about binary code signatures.
+  fields:
+    code_signature.exists:
+      dashed_name: code-signature-exists
+      description: Boolean to capture if a signature is present.
+      example: 'true'
+      flat_name: code_signature.exists
+      level: core
+      name: exists
+      normalize: []
+      short: Boolean to capture if a signature is present.
+      type: boolean
+    code_signature.status:
+      dashed_name: code-signature-status
+      description: 'Additional information about the certificate status.
+
+        This is useful for logging cryptographic errors with the certificate validity
+        or trust status. Leave unpopulated if the validity or trust of the certificate
+        was unchecked.'
+      example: ERROR_UNTRUSTED_ROOT
+      flat_name: code_signature.status
+      ignore_above: 1024
+      level: extended
+      name: status
+      normalize: []
+      short: Additional information about the certificate status.
+      type: keyword
+    code_signature.subject_name:
+      dashed_name: code-signature-subject-name
+      description: Subject name of the code signer
+      example: Microsoft Corporation
+      flat_name: code_signature.subject_name
+      ignore_above: 1024
+      level: core
+      name: subject_name
+      normalize: []
+      short: Subject name of the code signer
+      type: keyword
+    code_signature.trusted:
+      dashed_name: code-signature-trusted
+      description: 'Stores the trust status of the certificate chain.
+
+        Validating the trust of the certificate chain may be complicated, and this
+        field should only be populated by tools that actively check the status.'
+      example: 'true'
+      flat_name: code_signature.trusted
+      level: extended
+      name: trusted
+      normalize: []
+      short: Stores the trust status of the certificate chain.
+      type: boolean
+    code_signature.valid:
+      dashed_name: code-signature-valid
+      description: 'Boolean to capture if the digital signature is verified against
+        the binary content.
+
+        Leave unpopulated if a certificate was unchecked.'
+      example: 'true'
+      flat_name: code_signature.valid
+      level: extended
+      name: valid
+      normalize: []
+      short: Boolean to capture if the digital signature is verified against the binary
+        content.
+      type: boolean
+  group: 2
+  name: code_signature
+  prefix: code_signature.
+  reusable:
+    expected:
+    - as: code_signature
+      at: file
+      full: file.code_signature
+    - as: code_signature
+      at: process
+      full: process.code_signature
+    - as: code_signature
+      at: dll
+      full: dll.code_signature
+    top_level: false
+  short: These fields contain information about binary code signatures.
+  title: Code Signature
+  type: group
+container:
+  description: 'Container fields are used for meta information about the specific
+    container that is the source of information.
+
+    These fields help correlate data based containers from any runtime.'
+  fields:
+    container.id:
+      dashed_name: container-id
+      description: Unique container id.
+      flat_name: container.id
+      ignore_above: 1024
+      level: core
+      name: id
+      normalize: []
+      short: Unique container id.
+      type: keyword
+    container.image.name:
+      dashed_name: container-image-name
+      description: Name of the image the container was built on.
+      flat_name: container.image.name
+      ignore_above: 1024
+      level: extended
+      name: image.name
+      normalize: []
+      short: Name of the image the container was built on.
+      type: keyword
+    container.image.tag:
+      dashed_name: container-image-tag
+      description: Container image tags.
+      flat_name: container.image.tag
+      ignore_above: 1024
+      level: extended
+      name: image.tag
+      normalize:
+      - array
+      short: Container image tags.
+      type: keyword
+    container.labels:
+      dashed_name: container-labels
+      description: Image labels.
+      flat_name: container.labels
+      level: extended
+      name: labels
+      normalize: []
+      object_type: keyword
+      short: Image labels.
+      type: object
+    container.name:
+      dashed_name: container-name
+      description: Container name.
+      flat_name: container.name
+      ignore_above: 1024
+      level: extended
+      name: name
+      normalize: []
+      short: Container name.
+      type: keyword
+    container.runtime:
+      dashed_name: container-runtime
+      description: Runtime managing this container.
+      example: docker
+      flat_name: container.runtime
+      ignore_above: 1024
+      level: extended
+      name: runtime
+      normalize: []
+      short: Runtime managing this container.
+      type: keyword
+  group: 2
+  name: container
+  prefix: container.
+  short: Fields describing the container that generated this event.
+  title: Container
+  type: group
+destination:
+  description: 'Destination fields capture details about the receiver of a network
+    exchange/packet. These fields are populated from a network event, packet, or other
+    event containing details of a network transaction.
+
+    Destination fields are usually populated in conjunction with source fields. The
+    source and destination fields are considered the baseline and should always be
+    filled if an event contains source and destination details from a network transaction.
+    If the event also contains identification of the client and server roles, then
+    the client and server fields should also be populated.'
+  fields:
+    destination.address:
+      dashed_name: destination-address
+      description: 'Some event destination addresses are defined ambiguously. The
+        event will sometimes list an IP, a domain or a unix socket.  You should always
+        store the raw address in the `.address` field.
+
+        Then it should be duplicated to `.ip` or `.domain`, depending on which one
+        it is.'
+      flat_name: destination.address
+      ignore_above: 1024
+      level: extended
+      name: address
+      normalize: []
+      short: Destination network address.
+      type: keyword
+    destination.as.number:
+      dashed_name: destination-as-number
+      description: Unique number allocated to the autonomous system. The autonomous
+        system number (ASN) uniquely identifies each network on the Internet.
+      example: 15169
+      flat_name: destination.as.number
+      level: extended
+      name: number
+      normalize: []
+      original_fieldset: as
+      short: Unique number allocated to the autonomous system.
+      type: long
+    destination.as.organization.name:
+      dashed_name: destination-as-organization-name
+      description: Organization name.
+      example: Google LLC
+      flat_name: destination.as.organization.name
+      level: extended
+      multi_fields:
+      - flat_name: destination.as.organization.name.text
+        name: text
+        norms: false
+        type: text
+      name: organization.name
+      normalize: []
+      original_fieldset: as
+      short: Organization name.
+      type: wildcard
+    destination.bytes:
+      dashed_name: destination-bytes
+      description: Bytes sent from the destination to the source.
+      example: 184
+      flat_name: destination.bytes
+      format: bytes
+      level: core
+      name: bytes
+      normalize: []
+      short: Bytes sent from the destination to the source.
+      type: long
+    destination.domain:
+      dashed_name: destination-domain
+      description: Destination domain.
+      flat_name: destination.domain
+      level: core
+      name: domain
+      normalize: []
+      short: Destination domain.
+      type: wildcard
+    destination.geo.city_name:
+      dashed_name: destination-geo-city-name
+      description: City name.
+      example: Montreal
+      flat_name: destination.geo.city_name
+      ignore_above: 1024
+      level: core
+      name: city_name
+      normalize: []
+      original_fieldset: geo
+      short: City name.
+      type: keyword
+    destination.geo.continent_name:
+      dashed_name: destination-geo-continent-name
+      description: Name of the continent.
+      example: North America
+      flat_name: destination.geo.continent_name
+      ignore_above: 1024
+      level: core
+      name: continent_name
+      normalize: []
+      original_fieldset: geo
+      short: Name of the continent.
+      type: keyword
+    destination.geo.country_iso_code:
+      dashed_name: destination-geo-country-iso-code
+      description: Country ISO code.
+      example: CA
+      flat_name: destination.geo.country_iso_code
+      ignore_above: 1024
+      level: core
+      name: country_iso_code
+      normalize: []
+      original_fieldset: geo
+      short: Country ISO code.
+      type: keyword
+    destination.geo.country_name:
+      dashed_name: destination-geo-country-name
+      description: Country name.
+      example: Canada
+      flat_name: destination.geo.country_name
+      ignore_above: 1024
+      level: core
+      name: country_name
+      normalize: []
+      original_fieldset: geo
+      short: Country name.
+      type: keyword
+    destination.geo.location:
+      dashed_name: destination-geo-location
+      description: Longitude and latitude.
+      example: '{ "lon": -73.614830, "lat": 45.505918 }'
+      flat_name: destination.geo.location
+      level: core
+      name: location
+      normalize: []
+      original_fieldset: geo
+      short: Longitude and latitude.
+      type: geo_point
+    destination.geo.name:
+      dashed_name: destination-geo-name
+      description: 'User-defined description of a location, at the level of granularity
+        they care about.
+
+        Could be the name of their data centers, the floor number, if this describes
+        a local physical entity, city names.
+
+        Not typically used in automated geolocation.'
+      example: boston-dc
+      flat_name: destination.geo.name
+      level: extended
+      name: name
+      normalize: []
+      original_fieldset: geo
+      short: User-defined description of a location.
+      type: wildcard
+    destination.geo.region_iso_code:
+      dashed_name: destination-geo-region-iso-code
+      description: Region ISO code.
+      example: CA-QC
+      flat_name: destination.geo.region_iso_code
+      ignore_above: 1024
+      level: core
+      name: region_iso_code
+      normalize: []
+      original_fieldset: geo
+      short: Region ISO code.
+      type: keyword
+    destination.geo.region_name:
+      dashed_name: destination-geo-region-name
+      description: Region name.
+      example: Quebec
+      flat_name: destination.geo.region_name
+      ignore_above: 1024
+      level: core
+      name: region_name
+      normalize: []
+      original_fieldset: geo
+      short: Region name.
+      type: keyword
+    destination.ip:
+      dashed_name: destination-ip
+      description: IP address of the destination (IPv4 or IPv6).
+      flat_name: destination.ip
+      level: core
+      name: ip
+      normalize: []
+      short: IP address of the destination.
+      type: ip
+    destination.mac:
+      dashed_name: destination-mac
+      description: MAC address of the destination.
+      flat_name: destination.mac
+      ignore_above: 1024
+      level: core
+      name: mac
+      normalize: []
+      short: MAC address of the destination.
+      type: keyword
+    destination.nat.ip:
+      dashed_name: destination-nat-ip
+      description: 'Translated ip of destination based NAT sessions (e.g. internet
+        to private DMZ)
+
+        Typically used with load balancers, firewalls, or routers.'
+      flat_name: destination.nat.ip
+      level: extended
+      name: nat.ip
+      normalize: []
+      short: Destination NAT ip
+      type: ip
+    destination.nat.port:
+      dashed_name: destination-nat-port
+      description: 'Port the source session is translated to by NAT Device.
+
+        Typically used with load balancers, firewalls, or routers.'
+      flat_name: destination.nat.port
+      format: string
+      level: extended
+      name: nat.port
+      normalize: []
+      short: Destination NAT Port
+      type: long
+    destination.packets:
+      dashed_name: destination-packets
+      description: Packets sent from the destination to the source.
+      example: 12
+      flat_name: destination.packets
+      level: core
+      name: packets
+      normalize: []
+      short: Packets sent from the destination to the source.
+      type: long
+    destination.port:
+      dashed_name: destination-port
+      description: Port of the destination.
+      flat_name: destination.port
+      format: string
+      level: core
+      name: port
+      normalize: []
+      short: Port of the destination.
+      type: long
+    destination.registered_domain:
+      dashed_name: destination-registered-domain
+      description: 'The highest registered destination domain, stripped of the subdomain.
+
+        For example, the registered domain for "foo.example.com" is "example.com".
+
+        This value can be determined precisely with a list like the public suffix
+        list (http://publicsuffix.org). Trying to approximate this by simply taking
+        the last two labels will not work well for TLDs such as "co.uk".'
+      example: example.com
+      flat_name: destination.registered_domain
+      level: extended
+      name: registered_domain
+      normalize: []
+      short: The highest registered destination domain, stripped of the subdomain.
+      type: wildcard
+    destination.subdomain:
+      dashed_name: destination-subdomain
+      description: 'The subdomain portion of a fully qualified domain name includes
+        all of the names except the host name under the registered_domain.  In a partially
+        qualified domain, or if the the qualification level of the full name cannot
+        be determined, subdomain contains all of the names below the registered domain.
+
+        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.'
+      example: east
+      flat_name: destination.subdomain
+      ignore_above: 1024
+      level: extended
+      name: subdomain
+      normalize: []
+      short: The subdomain of the domain.
+      type: keyword
+    destination.top_level_domain:
+      dashed_name: destination-top-level-domain
+      description: 'The effective top level domain (eTLD), also known as the domain
+        suffix, is the last part of the domain name. For example, the top level domain
+        for example.com is "com".
+
+        This value can be determined precisely with a list like the public suffix
+        list (http://publicsuffix.org). Trying to approximate this by simply taking
+        the last label will not work well for effective TLDs such as "co.uk".'
+      example: co.uk
+      flat_name: destination.top_level_domain
+      ignore_above: 1024
+      level: extended
+      name: top_level_domain
+      normalize: []
+      short: The effective top level domain (com, org, net, co.uk).
+      type: keyword
+    destination.user.domain:
+      dashed_name: destination-user-domain
+      description: 'Name of the directory the user is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      flat_name: destination.user.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      original_fieldset: user
+      short: Name of the directory the user is a member of.
+      type: keyword
+    destination.user.email:
+      dashed_name: destination-user-email
+      description: User email address.
+      flat_name: destination.user.email
+      level: extended
+      name: email
+      normalize: []
+      original_fieldset: user
+      short: User email address.
+      type: wildcard
+    destination.user.full_name:
+      dashed_name: destination-user-full-name
+      description: User's full name, if available.
+      example: Albert Einstein
+      flat_name: destination.user.full_name
+      level: extended
+      multi_fields:
+      - flat_name: destination.user.full_name.text
+        name: text
+        norms: false
+        type: text
+      name: full_name
+      normalize: []
+      original_fieldset: user
+      short: User's full name, if available.
+      type: wildcard
+    destination.user.group.domain:
+      dashed_name: destination-user-group-domain
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      flat_name: destination.user.group.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      original_fieldset: group
+      short: Name of the directory the group is a member of.
+      type: keyword
+    destination.user.group.id:
+      dashed_name: destination-user-group-id
+      description: Unique identifier for the group on the system/platform.
+      flat_name: destination.user.group.id
+      ignore_above: 1024
+      level: extended
+      name: id
+      normalize: []
+      original_fieldset: group
+      short: Unique identifier for the group on the system/platform.
+      type: keyword
+    destination.user.group.name:
+      dashed_name: destination-user-group-name
+      description: Name of the group.
+      flat_name: destination.user.group.name
+      ignore_above: 1024
+      level: extended
+      name: name
+      normalize: []
+      original_fieldset: group
+      short: Name of the group.
+      type: keyword
+    destination.user.hash:
+      dashed_name: destination-user-hash
+      description: 'Unique user hash to correlate information for a user in anonymized
+        form.
+
+        Useful if `user.id` or `user.name` contain confidential information and cannot
+        be used.'
+      flat_name: destination.user.hash
+      ignore_above: 1024
+      level: extended
+      name: hash
+      normalize: []
+      original_fieldset: user
+      short: Unique user hash to correlate information for a user in anonymized form.
+      type: keyword
+    destination.user.id:
+      dashed_name: destination-user-id
+      description: Unique identifier of the user.
+      flat_name: destination.user.id
+      ignore_above: 1024
+      level: core
+      name: id
+      normalize: []
+      original_fieldset: user
+      short: Unique identifier of the user.
+      type: keyword
+    destination.user.name:
+      dashed_name: destination-user-name
+      description: Short name or login of the user.
+      example: albert
+      flat_name: destination.user.name
+      level: core
+      multi_fields:
+      - flat_name: destination.user.name.text
+        name: text
+        norms: false
+        type: text
+      name: name
+      normalize: []
+      original_fieldset: user
+      short: Short name or login of the user.
+      type: wildcard
+    destination.user.roles:
+      dashed_name: destination-user-roles
+      description: Array of user roles at the time of the event.
+      example: '["kibana_admin", "reporting_user"]'
+      flat_name: destination.user.roles
+      ignore_above: 1024
+      level: extended
+      name: roles
+      normalize:
+      - array
+      original_fieldset: user
+      short: Array of user roles at the time of the event.
+      type: keyword
+  group: 2
+  name: destination
+  nestings:
+  - destination.as
+  - destination.geo
+  - destination.user
+  prefix: destination.
+  reused_here:
+  - full: destination.as
+    schema_name: as
+    short: Fields describing an Autonomous System (Internet routing prefix).
+  - full: destination.geo
+    schema_name: geo
+    short: Fields describing a location.
+  - full: destination.user
+    schema_name: user
+    short: Fields to describe the user relevant to the event.
+  short: Fields about the destination side of a network connection, used with source.
+  title: Destination
+  type: group
+dll:
+  description: 'These fields contain information about code libraries dynamically
+    loaded into processes.
+
+
+    Many operating systems refer to "shared code libraries" with different names,
+    but this field set refers to all of the following:
+
+    * Dynamic-link library (`.dll`) commonly used on Windows
+
+    * Shared Object (`.so`) commonly used on Unix-like operating systems
+
+    * Dynamic library (`.dylib`) commonly used on macOS'
+  fields:
+    dll.code_signature.exists:
+      dashed_name: dll-code-signature-exists
+      description: Boolean to capture if a signature is present.
+      example: 'true'
+      flat_name: dll.code_signature.exists
+      level: core
+      name: exists
+      normalize: []
+      original_fieldset: code_signature
+      short: Boolean to capture if a signature is present.
+      type: boolean
+    dll.code_signature.status:
+      dashed_name: dll-code-signature-status
+      description: 'Additional information about the certificate status.
+
+        This is useful for logging cryptographic errors with the certificate validity
+        or trust status. Leave unpopulated if the validity or trust of the certificate
+        was unchecked.'
+      example: ERROR_UNTRUSTED_ROOT
+      flat_name: dll.code_signature.status
+      ignore_above: 1024
+      level: extended
+      name: status
+      normalize: []
+      original_fieldset: code_signature
+      short: Additional information about the certificate status.
+      type: keyword
+    dll.code_signature.subject_name:
+      dashed_name: dll-code-signature-subject-name
+      description: Subject name of the code signer
+      example: Microsoft Corporation
+      flat_name: dll.code_signature.subject_name
+      ignore_above: 1024
+      level: core
+      name: subject_name
+      normalize: []
+      original_fieldset: code_signature
+      short: Subject name of the code signer
+      type: keyword
+    dll.code_signature.trusted:
+      dashed_name: dll-code-signature-trusted
+      description: 'Stores the trust status of the certificate chain.
+
+        Validating the trust of the certificate chain may be complicated, and this
+        field should only be populated by tools that actively check the status.'
+      example: 'true'
+      flat_name: dll.code_signature.trusted
+      level: extended
+      name: trusted
+      normalize: []
+      original_fieldset: code_signature
+      short: Stores the trust status of the certificate chain.
+      type: boolean
+    dll.code_signature.valid:
+      dashed_name: dll-code-signature-valid
+      description: 'Boolean to capture if the digital signature is verified against
+        the binary content.
+
+        Leave unpopulated if a certificate was unchecked.'
+      example: 'true'
+      flat_name: dll.code_signature.valid
+      level: extended
+      name: valid
+      normalize: []
+      original_fieldset: code_signature
+      short: Boolean to capture if the digital signature is verified against the binary
+        content.
+      type: boolean
+    dll.hash.md5:
+      dashed_name: dll-hash-md5
+      description: MD5 hash.
+      flat_name: dll.hash.md5
+      ignore_above: 1024
+      level: extended
+      name: md5
+      normalize: []
+      original_fieldset: hash
+      short: MD5 hash.
+      type: keyword
+    dll.hash.sha1:
+      dashed_name: dll-hash-sha1
+      description: SHA1 hash.
+      flat_name: dll.hash.sha1
+      ignore_above: 1024
+      level: extended
+      name: sha1
+      normalize: []
+      original_fieldset: hash
+      short: SHA1 hash.
+      type: keyword
+    dll.hash.sha256:
+      dashed_name: dll-hash-sha256
+      description: SHA256 hash.
+      flat_name: dll.hash.sha256
+      ignore_above: 1024
+      level: extended
+      name: sha256
+      normalize: []
+      original_fieldset: hash
+      short: SHA256 hash.
+      type: keyword
+    dll.hash.sha512:
+      dashed_name: dll-hash-sha512
+      description: SHA512 hash.
+      flat_name: dll.hash.sha512
+      ignore_above: 1024
+      level: extended
+      name: sha512
+      normalize: []
+      original_fieldset: hash
+      short: SHA512 hash.
+      type: keyword
+    dll.name:
+      dashed_name: dll-name
+      description: 'Name of the library.
+
+        This generally maps to the name of the file on disk.'
+      example: kernel32.dll
+      flat_name: dll.name
+      ignore_above: 1024
+      level: core
+      name: name
+      normalize: []
+      short: Name of the library.
+      type: keyword
+    dll.path:
+      dashed_name: dll-path
+      description: Full file path of the library.
+      example: C:\Windows\System32\kernel32.dll
+      flat_name: dll.path
+      ignore_above: 1024
+      level: extended
+      name: path
+      normalize: []
+      short: Full file path of the library.
+      type: keyword
+    dll.pe.architecture:
+      dashed_name: dll-pe-architecture
+      description: CPU architecture target for the file.
+      example: x64
+      flat_name: dll.pe.architecture
+      ignore_above: 1024
+      level: extended
+      name: architecture
+      normalize: []
+      original_fieldset: pe
+      short: CPU architecture target for the file.
+      type: keyword
+    dll.pe.company:
+      dashed_name: dll-pe-company
+      description: Internal company name of the file, provided at compile-time.
+      example: Microsoft Corporation
+      flat_name: dll.pe.company
+      ignore_above: 1024
+      level: extended
+      name: company
+      normalize: []
+      original_fieldset: pe
+      short: Internal company name of the file, provided at compile-time.
+      type: keyword
+    dll.pe.description:
+      dashed_name: dll-pe-description
+      description: Internal description of the file, provided at compile-time.
+      example: Paint
+      flat_name: dll.pe.description
+      ignore_above: 1024
+      level: extended
+      name: description
+      normalize: []
+      original_fieldset: pe
+      short: Internal description of the file, provided at compile-time.
+      type: keyword
+    dll.pe.file_version:
+      dashed_name: dll-pe-file-version
+      description: Internal version of the file, provided at compile-time.
+      example: 6.3.9600.17415
+      flat_name: dll.pe.file_version
+      ignore_above: 1024
+      level: extended
+      name: file_version
+      normalize: []
+      original_fieldset: pe
+      short: Process name.
+      type: keyword
+    dll.pe.imphash:
+      dashed_name: dll-pe-imphash
+      description: 'A hash of the imports in a PE file. An imphash -- or import hash
+        -- can be used to fingerprint binaries even after recompilation or other code-level
+        transformations have occurred, which would change more traditional hash values.
+
+        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+      example: 0c6803c4e922103c4dca5963aad36ddf
+      flat_name: dll.pe.imphash
+      ignore_above: 1024
+      level: extended
+      name: imphash
+      normalize: []
+      original_fieldset: pe
+      short: A hash of the imports in a PE file.
+      type: keyword
+    dll.pe.original_file_name:
+      dashed_name: dll-pe-original-file-name
+      description: Internal name of the file, provided at compile-time.
+      example: MSPAINT.EXE
+      flat_name: dll.pe.original_file_name
+      level: extended
+      name: original_file_name
+      normalize: []
+      original_fieldset: pe
+      short: Internal name of the file, provided at compile-time.
+      type: wildcard
+    dll.pe.product:
+      dashed_name: dll-pe-product
+      description: Internal product name of the file, provided at compile-time.
+      example: "Microsoft\xAE Windows\xAE Operating System"
+      flat_name: dll.pe.product
+      ignore_above: 1024
+      level: extended
+      name: product
+      normalize: []
+      original_fieldset: pe
+      short: Internal product name of the file, provided at compile-time.
+      type: keyword
+  group: 2
+  name: dll
+  nestings:
+  - dll.code_signature
+  - dll.hash
+  - dll.pe
+  prefix: dll.
+  reused_here:
+  - full: dll.code_signature
+    schema_name: code_signature
+    short: These fields contain information about binary code signatures.
+  - full: dll.hash
+    schema_name: hash
+    short: Hashes, usually file hashes.
+  - full: dll.pe
+    schema_name: pe
+    short: These fields contain Windows Portable Executable (PE) metadata.
+  short: These fields contain information about code libraries dynamically loaded
+    into processes.
+  title: DLL
+  type: group
+dns:
+  description: 'Fields describing DNS queries and answers.
+
+    DNS events should either represent a single DNS query prior to getting answers
+    (`dns.type:query`) or they should represent a full exchange and contain the query
+    details as well as all of the answers that were provided for this query (`dns.type:answer`).'
+  fields:
+    dns.answers.class:
+      dashed_name: dns-answers-class
+      description: The class of DNS data contained in this resource record.
+      example: IN
+      flat_name: dns.answers.class
+      ignore_above: 1024
+      level: extended
+      name: answers.class
+      normalize: []
+      short: The class of DNS data contained in this resource record.
+      type: keyword
+    dns.answers.data:
+      dashed_name: dns-answers-data
+      description: 'The data describing the resource.
+
+        The meaning of this data depends on the type and class of the resource record.'
+      example: 10.10.10.10
+      flat_name: dns.answers.data
+      level: extended
+      name: answers.data
+      normalize: []
+      short: The data describing the resource.
+      type: wildcard
+    dns.answers.name:
+      dashed_name: dns-answers-name
+      description: 'The domain name to which this resource record pertains.
+
+        If a chain of CNAME is being resolved, each answer''s `name` should be the
+        one that corresponds with the answer''s `data`. It should not simply be the
+        original `question.name` repeated.'
+      example: www.example.com
+      flat_name: dns.answers.name
+      ignore_above: 1024
+      level: extended
+      name: answers.name
+      normalize: []
+      short: The domain name to which this resource record pertains.
+      type: keyword
+    dns.answers.ttl:
+      dashed_name: dns-answers-ttl
+      description: The time interval in seconds that this resource record may be cached
+        before it should be discarded. Zero values mean that the data should not be
+        cached.
+      example: 180
+      flat_name: dns.answers.ttl
+      level: extended
+      name: answers.ttl
+      normalize: []
+      short: The time interval in seconds that this resource record may be cached
+        before it should be discarded.
+      type: long
+    dns.answers.type:
+      dashed_name: dns-answers-type
+      description: The type of data contained in this resource record.
+      example: CNAME
+      flat_name: dns.answers.type
+      ignore_above: 1024
+      level: extended
+      name: answers.type
+      normalize: []
+      short: The type of data contained in this resource record.
+      type: keyword
+    dns.header_flags:
+      dashed_name: dns-header-flags
+      description: 'Array of 2 letter DNS header flags.
+
+        Expected values are: AA, TC, RD, RA, AD, CD, DO.'
+      example: '["RD", "RA"]'
+      flat_name: dns.header_flags
+      ignore_above: 1024
+      level: extended
+      name: header_flags
+      normalize:
+      - array
+      short: Array of DNS header flags.
+      type: keyword
+    dns.id:
+      dashed_name: dns-id
+      description: The DNS packet identifier assigned by the program that generated
+        the query. The identifier is copied to the response.
+      example: 62111
+      flat_name: dns.id
+      ignore_above: 1024
+      level: extended
+      name: id
+      normalize: []
+      short: The DNS packet identifier assigned by the program that generated the
+        query. The identifier is copied to the response.
+      type: keyword
+    dns.op_code:
+      dashed_name: dns-op-code
+      description: The DNS operation code that specifies the kind of query in the
+        message. This value is set by the originator of a query and copied into the
+        response.
+      example: QUERY
+      flat_name: dns.op_code
+      ignore_above: 1024
+      level: extended
+      name: op_code
+      normalize: []
+      short: The DNS operation code that specifies the kind of query in the message.
+      type: keyword
+    dns.question.class:
+      dashed_name: dns-question-class
+      description: The class of records being queried.
+      example: IN
+      flat_name: dns.question.class
+      ignore_above: 1024
+      level: extended
+      name: question.class
+      normalize: []
+      short: The class of records being queried.
+      type: keyword
+    dns.question.name:
+      dashed_name: dns-question-name
+      description: 'The name being queried.
+
+        If the name field contains non-printable characters (below 32 or above 126),
+        those characters should be represented as escaped base 10 integers (\DDD).
+        Back slashes and quotes should be escaped. Tabs, carriage returns, and line
+        feeds should be converted to \t, \r, and \n respectively.'
+      example: www.example.com
+      flat_name: dns.question.name
+      level: extended
+      name: question.name
+      normalize: []
+      short: The name being queried.
+      type: wildcard
+    dns.question.registered_domain:
+      dashed_name: dns-question-registered-domain
+      description: 'The highest registered domain, stripped of the subdomain.
+
+        For example, the registered domain for "foo.example.com" is "example.com".
+
+        This value can be determined precisely with a list like the public suffix
+        list (http://publicsuffix.org). Trying to approximate this by simply taking
+        the last two labels will not work well for TLDs such as "co.uk".'
+      example: example.com
+      flat_name: dns.question.registered_domain
+      ignore_above: 1024
+      level: extended
+      name: question.registered_domain
+      normalize: []
+      short: The highest registered domain, stripped of the subdomain.
+      type: keyword
+    dns.question.subdomain:
+      dashed_name: dns-question-subdomain
+      description: 'The subdomain is all of the labels under the registered_domain.
+
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.'
+      example: www
+      flat_name: dns.question.subdomain
+      ignore_above: 1024
+      level: extended
+      name: question.subdomain
+      normalize: []
+      short: The subdomain of the domain.
+      type: keyword
+    dns.question.top_level_domain:
+      dashed_name: dns-question-top-level-domain
+      description: 'The effective top level domain (eTLD), also known as the domain
+        suffix, is the last part of the domain name. For example, the top level domain
+        for example.com is "com".
+
+        This value can be determined precisely with a list like the public suffix
+        list (http://publicsuffix.org). Trying to approximate this by simply taking
+        the last label will not work well for effective TLDs such as "co.uk".'
+      example: co.uk
+      flat_name: dns.question.top_level_domain
+      ignore_above: 1024
+      level: extended
+      name: question.top_level_domain
+      normalize: []
+      short: The effective top level domain (com, org, net, co.uk).
+      type: keyword
+    dns.question.type:
+      dashed_name: dns-question-type
+      description: The type of record being queried.
+      example: AAAA
+      flat_name: dns.question.type
+      ignore_above: 1024
+      level: extended
+      name: question.type
+      normalize: []
+      short: The type of record being queried.
+      type: keyword
+    dns.resolved_ip:
+      dashed_name: dns-resolved-ip
+      description: 'Array containing all IPs seen in `answers.data`.
+
+        The `answers` array can be difficult to use, because of the variety of data
+        formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip`
+        makes it possible to index them as IP addresses, and makes them easier to
+        visualize and query for.'
+      example: '["10.10.10.10", "10.10.10.11"]'
+      flat_name: dns.resolved_ip
+      level: extended
+      name: resolved_ip
+      normalize:
+      - array
+      short: Array containing all IPs seen in answers.data
+      type: ip
+    dns.response_code:
+      dashed_name: dns-response-code
+      description: The DNS response code.
+      example: NOERROR
+      flat_name: dns.response_code
+      ignore_above: 1024
+      level: extended
+      name: response_code
+      normalize: []
+      short: The DNS response code.
+      type: keyword
+    dns.type:
+      dashed_name: dns-type
+      description: 'The type of DNS event captured, query or answer.
+
+        If your source of DNS events only gives you DNS queries, you should only create
+        dns events of type `dns.type:query`.
+
+        If your source of DNS events gives you answers as well, you should create
+        one event per query (optionally as soon as the query is seen). And a second
+        event containing all query details as well as an array of answers.'
+      example: answer
+      flat_name: dns.type
+      ignore_above: 1024
+      level: extended
+      name: type
+      normalize: []
+      short: The type of DNS event captured, query or answer.
+      type: keyword
+  group: 2
+  name: dns
+  prefix: dns.
+  short: Fields describing DNS queries and answers.
+  title: DNS
+  type: group
+ecs:
+  description: Meta-information specific to ECS.
+  fields:
+    ecs.version:
+      dashed_name: ecs-version
+      description: 'ECS version this event conforms to. `ecs.version` is a required
+        field and must exist in all events.
+
+        When querying across multiple indices -- which may conform to slightly different
+        ECS versions -- this field lets integrations adjust to the schema version
+        of the events.'
+      example: 1.0.0
+      flat_name: ecs.version
+      ignore_above: 1024
+      level: core
+      name: version
+      normalize: []
+      required: true
+      short: ECS version this event conforms to.
+      type: keyword
+  group: 2
+  name: ecs
+  prefix: ecs.
+  short: Meta-information specific to ECS.
+  title: ECS
+  type: group
+error:
+  description: 'These fields can represent errors of any kind.
+
+    Use them for errors that happen while fetching events or in cases where the event
+    itself contains an error.'
+  fields:
+    error.code:
+      dashed_name: error-code
+      description: Error code describing the error.
+      flat_name: error.code
+      ignore_above: 1024
+      level: core
+      name: code
+      normalize: []
+      short: Error code describing the error.
+      type: keyword
+    error.id:
+      dashed_name: error-id
+      description: Unique identifier for the error.
+      flat_name: error.id
+      ignore_above: 1024
+      level: core
+      name: id
+      normalize: []
+      short: Unique identifier for the error.
+      type: keyword
+    error.message:
+      dashed_name: error-message
+      description: Error message.
+      flat_name: error.message
+      level: core
+      name: message
+      normalize: []
+      norms: false
+      short: Error message.
+      type: text
+    error.stack_trace:
+      dashed_name: error-stack-trace
+      description: The stack trace of this error in plain text.
+      flat_name: error.stack_trace
+      index: true
+      level: extended
+      multi_fields:
+      - flat_name: error.stack_trace.text
+        name: text
+        norms: false
+        type: text
+      name: stack_trace
+      normalize: []
+      short: The stack trace of this error in plain text.
+      type: wildcard
+    error.type:
+      dashed_name: error-type
+      description: The type of the error, for example the class name of the exception.
+      example: java.lang.NullPointerException
+      flat_name: error.type
+      level: extended
+      name: type
+      normalize: []
+      short: The type of the error, for example the class name of the exception.
+      type: wildcard
+  group: 2
+  name: error
+  prefix: error.
+  short: Fields about errors of any kind.
+  title: Error
+  type: group
+event:
+  description: 'The event fields are used for context information about the log or
+    metric event itself.
+
+    A log is defined as an event containing details of something that happened. Log
+    events must include the time at which the thing happened. Examples of log events
+    include a process starting on a host, a network packet being sent from a source
+    to a destination, or a network connection between a client and a server being
+    initiated or closed. A metric is defined as an event containing one or more numerical
+    measurements and the time at which the measurement was taken. Examples of metric
+    events include memory pressure measured on a host and device temperature. See
+    the `event.kind` definition in this section for additional details about metric
+    and state events.'
+  fields:
+    event.action:
+      dashed_name: event-action
+      description: 'The action captured by the event.
+
+        This describes the information in the event. It is more specific than `event.category`.
+        Examples are `group-add`, `process-started`, `file-created`. The value is
+        normally defined by the implementer.'
+      example: user-password-change
+      flat_name: event.action
+      ignore_above: 1024
+      level: core
+      name: action
+      normalize: []
+      short: The action captured by the event.
+      type: keyword
+    event.category:
+      allowed_values:
+      - description: Events in this category are related to the challenge and response
+          process in which credentials are supplied and verified to allow the creation
+          of a session. Common sources for these logs are Windows event logs and ssh
+          logs. Visualize and analyze events in this category to look for failed logins,
+          and other authentication-related activity.
+        expected_event_types:
+        - start
+        - end
+        - info
+        name: authentication
+      - description: 'Events in the configuration category have to deal with creating,
+          modifying, or deleting the settings or parameters of an application, process,
+          or system.
+
+          Example sources include security policy change logs, configuration auditing
+          logging, and system integrity monitoring.'
+        expected_event_types:
+        - access
+        - change
+        - creation
+        - deletion
+        - info
+        name: configuration
+      - description: The database category denotes events and metrics relating to
+          a data storage and retrieval system. Note that use of this category is not
+          limited to relational database systems. Examples include event logs from
+          MS SQL, MySQL, Elasticsearch, MongoDB, etc. Use this category to visualize
+          and analyze database activity such as accesses and changes.
+        expected_event_types:
+        - access
+        - change
+        - info
+        - error
+        name: database
+      - description: 'Events in the driver category have to do with operating system
+          device drivers and similar software entities such as Windows drivers, kernel
+          extensions, kernel modules, etc.
+
+          Use events and metrics in this category to visualize and analyze driver-related
+          activity and status on hosts.'
+        expected_event_types:
+        - change
+        - end
+        - info
+        - start
+        name: driver
+      - description: Relating to a set of information that has been created on, or
+          has existed on a filesystem. Use this category of events to visualize and
+          analyze the creation, access, and deletions of files. Events in this category
+          can come from both host-based and network-based sources. An example source
+          of a network-based detection of a file transfer would be the Zeek file.log.
+        expected_event_types:
+        - change
+        - creation
+        - deletion
+        - info
+        name: file
+      - description: 'Use this category to visualize and analyze information such
+          as host inventory or host lifecycle events.
+
+          Most of the events in this category can usually be observed from the outside,
+          such as from a hypervisor or a control plane''s point of view. Some can
+          also be seen from within, such as "start" or "end".
+
+          Note that this category is for information about hosts themselves; it is
+          not meant to capture activity "happening on a host".'
+        expected_event_types:
+        - access
+        - change
+        - end
+        - info
+        - start
+        name: host
+      - description: Identity and access management (IAM) events relating to users,
+          groups, and administration. Use this category to visualize and analyze IAM-related
+          logs and data from active directory, LDAP, Okta, Duo, and other IAM systems.
+        expected_event_types:
+        - admin
+        - change
+        - creation
+        - deletion
+        - group
+        - info
+        - user
+        name: iam
+      - description: Relating to intrusion detections from IDS/IPS systems and functions,
+          both network and host-based. Use this category to visualize and analyze
+          intrusion detection alerts from systems such as Snort, Suricata, and Palo
+          Alto threat detections.
+        expected_event_types:
+        - allowed
+        - denied
+        - info
+        name: intrusion_detection
+      - description: Malware detection events and alerts. Use this category to visualize
+          and analyze malware detections from EDR/EPP systems such as Elastic Endpoint
+          Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS
+          systems such as Suricata, or other sources of malware-related events such
+          as Palo Alto Networks threat logs and Wildfire logs.
+        expected_event_types:
+        - info
+        name: malware
+      - description: Relating to all network activity, including network connection
+          lifecycle, network traffic, and essentially any event that includes an IP
+          address. Many events containing decoded network protocol transactions fit
+          into this category. Use events in this category to visualize or analyze
+          counts of network ports, protocols, addresses, geolocation information,
+          etc.
+        expected_event_types:
+        - access
+        - allowed
+        - connection
+        - denied
+        - end
+        - info
+        - protocol
+        - start
+        name: network
+      - description: Relating to software packages installed on hosts. Use this category
+          to visualize and analyze inventory of software installed on various hosts,
+          or to determine host vulnerability in the absence of vulnerability scan
+          data.
+        expected_event_types:
+        - access
+        - change
+        - deletion
+        - info
+        - installation
+        - start
+        name: package
+      - description: Use this category of events to visualize and analyze process-specific
+          information such as lifecycle events or process ancestry.
+        expected_event_types:
+        - access
+        - change
+        - end
+        - info
+        - start
+        name: process
+      - description: 'Relating to web server access. Use this category to create a
+          dashboard of web server/proxy activity from apache, IIS, nginx web servers,
+          etc. Note: events from network observers such as Zeek http log may also
+          be included in this category.'
+        expected_event_types:
+        - access
+        - error
+        - info
+        name: web
+      dashed_name: event-category
+      description: 'This is one of four ECS Categorization Fields, and indicates the
+        second level in the ECS category hierarchy.
+
+        `event.category` represents the "big buckets" of ECS categories. For example,
+        filtering on `event.category:process` yields all events relating to process
+        activity. This field is closely related to `event.type`, which is used as
+        a subcategory.
+
+        This field is an array. This will allow proper categorization of some events
+        that fall in multiple categories.'
+      example: authentication
+      flat_name: event.category
+      ignore_above: 1024
+      level: core
+      name: category
+      normalize:
+      - array
+      short: Event category. The second categorization field in the hierarchy.
+      type: keyword
+    event.code:
+      dashed_name: event-code
+      description: 'Identification code for this event, if one exists.
+
+        Some event sources use event codes to identify messages unambiguously, regardless
+        of message language or wording adjustments over time. An example of this is
+        the Windows Event ID.'
+      example: 4648
+      flat_name: event.code
+      ignore_above: 1024
+      level: extended
+      name: code
+      normalize: []
+      short: Identification code for this event.
+      type: keyword
+    event.created:
+      dashed_name: event-created
+      description: 'event.created contains the date/time when the event was first
+        read by an agent, or by your pipeline.
+
+        This field is distinct from @timestamp in that @timestamp typically contain
+        the time extracted from the original event.
+
+        In most situations, these two timestamps will be slightly different. The difference
+        can be used to calculate the delay between your source generating an event,
+        and the time when your agent first processed it. This can be used to monitor
+        your agent''s or pipeline''s ability to keep up with your event source.
+
+        In case the two timestamps are identical, @timestamp should be used.'
+      example: '2016-05-23T08:05:34.857Z'
+      flat_name: event.created
+      level: core
+      name: created
+      normalize: []
+      short: Time when the event was first read by an agent or by your pipeline.
+      type: date
+    event.dataset:
+      dashed_name: event-dataset
+      description: 'Name of the dataset.
+
+        If an event source publishes more than one type of log or events (e.g. access
+        log, error log), the dataset is used to specify which one the event comes
+        from.
+
+        It''s recommended but not required to start the dataset name with the module
+        name, followed by a dot, then the dataset name.'
+      example: apache.access
+      flat_name: event.dataset
+      ignore_above: 1024
+      level: core
+      name: dataset
+      normalize: []
+      short: Name of the dataset.
+      type: keyword
+    event.duration:
+      dashed_name: event-duration
+      description: 'Duration of the event in nanoseconds.
+
+        If event.start and event.end are known this value should be the difference
+        between the end and start time.'
+      flat_name: event.duration
+      format: duration
+      input_format: nanoseconds
+      level: core
+      name: duration
+      normalize: []
+      output_format: asMilliseconds
+      output_precision: 1
+      short: Duration of the event in nanoseconds.
+      type: long
+    event.end:
+      dashed_name: event-end
+      description: event.end contains the date when the event ended or when the activity
+        was last observed.
+      flat_name: event.end
+      level: extended
+      name: end
+      normalize: []
+      short: event.end contains the date when the event ended or when the activity
+        was last observed.
+      type: date
+    event.hash:
+      dashed_name: event-hash
+      description: Hash (perhaps logstash fingerprint) of raw field to be able to
+        demonstrate log integrity.
+      example: 123456789012345678901234567890ABCD
+      flat_name: event.hash
+      ignore_above: 1024
+      level: extended
+      name: hash
+      normalize: []
+      short: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate
+        log integrity.
+      type: keyword
+    event.id:
+      dashed_name: event-id
+      description: Unique ID to describe the event.
+      example: 8a4f500d
+      flat_name: event.id
+      ignore_above: 1024
+      level: core
+      name: id
+      normalize: []
+      short: Unique ID to describe the event.
+      type: keyword
+    event.ingested:
+      dashed_name: event-ingested
+      description: 'Timestamp when an event arrived in the central data store.
+
+        This is different from `@timestamp`, which is when the event originally occurred.  It''s
+        also different from `event.created`, which is meant to capture the first time
+        an agent saw the event.
+
+        In normal conditions, assuming no tampering, the timestamps should chronologically
+        look like this: `@timestamp` < `event.created` < `event.ingested`.'
+      example: '2016-05-23T08:05:35.101Z'
+      flat_name: event.ingested
+      level: core
+      name: ingested
+      normalize: []
+      short: Timestamp when an event arrived in the central data store.
+      type: date
+    event.kind:
+      allowed_values:
+      - description: 'This value indicates an event that describes an alert or notable
+          event, triggered by a detection rule.
+
+          `event.kind:alert` is often populated for events coming from firewalls,
+          intrusion detection systems, endpoint detection and response systems, and
+          so on.'
+        name: alert
+      - description: This value is the most general and most common value for this
+          field. It is used to represent events that indicate that something happened.
+        name: event
+      - description: 'This value is used to indicate that this event describes a numeric
+          measurement taken at given point in time.
+
+          Examples include CPU utilization, memory usage, or device temperature.
+
+          Metric events are often collected on a predictable frequency, such as once
+          every few seconds, or once a minute, but can also be used to describe ad-hoc
+          numeric metric queries.'
+        name: metric
+      - description: 'The state value is similar to metric, indicating that this event
+          describes a measurement taken at given point in time, except that the measurement
+          does not result in a numeric value, but rather one of a fixed set of categorical
+          values that represent conditions or states.
+
+          Examples include periodic events reporting Elasticsearch cluster state (green/yellow/red),
+          the state of a TCP connection (open, closed, fin_wait, etc.), the state
+          of a host with respect to a software vulnerability (vulnerable, not vulnerable),
+          and the state of a system regarding compliance with a regulatory standard
+          (compliant, not compliant).
+
+          Note that an event that describes a change of state would not use `event.kind:state`,
+          but instead would use ''event.kind:event'' since a state change fits the
+          more general event definition of something that happened.
+
+          State events are often collected on a predictable frequency, such as once
+          every few seconds, once a minute, once an hour, or once a day, but can also
+          be used to describe ad-hoc state queries.'
+        name: state
+      - description: This value indicates that an error occurred during the ingestion
+          of this event, and that event data may be missing, inconsistent, or incorrect.
+          `event.kind:pipeline_error` is often associated with parsing errors.
+        name: pipeline_error
+      - description: 'This value is used by the Elastic SIEM app to denote an Elasticsearch
+          document that was created by a SIEM detection engine rule.
+
+          A signal will typically trigger a notification that something meaningful
+          happened and should be investigated.
+
+          Usage of this value is reserved, and pipelines should not populate `event.kind`
+          with the value "signal".'
+        name: signal
+      dashed_name: event-kind
+      description: 'This is one of four ECS Categorization Fields, and indicates the
+        highest level in the ECS category hierarchy.
+
+        `event.kind` gives high-level information about what type of information the
+        event contains, without being specific to the contents of the event. For example,
+        values of this field distinguish alert events from metric events.
+
+        The value of this field can be used to inform how these kinds of events should
+        be handled. They may warrant different retention, different access control,
+        it may also help understand whether the data coming in at a regular interval
+        or not.'
+      example: alert
+      flat_name: event.kind
+      ignore_above: 1024
+      level: core
+      name: kind
+      normalize: []
+      short: The kind of the event. The highest categorization field in the hierarchy.
+      type: keyword
+    event.module:
+      dashed_name: event-module
+      description: 'Name of the module this data is coming from.
+
+        If your monitoring agent supports the concept of modules or plugins to process
+        events of a given source (e.g. Apache logs), `event.module` should contain
+        the name of this module.'
+      example: apache
+      flat_name: event.module
+      ignore_above: 1024
+      level: core
+      name: module
+      normalize: []
+      short: Name of the module this data is coming from.
+      type: keyword
+    event.original:
+      dashed_name: event-original
+      description: 'Raw text message of entire event. Used to demonstrate log integrity.
+
+        This field is not indexed and doc_values are disabled. It cannot be searched,
+        but it can be retrieved from `_source`.'
+      doc_values: false
+      example: Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124;
+        worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232
+      flat_name: event.original
+      index: false
+      level: core
+      name: original
+      normalize: []
+      short: Raw text message of entire event.
+      type: wildcard
+    event.outcome:
+      allowed_values:
+      - description: Indicates that this event describes a failed result. A common
+          example is `event.category:file AND event.type:access AND event.outcome:failure`
+          to indicate that a file access was attempted, but was not successful.
+        name: failure
+      - description: Indicates that this event describes a successful result. A common
+          example is `event.category:file AND event.type:create AND event.outcome:success`
+          to indicate that a file was successfully created.
+        name: success
+      - description: Indicates that this event describes only an attempt for which
+          the result is unknown from the perspective of the event producer. For example,
+          if the event contains information only about the request side of a transaction
+          that results in a response, populating `event.outcome:unknown` in the request
+          event is appropriate. The unknown value should not be used when an outcome
+          doesn't make logical sense for the event. In such cases `event.outcome`
+          should not be populated.
+        name: unknown
+      dashed_name: event-outcome
+      description: 'This is one of four ECS Categorization Fields, and indicates the
+        lowest level in the ECS category hierarchy.
+
+        `event.outcome` simply denotes whether the event represents a success or a
+        failure from the perspective of the entity that produced the event.
+
+        Note that when a single transaction is described in multiple events, each
+        event may populate different values of `event.outcome`, according to their
+        perspective.
+
+        Also note that in the case of a compound event (a single event that contains
+        multiple logical events), this field should be populated with the value that
+        best captures the overall success or failure from the perspective of the event
+        producer.
+
+        Further note that not all events will have an associated outcome. For example,
+        this field is generally not populated for metric events, events with `event.type:info`,
+        or any events for which an outcome does not make logical sense.'
+      example: success
+      flat_name: event.outcome
+      ignore_above: 1024
+      level: core
+      name: outcome
+      normalize: []
+      short: The outcome of the event. The lowest level categorization field in the
+        hierarchy.
+      type: keyword
+    event.provider:
+      dashed_name: event-provider
+      description: 'Source of the event.
+
+        Event transports such as Syslog or the Windows Event Log typically mention
+        the source of an event. It can be the name of the software that generated
+        the event (e.g. Sysmon, httpd), or of a subsystem of the operating system
+        (kernel, Microsoft-Windows-Security-Auditing).'
+      example: kernel
+      flat_name: event.provider
+      ignore_above: 1024
+      level: extended
+      name: provider
+      normalize: []
+      short: Source of the event.
+      type: keyword
+    event.reason:
+      dashed_name: event-reason
+      description: 'Reason why this event happened, according to the source.
+
+        This describes the why of a particular action or outcome captured in the event.
+        Where `event.action` captures the action from the event, `event.reason` describes
+        why that action was taken. For example, a web proxy with an `event.action`
+        which denied the request may also populate `event.reason` with the reason
+        why (e.g. `blocked site`).'
+      example: Terminated an unexpected process
+      flat_name: event.reason
+      ignore_above: 1024
+      level: extended
+      name: reason
+      normalize: []
+      short: Reason why this event happened, according to the source
+      type: keyword
+    event.reference:
+      dashed_name: event-reference
+      description: 'Reference URL linking to additional information about this event.
+
+        This URL links to a static definition of the this event. Alert events, indicated
+        by `event.kind:alert`, are a common use case for this field.'
+      example: https://system.example.com/event/#0001234
+      flat_name: event.reference
+      ignore_above: 1024
+      level: extended
+      name: reference
+      normalize: []
+      short: Event reference URL
+      type: keyword
+    event.risk_score:
+      dashed_name: event-risk-score
+      description: Risk score or priority of the event (e.g. security solutions).
+        Use your system's original value here.
+      flat_name: event.risk_score
+      level: core
+      name: risk_score
+      normalize: []
+      short: Risk score or priority of the event (e.g. security solutions). Use your
+        system's original value here.
+      type: float
+    event.risk_score_norm:
+      dashed_name: event-risk-score-norm
+      description: 'Normalized risk score or priority of the event, on a scale of
+        0 to 100.
+
+        This is mainly useful if you use more than one system that assigns risk scores,
+        and you want to see a normalized value across all systems.'
+      flat_name: event.risk_score_norm
+      level: extended
+      name: risk_score_norm
+      normalize: []
+      short: Normalized risk score or priority of the event (0-100).
+      type: float
+    event.sequence:
+      dashed_name: event-sequence
+      description: 'Sequence number of the event.
+
+        The sequence number is a value published by some event sources, to make the
+        exact ordering of events unambiguous, regardless of the timestamp precision.'
+      flat_name: event.sequence
+      format: string
+      level: extended
+      name: sequence
+      normalize: []
+      short: Sequence number of the event.
+      type: long
+    event.severity:
+      dashed_name: event-severity
+      description: 'The numeric severity of the event according to your event source.
+
+        What the different severity values mean can be different between sources and
+        use cases. It''s up to the implementer to make sure severities are consistent
+        across events from the same source.
+
+        The Syslog severity belongs in `log.syslog.severity.code`. `event.severity`
+        is meant to represent the severity according to the event source (e.g. firewall,
+        IDS). If the event source does not publish its own severity, you may optionally
+        copy the `log.syslog.severity.code` to `event.severity`.'
+      example: 7
+      flat_name: event.severity
+      format: string
+      level: core
+      name: severity
+      normalize: []
+      short: Numeric severity of the event.
+      type: long
+    event.start:
+      dashed_name: event-start
+      description: event.start contains the date when the event started or when the
+        activity was first observed.
+      flat_name: event.start
+      level: extended
+      name: start
+      normalize: []
+      short: event.start contains the date when the event started or when the activity
+        was first observed.
+      type: date
+    event.timezone:
+      dashed_name: event-timezone
+      description: 'This field should be populated when the event''s timestamp does
+        not include timezone information already (e.g. default Syslog timestamps).
+        It''s optional otherwise.
+
+        Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"),
+        abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").'
+      flat_name: event.timezone
+      ignore_above: 1024
+      level: extended
+      name: timezone
+      normalize: []
+      short: Event time zone.
+      type: keyword
+    event.type:
+      allowed_values:
+      - description: The access event type is used for the subset of events within
+          a category that indicate that something was accessed. Common examples include
+          `event.category:database AND event.type:access`, or `event.category:file
+          AND event.type:access`. Note for file access, both directory listings and
+          file opens should be included in this subcategory. You can further distinguish
+          access operations using the ECS `event.action` field.
+        name: access
+      - description: 'The admin event type is used for the subset of events within
+          a category that are related to admin objects. For example, administrative
+          changes within an IAM framework that do not specifically affect a user or
+          group (e.g., adding new applications to a federation solution or connecting
+          discrete forests in Active Directory) would fall into this subcategory.
+          Common example: `event.category:iam AND event.type:change AND event.type:admin`.
+          You can further distinguish admin operations using the ECS `event.action`
+          field.'
+        name: admin
+      - description: The allowed event type is used for the subset of events within
+          a category that indicate that something was allowed. Common examples include
+          `event.category:network AND event.type:connection AND event.type:allowed`
+          (to indicate a network firewall event for which the firewall disposition
+          was to allow the connection to complete) and `event.category:intrusion_detection
+          AND event.type:allowed` (to indicate a network intrusion prevention system
+          event for which the IPS disposition was to allow the connection to complete).
+          You can further distinguish allowed operations using the ECS `event.action`
+          field, populating with values of your choosing, such as "allow", "detect",
+          or "pass".
+        name: allowed
+      - description: The change event type is used for the subset of events within
+          a category that indicate that something has changed. If semantics best describe
+          an event as modified, then include them in this subcategory. Common examples
+          include `event.category:process AND event.type:change`, and `event.category:file
+          AND event.type:change`. You can further distinguish change operations using
+          the ECS `event.action` field.
+        name: change
+      - description: Used primarily with `event.category:network` this value is used
+          for the subset of network traffic that includes sufficient information for
+          the event to be included in flow or connection analysis. Events in this
+          subcategory will contain at least source and destination IP addresses, source
+          and destination TCP/UDP ports, and will usually contain counts of bytes
+          and/or packets transferred. Events in this subcategory may contain unidirectional
+          or bidirectional information, including summary information. Use this subcategory
+          to visualize and analyze network connections. Flow analysis, including Netflow,
+          IPFIX, and other flow-related events fit in this subcategory. Note that
+          firewall events from many Next-Generation Firewall (NGFW) devices will also
+          fit into this subcategory.  A common filter for flow/connection information
+          would be `event.category:network AND event.type:connection AND event.type:end`
+          (to view or analyze all completed network connections, ignoring mid-flow
+          reports). You can further distinguish connection events using the ECS `event.action`
+          field, populating with values of your choosing, such as "timeout", or "reset".
+        name: connection
+      - description: The "creation" event type is used for the subset of events within
+          a category that indicate that something was created. A common example is
+          `event.category:file AND event.type:creation`.
+        name: creation
+      - description: The deletion event type is used for the subset of events within
+          a category that indicate that something was deleted. A common example is
+          `event.category:file AND event.type:deletion` to indicate that a file has
+          been deleted.
+        name: deletion
+      - description: The denied event type is used for the subset of events within
+          a category that indicate that something was denied. Common examples include
+          `event.category:network AND event.type:denied` (to indicate a network firewall
+          event for which the firewall disposition was to deny the connection) and
+          `event.category:intrusion_detection AND event.type:denied` (to indicate
+          a network intrusion prevention system event for which the IPS disposition
+          was to deny the connection to complete). You can further distinguish denied
+          operations using the ECS `event.action` field, populating with values of
+          your choosing, such as "blocked", "dropped", or "quarantined".
+        name: denied
+      - description: The end event type is used for the subset of events within a
+          category that indicate something has ended. A common example is `event.category:process
+          AND event.type:end`.
+        name: end
+      - description: The error event type is used for the subset of events within
+          a category that indicate or describe an error. A common example is `event.category:database
+          AND event.type:error`. Note that pipeline errors that occur during the event
+          ingestion process should not use this `event.type` value. Instead, they
+          should use `event.kind:pipeline_error`.
+        name: error
+      - description: 'The group event type is used for the subset of events within
+          a category that are related to group objects. Common example: `event.category:iam
+          AND event.type:creation AND event.type:group`. You can further distinguish
+          group operations using the ECS `event.action` field.'
+        name: group
+      - description: The info event type is used for the subset of events within a
+          category that indicate that they are purely informational, and don't report
+          a state change, or any type of action. For example, an initial run of a
+          file integrity monitoring system (FIM), where an agent reports all files
+          under management, would fall into the "info" subcategory. Similarly, an
+          event containing a dump of all currently running processes (as opposed to
+          reporting that a process started/ended) would fall into the "info" subcategory.
+          An additional common examples is `event.category:intrusion_detection AND
+          event.type:info`.
+        name: info
+      - description: The installation event type is used for the subset of events
+          within a category that indicate that something was installed. A common example
+          is `event.category:package` AND `event.type:installation`.
+        name: installation
+      - description: The protocol event type is used for the subset of events within
+          a category that indicate that they contain protocol details or analysis,
+          beyond simply identifying the protocol. Generally, network events that contain
+          specific protocol details will fall into this subcategory. A common example
+          is `event.category:network AND event.type:protocol AND event.type:connection
+          AND event.type:end` (to indicate that the event is a network connection
+          event sent at the end of a connection that also includes a protocol detail
+          breakdown). Note that events that only indicate the name or id of the protocol
+          should not use the protocol value. Further note that when the protocol subcategory
+          is used, the identified protocol is populated in the ECS `network.protocol`
+          field.
+        name: protocol
+      - description: The start event type is used for the subset of events within
+          a category that indicate something has started. A common example is `event.category:process
+          AND event.type:start`.
+        name: start
+      - description: 'The user event type is used for the subset of events within
+          a category that are related to user objects. Common example: `event.category:iam
+          AND event.type:deletion AND event.type:user`. You can further distinguish
+          user operations using the ECS `event.action` field.'
+        name: user
+      dashed_name: event-type
+      description: 'This is one of four ECS Categorization Fields, and indicates the
+        third level in the ECS category hierarchy.
+
+        `event.type` represents a categorization "sub-bucket" that, when used along
+        with the `event.category` field values, enables filtering events down to a
+        level appropriate for single visualization.
+
+        This field is an array. This will allow proper categorization of some events
+        that fall in multiple event types.'
+      flat_name: event.type
+      ignore_above: 1024
+      level: core
+      name: type
+      normalize:
+      - array
+      short: Event type. The third categorization field in the hierarchy.
+      type: keyword
+    event.url:
+      dashed_name: event-url
+      description: 'URL linking to an external system to continue investigation of
+        this event.
+
+        This URL links to another system where in-depth investigation of the specific
+        occurrence of this event can take place. Alert events, indicated by `event.kind:alert`,
+        are a common use case for this field.'
+      example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe
+      flat_name: event.url
+      ignore_above: 1024
+      level: extended
+      name: url
+      normalize: []
+      short: Event investigation URL
+      type: keyword
+  group: 2
+  name: event
+  prefix: event.
+  short: Fields breaking down the event details.
+  title: Event
+  type: group
+file:
+  description: 'A file is defined as a set of information that has been created on,
+    or has existed on a filesystem.
+
+    File objects can be associated with host events, network events, and/or file events
+    (e.g., those produced by File Integrity Monitoring [FIM] products or services).
+    File fields provide details about the affected file associated with the event
+    or metric.'
+  fields:
+    file.accessed:
+      dashed_name: file-accessed
+      description: 'Last time the file was accessed.
+
+        Note that not all filesystems keep track of access time.'
+      flat_name: file.accessed
+      level: extended
+      name: accessed
+      normalize: []
+      short: Last time the file was accessed.
+      type: date
+    file.attributes:
+      dashed_name: file-attributes
+      description: 'Array of file attributes.
+
+        Attributes names will vary by platform. Here''s a non-exhaustive list of values
+        that are expected in this field: archive, compressed, directory, encrypted,
+        execute, hidden, read, readonly, system, write.'
+      example: '["readonly", "system"]'
+      flat_name: file.attributes
+      ignore_above: 1024
+      level: extended
+      name: attributes
+      normalize:
+      - array
+      short: Array of file attributes.
+      type: keyword
+    file.code_signature.exists:
+      dashed_name: file-code-signature-exists
+      description: Boolean to capture if a signature is present.
+      example: 'true'
+      flat_name: file.code_signature.exists
+      level: core
+      name: exists
+      normalize: []
+      original_fieldset: code_signature
+      short: Boolean to capture if a signature is present.
+      type: boolean
+    file.code_signature.status:
+      dashed_name: file-code-signature-status
+      description: 'Additional information about the certificate status.
+
+        This is useful for logging cryptographic errors with the certificate validity
+        or trust status. Leave unpopulated if the validity or trust of the certificate
+        was unchecked.'
+      example: ERROR_UNTRUSTED_ROOT
+      flat_name: file.code_signature.status
+      ignore_above: 1024
+      level: extended
+      name: status
+      normalize: []
+      original_fieldset: code_signature
+      short: Additional information about the certificate status.
+      type: keyword
+    file.code_signature.subject_name:
+      dashed_name: file-code-signature-subject-name
+      description: Subject name of the code signer
+      example: Microsoft Corporation
+      flat_name: file.code_signature.subject_name
+      ignore_above: 1024
+      level: core
+      name: subject_name
+      normalize: []
+      original_fieldset: code_signature
+      short: Subject name of the code signer
+      type: keyword
+    file.code_signature.trusted:
+      dashed_name: file-code-signature-trusted
+      description: 'Stores the trust status of the certificate chain.
+
+        Validating the trust of the certificate chain may be complicated, and this
+        field should only be populated by tools that actively check the status.'
+      example: 'true'
+      flat_name: file.code_signature.trusted
+      level: extended
+      name: trusted
+      normalize: []
+      original_fieldset: code_signature
+      short: Stores the trust status of the certificate chain.
+      type: boolean
+    file.code_signature.valid:
+      dashed_name: file-code-signature-valid
+      description: 'Boolean to capture if the digital signature is verified against
+        the binary content.
+
+        Leave unpopulated if a certificate was unchecked.'
+      example: 'true'
+      flat_name: file.code_signature.valid
+      level: extended
+      name: valid
+      normalize: []
+      original_fieldset: code_signature
+      short: Boolean to capture if the digital signature is verified against the binary
+        content.
+      type: boolean
+    file.created:
+      dashed_name: file-created
+      description: 'File creation time.
+
+        Note that not all filesystems store the creation time.'
+      flat_name: file.created
+      level: extended
+      name: created
+      normalize: []
+      short: File creation time.
+      type: date
+    file.ctime:
+      dashed_name: file-ctime
+      description: 'Last time the file attributes or metadata changed.
+
+        Note that changes to the file content will update `mtime`. This implies `ctime`
+        will be adjusted at the same time, since `mtime` is an attribute of the file.'
+      flat_name: file.ctime
+      level: extended
+      name: ctime
+      normalize: []
+      short: Last time the file attributes or metadata changed.
+      type: date
+    file.device:
+      dashed_name: file-device
+      description: Device that is the source of the file.
+      example: sda
+      flat_name: file.device
+      ignore_above: 1024
+      level: extended
+      name: device
+      normalize: []
+      short: Device that is the source of the file.
+      type: keyword
+    file.directory:
+      dashed_name: file-directory
+      description: Directory where the file is located. It should include the drive
+        letter, when appropriate.
+      example: /home/alice
+      flat_name: file.directory
+      level: extended
+      name: directory
+      normalize: []
+      short: Directory where the file is located.
+      type: wildcard
+    file.drive_letter:
+      dashed_name: file-drive-letter
+      description: 'Drive letter where the file is located. This field is only relevant
+        on Windows.
+
+        The value should be uppercase, and not include the colon.'
+      example: C
+      flat_name: file.drive_letter
+      ignore_above: 1
+      level: extended
+      name: drive_letter
+      normalize: []
+      short: Drive letter where the file is located.
+      type: keyword
+    file.extension:
+      dashed_name: file-extension
+      description: File extension.
+      example: png
+      flat_name: file.extension
+      ignore_above: 1024
+      level: extended
+      name: extension
+      normalize: []
+      short: File extension.
+      type: keyword
+    file.gid:
+      dashed_name: file-gid
+      description: Primary group ID (GID) of the file.
+      example: '1001'
+      flat_name: file.gid
+      ignore_above: 1024
+      level: extended
+      name: gid
+      normalize: []
+      short: Primary group ID (GID) of the file.
+      type: keyword
+    file.group:
+      dashed_name: file-group
+      description: Primary group name of the file.
+      example: alice
+      flat_name: file.group
+      ignore_above: 1024
+      level: extended
+      name: group
+      normalize: []
+      short: Primary group name of the file.
+      type: keyword
+    file.hash.md5:
+      dashed_name: file-hash-md5
+      description: MD5 hash.
+      flat_name: file.hash.md5
+      ignore_above: 1024
+      level: extended
+      name: md5
+      normalize: []
+      original_fieldset: hash
+      short: MD5 hash.
+      type: keyword
+    file.hash.sha1:
+      dashed_name: file-hash-sha1
+      description: SHA1 hash.
+      flat_name: file.hash.sha1
+      ignore_above: 1024
+      level: extended
+      name: sha1
+      normalize: []
+      original_fieldset: hash
+      short: SHA1 hash.
+      type: keyword
+    file.hash.sha256:
+      dashed_name: file-hash-sha256
+      description: SHA256 hash.
+      flat_name: file.hash.sha256
+      ignore_above: 1024
+      level: extended
+      name: sha256
+      normalize: []
+      original_fieldset: hash
+      short: SHA256 hash.
+      type: keyword
+    file.hash.sha512:
+      dashed_name: file-hash-sha512
+      description: SHA512 hash.
+      flat_name: file.hash.sha512
+      ignore_above: 1024
+      level: extended
+      name: sha512
+      normalize: []
+      original_fieldset: hash
+      short: SHA512 hash.
+      type: keyword
+    file.inode:
+      dashed_name: file-inode
+      description: Inode representing the file in the filesystem.
+      example: '256383'
+      flat_name: file.inode
+      ignore_above: 1024
+      level: extended
+      name: inode
+      normalize: []
+      short: Inode representing the file in the filesystem.
+      type: keyword
+    file.mime_type:
+      dashed_name: file-mime-type
+      description: MIME type should identify the format of the file or stream of bytes
+        using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA
+        official types], where possible. When more than one type is applicable, the
+        most specific type should be used.
+      flat_name: file.mime_type
+      ignore_above: 1024
+      level: extended
+      name: mime_type
+      normalize: []
+      short: Media type of file, document, or arrangement of bytes.
+      type: keyword
+    file.mode:
+      dashed_name: file-mode
+      description: Mode of the file in octal representation.
+      example: '0640'
+      flat_name: file.mode
+      ignore_above: 1024
+      level: extended
+      name: mode
+      normalize: []
+      short: Mode of the file in octal representation.
+      type: keyword
+    file.mtime:
+      dashed_name: file-mtime
+      description: Last time the file content was modified.
+      flat_name: file.mtime
+      level: extended
+      name: mtime
+      normalize: []
+      short: Last time the file content was modified.
+      type: date
+    file.name:
+      dashed_name: file-name
+      description: Name of the file including the extension, without the directory.
+      example: example.png
+      flat_name: file.name
+      ignore_above: 1024
+      level: extended
+      name: name
+      normalize: []
+      short: Name of the file including the extension, without the directory.
+      type: keyword
+    file.owner:
+      dashed_name: file-owner
+      description: File owner's username.
+      example: alice
+      flat_name: file.owner
+      ignore_above: 1024
+      level: extended
+      name: owner
+      normalize: []
+      short: File owner's username.
+      type: keyword
+    file.path:
+      dashed_name: file-path
+      description: Full path to the file, including the file name. It should include
+        the drive letter, when appropriate.
+      example: /home/alice/example.png
+      flat_name: file.path
+      level: extended
+      multi_fields:
+      - flat_name: file.path.text
+        name: text
+        norms: false
+        type: text
+      name: path
+      normalize: []
+      short: Full path to the file, including the file name.
+      type: wildcard
+    file.pe.architecture:
+      dashed_name: file-pe-architecture
+      description: CPU architecture target for the file.
+      example: x64
+      flat_name: file.pe.architecture
+      ignore_above: 1024
+      level: extended
+      name: architecture
+      normalize: []
+      original_fieldset: pe
+      short: CPU architecture target for the file.
+      type: keyword
+    file.pe.company:
+      dashed_name: file-pe-company
+      description: Internal company name of the file, provided at compile-time.
+      example: Microsoft Corporation
+      flat_name: file.pe.company
+      ignore_above: 1024
+      level: extended
+      name: company
+      normalize: []
+      original_fieldset: pe
+      short: Internal company name of the file, provided at compile-time.
+      type: keyword
+    file.pe.description:
+      dashed_name: file-pe-description
+      description: Internal description of the file, provided at compile-time.
+      example: Paint
+      flat_name: file.pe.description
+      ignore_above: 1024
+      level: extended
+      name: description
+      normalize: []
+      original_fieldset: pe
+      short: Internal description of the file, provided at compile-time.
+      type: keyword
+    file.pe.file_version:
+      dashed_name: file-pe-file-version
+      description: Internal version of the file, provided at compile-time.
+      example: 6.3.9600.17415
+      flat_name: file.pe.file_version
+      ignore_above: 1024
+      level: extended
+      name: file_version
+      normalize: []
+      original_fieldset: pe
+      short: Process name.
+      type: keyword
+    file.pe.imphash:
+      dashed_name: file-pe-imphash
+      description: 'A hash of the imports in a PE file. An imphash -- or import hash
+        -- can be used to fingerprint binaries even after recompilation or other code-level
+        transformations have occurred, which would change more traditional hash values.
+
+        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+      example: 0c6803c4e922103c4dca5963aad36ddf
+      flat_name: file.pe.imphash
+      ignore_above: 1024
+      level: extended
+      name: imphash
+      normalize: []
+      original_fieldset: pe
+      short: A hash of the imports in a PE file.
+      type: keyword
+    file.pe.original_file_name:
+      dashed_name: file-pe-original-file-name
+      description: Internal name of the file, provided at compile-time.
+      example: MSPAINT.EXE
+      flat_name: file.pe.original_file_name
+      level: extended
+      name: original_file_name
+      normalize: []
+      original_fieldset: pe
+      short: Internal name of the file, provided at compile-time.
+      type: wildcard
+    file.pe.product:
+      dashed_name: file-pe-product
+      description: Internal product name of the file, provided at compile-time.
+      example: "Microsoft\xAE Windows\xAE Operating System"
+      flat_name: file.pe.product
+      ignore_above: 1024
+      level: extended
+      name: product
+      normalize: []
+      original_fieldset: pe
+      short: Internal product name of the file, provided at compile-time.
+      type: keyword
+    file.size:
+      dashed_name: file-size
+      description: 'File size in bytes.
+
+        Only relevant when `file.type` is "file".'
+      example: 16384
+      flat_name: file.size
+      level: extended
+      name: size
+      normalize: []
+      short: File size in bytes.
+      type: long
+    file.target_path:
+      dashed_name: file-target-path
+      description: Target path for symlinks.
+      flat_name: file.target_path
+      level: extended
+      multi_fields:
+      - flat_name: file.target_path.text
+        name: text
+        norms: false
+        type: text
+      name: target_path
+      normalize: []
+      short: Target path for symlinks.
+      type: wildcard
+    file.type:
+      dashed_name: file-type
+      description: File type (file, dir, or symlink).
+      example: file
+      flat_name: file.type
+      ignore_above: 1024
+      level: extended
+      name: type
+      normalize: []
+      short: File type (file, dir, or symlink).
+      type: keyword
+    file.uid:
+      dashed_name: file-uid
+      description: The user ID (UID) or security identifier (SID) of the file owner.
+      example: '1001'
+      flat_name: file.uid
+      ignore_above: 1024
+      level: extended
+      name: uid
+      normalize: []
+      short: The user ID (UID) or security identifier (SID) of the file owner.
+      type: keyword
+    file.x509.alternative_names:
+      dashed_name: file-x509-alternative-names
+      description: List of subject alternative names (SAN). Name types vary by certificate
+        authority and certificate type but commonly contain IP addresses, DNS names
+        (and wildcards), and email addresses.
+      example: '*.elastic.co'
+      flat_name: file.x509.alternative_names
+      ignore_above: 1024
+      level: extended
+      name: alternative_names
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of subject alternative names (SAN).
+      type: keyword
+    file.x509.issuer.common_name:
+      dashed_name: file-x509-issuer-common-name
+      description: List of common name (CN) of issuing certificate authority.
+      example: Example SHA2 High Assurance Server CA
+      flat_name: file.x509.issuer.common_name
+      ignore_above: 1024
+      level: extended
+      name: issuer.common_name
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of common name (CN) of issuing certificate authority.
+      type: keyword
+    file.x509.issuer.country:
+      dashed_name: file-x509-issuer-country
+      description: List of country (C) codes
+      example: US
+      flat_name: file.x509.issuer.country
+      ignore_above: 1024
+      level: extended
+      name: issuer.country
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of country (C) codes
+      type: keyword
+    file.x509.issuer.distinguished_name:
+      dashed_name: file-x509-issuer-distinguished-name
+      description: Distinguished name (DN) of issuing certificate authority.
+      example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
+        Server CA
+      flat_name: file.x509.issuer.distinguished_name
+      level: extended
+      name: issuer.distinguished_name
+      normalize: []
+      original_fieldset: x509
+      short: Distinguished name (DN) of issuing certificate authority.
+      type: wildcard
+    file.x509.issuer.locality:
+      dashed_name: file-x509-issuer-locality
+      description: List of locality names (L)
+      example: Mountain View
+      flat_name: file.x509.issuer.locality
+      ignore_above: 1024
+      level: extended
+      name: issuer.locality
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of locality names (L)
+      type: keyword
+    file.x509.issuer.organization:
+      dashed_name: file-x509-issuer-organization
+      description: List of organizations (O) of issuing certificate authority.
+      example: Example Inc
+      flat_name: file.x509.issuer.organization
+      ignore_above: 1024
+      level: extended
+      name: issuer.organization
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of organizations (O) of issuing certificate authority.
+      type: keyword
+    file.x509.issuer.organizational_unit:
+      dashed_name: file-x509-issuer-organizational-unit
+      description: List of organizational units (OU) of issuing certificate authority.
+      example: www.example.com
+      flat_name: file.x509.issuer.organizational_unit
+      ignore_above: 1024
+      level: extended
+      name: issuer.organizational_unit
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of organizational units (OU) of issuing certificate authority.
+      type: keyword
+    file.x509.issuer.state_or_province:
+      dashed_name: file-x509-issuer-state-or-province
+      description: List of state or province names (ST, S, or P)
+      example: California
+      flat_name: file.x509.issuer.state_or_province
+      ignore_above: 1024
+      level: extended
+      name: issuer.state_or_province
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of state or province names (ST, S, or P)
+      type: keyword
+    file.x509.not_after:
+      dashed_name: file-x509-not-after
+      description: Time at which the certificate is no longer considered valid.
+      example: 2020-07-16 03:15:39+00:00
+      flat_name: file.x509.not_after
+      level: extended
+      name: not_after
+      normalize: []
+      original_fieldset: x509
+      short: Time at which the certificate is no longer considered valid.
+      type: date
+    file.x509.not_before:
+      dashed_name: file-x509-not-before
+      description: Time at which the certificate is first considered valid.
+      example: 2019-08-16 01:40:25+00:00
+      flat_name: file.x509.not_before
+      level: extended
+      name: not_before
+      normalize: []
+      original_fieldset: x509
+      short: Time at which the certificate is first considered valid.
+      type: date
+    file.x509.public_key_algorithm:
+      dashed_name: file-x509-public-key-algorithm
+      description: Algorithm used to generate the public key.
+      example: RSA
+      flat_name: file.x509.public_key_algorithm
+      ignore_above: 1024
+      level: extended
+      name: public_key_algorithm
+      normalize: []
+      original_fieldset: x509
+      short: Algorithm used to generate the public key.
+      type: keyword
+    file.x509.public_key_curve:
+      dashed_name: file-x509-public-key-curve
+      description: The curve used by the elliptic curve public key algorithm. This
+        is algorithm specific.
+      example: nistp521
+      flat_name: file.x509.public_key_curve
+      ignore_above: 1024
+      level: extended
+      name: public_key_curve
+      normalize: []
+      original_fieldset: x509
+      short: The curve used by the elliptic curve public key algorithm. This is algorithm
+        specific.
+      type: keyword
+    file.x509.public_key_exponent:
+      dashed_name: file-x509-public-key-exponent
+      description: Exponent used to derive the public key. This is algorithm specific.
+      doc_values: false
+      example: 65537
+      flat_name: file.x509.public_key_exponent
+      index: false
+      level: extended
+      name: public_key_exponent
+      normalize: []
+      original_fieldset: x509
+      short: Exponent used to derive the public key. This is algorithm specific.
+      type: long
+    file.x509.public_key_size:
+      dashed_name: file-x509-public-key-size
+      description: The size of the public key space in bits.
+      example: 2048
+      flat_name: file.x509.public_key_size
+      level: extended
+      name: public_key_size
+      normalize: []
+      original_fieldset: x509
+      short: The size of the public key space in bits.
+      type: long
+    file.x509.serial_number:
+      dashed_name: file-x509-serial-number
+      description: Unique serial number issued by the certificate authority. For consistency,
+        if this value is alphanumeric, it should be formatted without colons and uppercase
+        characters.
+      example: 55FBB9C7DEBF09809D12CCAA
+      flat_name: file.x509.serial_number
+      ignore_above: 1024
+      level: extended
+      name: serial_number
+      normalize: []
+      original_fieldset: x509
+      short: Unique serial number issued by the certificate authority.
+      type: keyword
+    file.x509.signature_algorithm:
+      dashed_name: file-x509-signature-algorithm
+      description: Identifier for certificate signature algorithm. We recommend using
+        names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
+      example: SHA256-RSA
+      flat_name: file.x509.signature_algorithm
+      ignore_above: 1024
+      level: extended
+      name: signature_algorithm
+      normalize: []
+      original_fieldset: x509
+      short: Identifier for certificate signature algorithm.
+      type: keyword
+    file.x509.subject.common_name:
+      dashed_name: file-x509-subject-common-name
+      description: List of common names (CN) of subject.
+      example: shared.global.example.net
+      flat_name: file.x509.subject.common_name
+      ignore_above: 1024
+      level: extended
+      name: subject.common_name
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of common names (CN) of subject.
+      type: keyword
+    file.x509.subject.country:
+      dashed_name: file-x509-subject-country
+      description: List of country (C) code
+      example: US
+      flat_name: file.x509.subject.country
+      ignore_above: 1024
+      level: extended
+      name: subject.country
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of country (C) code
+      type: keyword
+    file.x509.subject.distinguished_name:
+      dashed_name: file-x509-subject-distinguished-name
+      description: Distinguished name (DN) of the certificate subject entity.
+      example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+      flat_name: file.x509.subject.distinguished_name
+      level: extended
+      name: subject.distinguished_name
+      normalize: []
+      original_fieldset: x509
+      short: Distinguished name (DN) of the certificate subject entity.
+      type: wildcard
+    file.x509.subject.locality:
+      dashed_name: file-x509-subject-locality
+      description: List of locality names (L)
+      example: San Francisco
+      flat_name: file.x509.subject.locality
+      ignore_above: 1024
+      level: extended
+      name: subject.locality
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of locality names (L)
+      type: keyword
+    file.x509.subject.organization:
+      dashed_name: file-x509-subject-organization
+      description: List of organizations (O) of subject.
+      example: Example, Inc.
+      flat_name: file.x509.subject.organization
+      ignore_above: 1024
+      level: extended
+      name: subject.organization
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of organizations (O) of subject.
+      type: keyword
+    file.x509.subject.organizational_unit:
+      dashed_name: file-x509-subject-organizational-unit
+      description: List of organizational units (OU) of subject.
+      flat_name: file.x509.subject.organizational_unit
+      ignore_above: 1024
+      level: extended
+      name: subject.organizational_unit
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of organizational units (OU) of subject.
+      type: keyword
+    file.x509.subject.state_or_province:
+      dashed_name: file-x509-subject-state-or-province
+      description: List of state or province names (ST, S, or P)
+      example: California
+      flat_name: file.x509.subject.state_or_province
+      ignore_above: 1024
+      level: extended
+      name: subject.state_or_province
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of state or province names (ST, S, or P)
+      type: keyword
+    file.x509.version_number:
+      dashed_name: file-x509-version-number
+      description: Version of x509 format.
+      example: 3
+      flat_name: file.x509.version_number
+      ignore_above: 1024
+      level: extended
+      name: version_number
+      normalize: []
+      original_fieldset: x509
+      short: Version of x509 format.
+      type: keyword
+  group: 2
+  name: file
+  nestings:
+  - file.code_signature
+  - file.hash
+  - file.pe
+  - file.x509
+  prefix: file.
+  reused_here:
+  - full: file.code_signature
+    schema_name: code_signature
+    short: These fields contain information about binary code signatures.
+  - full: file.hash
+    schema_name: hash
+    short: Hashes, usually file hashes.
+  - full: file.pe
+    schema_name: pe
+    short: These fields contain Windows Portable Executable (PE) metadata.
+  - full: file.x509
+    schema_name: x509
+    short: These fields contain x509 certificate metadata.
+  short: Fields describing files.
+  title: File
+  type: group
+geo:
+  description: 'Geo fields can carry data about a specific location related to an
+    event.
+
+    This geolocation information can be derived from techniques such as Geo IP, or
+    be user-supplied.'
+  fields:
+    geo.city_name:
+      dashed_name: geo-city-name
+      description: City name.
+      example: Montreal
+      flat_name: geo.city_name
+      ignore_above: 1024
+      level: core
+      name: city_name
+      normalize: []
+      short: City name.
+      type: keyword
+    geo.continent_name:
+      dashed_name: geo-continent-name
+      description: Name of the continent.
+      example: North America
+      flat_name: geo.continent_name
+      ignore_above: 1024
+      level: core
+      name: continent_name
+      normalize: []
+      short: Name of the continent.
+      type: keyword
+    geo.country_iso_code:
+      dashed_name: geo-country-iso-code
+      description: Country ISO code.
+      example: CA
+      flat_name: geo.country_iso_code
+      ignore_above: 1024
+      level: core
+      name: country_iso_code
+      normalize: []
+      short: Country ISO code.
+      type: keyword
+    geo.country_name:
+      dashed_name: geo-country-name
+      description: Country name.
+      example: Canada
+      flat_name: geo.country_name
+      ignore_above: 1024
+      level: core
+      name: country_name
+      normalize: []
+      short: Country name.
+      type: keyword
+    geo.location:
+      dashed_name: geo-location
+      description: Longitude and latitude.
+      example: '{ "lon": -73.614830, "lat": 45.505918 }'
+      flat_name: geo.location
+      level: core
+      name: location
+      normalize: []
+      short: Longitude and latitude.
+      type: geo_point
+    geo.name:
+      dashed_name: geo-name
+      description: 'User-defined description of a location, at the level of granularity
+        they care about.
+
+        Could be the name of their data centers, the floor number, if this describes
+        a local physical entity, city names.
+
+        Not typically used in automated geolocation.'
+      example: boston-dc
+      flat_name: geo.name
+      level: extended
+      name: name
+      normalize: []
+      short: User-defined description of a location.
+      type: wildcard
+    geo.region_iso_code:
+      dashed_name: geo-region-iso-code
+      description: Region ISO code.
+      example: CA-QC
+      flat_name: geo.region_iso_code
+      ignore_above: 1024
+      level: core
+      name: region_iso_code
+      normalize: []
+      short: Region ISO code.
+      type: keyword
+    geo.region_name:
+      dashed_name: geo-region-name
+      description: Region name.
+      example: Quebec
+      flat_name: geo.region_name
+      ignore_above: 1024
+      level: core
+      name: region_name
+      normalize: []
+      short: Region name.
+      type: keyword
+  group: 2
+  name: geo
+  prefix: geo.
+  reusable:
+    expected:
+    - as: geo
+      at: client
+      full: client.geo
+    - as: geo
+      at: destination
+      full: destination.geo
+    - as: geo
+      at: observer
+      full: observer.geo
+    - as: geo
+      at: host
+      full: host.geo
+    - as: geo
+      at: server
+      full: server.geo
+    - as: geo
+      at: source
+      full: source.geo
+    top_level: false
+  short: Fields describing a location.
+  title: Geo
+  type: group
+group:
+  description: The group fields are meant to represent groups that are relevant to
+    the event.
+  fields:
+    group.domain:
+      dashed_name: group-domain
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      flat_name: group.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      short: Name of the directory the group is a member of.
+      type: keyword
+    group.id:
+      dashed_name: group-id
+      description: Unique identifier for the group on the system/platform.
+      flat_name: group.id
+      ignore_above: 1024
+      level: extended
+      name: id
+      normalize: []
+      short: Unique identifier for the group on the system/platform.
+      type: keyword
+    group.name:
+      dashed_name: group-name
+      description: Name of the group.
+      flat_name: group.name
+      ignore_above: 1024
+      level: extended
+      name: name
+      normalize: []
+      short: Name of the group.
+      type: keyword
+  group: 2
+  name: group
+  prefix: group.
+  reusable:
+    expected:
+    - as: group
+      at: user
+      full: user.group
+    top_level: true
+  short: User's group relevant to the event.
+  title: Group
+  type: group
+hash:
+  description: 'The hash fields represent different hash algorithms and their values.
+
+    Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for
+    other hashes by lowercasing the hash algorithm name and using underscore separators
+    as appropriate (snake case, e.g. sha3_512).'
+  fields:
+    hash.md5:
+      dashed_name: hash-md5
+      description: MD5 hash.
+      flat_name: hash.md5
+      ignore_above: 1024
+      level: extended
+      name: md5
+      normalize: []
+      short: MD5 hash.
+      type: keyword
+    hash.sha1:
+      dashed_name: hash-sha1
+      description: SHA1 hash.
+      flat_name: hash.sha1
+      ignore_above: 1024
+      level: extended
+      name: sha1
+      normalize: []
+      short: SHA1 hash.
+      type: keyword
+    hash.sha256:
+      dashed_name: hash-sha256
+      description: SHA256 hash.
+      flat_name: hash.sha256
+      ignore_above: 1024
+      level: extended
+      name: sha256
+      normalize: []
+      short: SHA256 hash.
+      type: keyword
+    hash.sha512:
+      dashed_name: hash-sha512
+      description: SHA512 hash.
+      flat_name: hash.sha512
+      ignore_above: 1024
+      level: extended
+      name: sha512
+      normalize: []
+      short: SHA512 hash.
+      type: keyword
+  group: 2
+  name: hash
+  prefix: hash.
+  reusable:
+    expected:
+    - as: hash
+      at: file
+      full: file.hash
+    - as: hash
+      at: process
+      full: process.hash
+    - as: hash
+      at: dll
+      full: dll.hash
+    top_level: false
+  short: Hashes, usually file hashes.
+  title: Hash
+  type: group
+host:
+  description: 'A host is defined as a general computing instance.
+
+    ECS host.* fields should be populated with details about the host on which the
+    event happened, or from which the measurement was taken. Host types include hardware,
+    virtual machines, Docker containers, and Kubernetes nodes.'
+  fields:
+    host.architecture:
+      dashed_name: host-architecture
+      description: Operating system architecture.
+      example: x86_64
+      flat_name: host.architecture
+      ignore_above: 1024
+      level: core
+      name: architecture
+      normalize: []
+      short: Operating system architecture.
+      type: keyword
+    host.domain:
+      dashed_name: host-domain
+      description: 'Name of the domain of which the host is a member.
+
+        For example, on Windows this could be the host''s Active Directory domain
+        or NetBIOS domain name. For Linux this could be the domain of the host''s
+        LDAP provider.'
+      example: CONTOSO
+      flat_name: host.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      short: Name of the directory the group is a member of.
+      type: keyword
+    host.geo.city_name:
+      dashed_name: host-geo-city-name
+      description: City name.
+      example: Montreal
+      flat_name: host.geo.city_name
+      ignore_above: 1024
+      level: core
+      name: city_name
+      normalize: []
+      original_fieldset: geo
+      short: City name.
+      type: keyword
+    host.geo.continent_name:
+      dashed_name: host-geo-continent-name
+      description: Name of the continent.
+      example: North America
+      flat_name: host.geo.continent_name
+      ignore_above: 1024
+      level: core
+      name: continent_name
+      normalize: []
+      original_fieldset: geo
+      short: Name of the continent.
+      type: keyword
+    host.geo.country_iso_code:
+      dashed_name: host-geo-country-iso-code
+      description: Country ISO code.
+      example: CA
+      flat_name: host.geo.country_iso_code
+      ignore_above: 1024
+      level: core
+      name: country_iso_code
+      normalize: []
+      original_fieldset: geo
+      short: Country ISO code.
+      type: keyword
+    host.geo.country_name:
+      dashed_name: host-geo-country-name
+      description: Country name.
+      example: Canada
+      flat_name: host.geo.country_name
+      ignore_above: 1024
+      level: core
+      name: country_name
+      normalize: []
+      original_fieldset: geo
+      short: Country name.
+      type: keyword
+    host.geo.location:
+      dashed_name: host-geo-location
+      description: Longitude and latitude.
+      example: '{ "lon": -73.614830, "lat": 45.505918 }'
+      flat_name: host.geo.location
+      level: core
+      name: location
+      normalize: []
+      original_fieldset: geo
+      short: Longitude and latitude.
+      type: geo_point
+    host.geo.name:
+      dashed_name: host-geo-name
+      description: 'User-defined description of a location, at the level of granularity
+        they care about.
+
+        Could be the name of their data centers, the floor number, if this describes
+        a local physical entity, city names.
+
+        Not typically used in automated geolocation.'
+      example: boston-dc
+      flat_name: host.geo.name
+      level: extended
+      name: name
+      normalize: []
+      original_fieldset: geo
+      short: User-defined description of a location.
+      type: wildcard
+    host.geo.region_iso_code:
+      dashed_name: host-geo-region-iso-code
+      description: Region ISO code.
+      example: CA-QC
+      flat_name: host.geo.region_iso_code
+      ignore_above: 1024
+      level: core
+      name: region_iso_code
+      normalize: []
+      original_fieldset: geo
+      short: Region ISO code.
+      type: keyword
+    host.geo.region_name:
+      dashed_name: host-geo-region-name
+      description: Region name.
+      example: Quebec
+      flat_name: host.geo.region_name
+      ignore_above: 1024
+      level: core
+      name: region_name
+      normalize: []
+      original_fieldset: geo
+      short: Region name.
+      type: keyword
+    host.hostname:
+      dashed_name: host-hostname
+      description: 'Hostname of the host.
+
+        It normally contains what the `hostname` command returns on the host machine.'
+      flat_name: host.hostname
+      level: core
+      name: hostname
+      normalize: []
+      short: Hostname of the host.
+      type: wildcard
+    host.id:
+      dashed_name: host-id
+      description: 'Unique host id.
+
+        As hostname is not always unique, use values that are meaningful in your environment.
+
+        Example: The current usage of `beat.name`.'
+      flat_name: host.id
+      ignore_above: 1024
+      level: core
+      name: id
+      normalize: []
+      short: Unique host id.
+      type: keyword
+    host.ip:
+      dashed_name: host-ip
+      description: Host ip addresses.
+      flat_name: host.ip
+      level: core
+      name: ip
+      normalize:
+      - array
+      short: Host ip addresses.
+      type: ip
+    host.mac:
+      dashed_name: host-mac
+      description: Host mac addresses.
+      flat_name: host.mac
+      ignore_above: 1024
+      level: core
+      name: mac
+      normalize:
+      - array
+      short: Host mac addresses.
+      type: keyword
+    host.name:
+      dashed_name: host-name
+      description: 'Name of the host.
+
+        It can contain what `hostname` returns on Unix systems, the fully qualified
+        domain name, or a name specified by the user. The sender decides which value
+        to use.'
+      flat_name: host.name
+      ignore_above: 1024
+      level: core
+      name: name
+      normalize: []
+      short: Name of the host.
+      type: keyword
+    host.os.family:
+      dashed_name: host-os-family
+      description: OS family (such as redhat, debian, freebsd, windows).
+      example: debian
+      flat_name: host.os.family
+      ignore_above: 1024
+      level: extended
+      name: family
+      normalize: []
+      original_fieldset: os
+      short: OS family (such as redhat, debian, freebsd, windows).
+      type: keyword
+    host.os.full:
+      dashed_name: host-os-full
+      description: Operating system name, including the version or code name.
+      example: Mac OS Mojave
+      flat_name: host.os.full
+      level: extended
+      multi_fields:
+      - flat_name: host.os.full.text
+        name: text
+        norms: false
+        type: text
+      name: full
+      normalize: []
+      original_fieldset: os
+      short: Operating system name, including the version or code name.
+      type: wildcard
+    host.os.kernel:
+      dashed_name: host-os-kernel
+      description: Operating system kernel version as a raw string.
+      example: 4.4.0-112-generic
+      flat_name: host.os.kernel
+      ignore_above: 1024
+      level: extended
+      name: kernel
+      normalize: []
+      original_fieldset: os
+      short: Operating system kernel version as a raw string.
+      type: keyword
+    host.os.name:
+      dashed_name: host-os-name
+      description: Operating system name, without the version.
+      example: Mac OS X
+      flat_name: host.os.name
+      level: extended
+      multi_fields:
+      - flat_name: host.os.name.text
+        name: text
+        norms: false
+        type: text
+      name: name
+      normalize: []
+      original_fieldset: os
+      short: Operating system name, without the version.
+      type: wildcard
+    host.os.platform:
+      dashed_name: host-os-platform
+      description: Operating system platform (such centos, ubuntu, windows).
+      example: darwin
+      flat_name: host.os.platform
+      ignore_above: 1024
+      level: extended
+      name: platform
+      normalize: []
+      original_fieldset: os
+      short: Operating system platform (such centos, ubuntu, windows).
+      type: keyword
+    host.os.version:
+      dashed_name: host-os-version
+      description: Operating system version as a raw string.
+      example: 10.14.1
+      flat_name: host.os.version
+      ignore_above: 1024
+      level: extended
+      name: version
+      normalize: []
+      original_fieldset: os
+      short: Operating system version as a raw string.
+      type: keyword
+    host.type:
+      dashed_name: host-type
+      description: 'Type of host.
+
+        For Cloud providers this can be the machine type like `t2.medium`. If vm,
+        this could be the container, for example, or other information meaningful
+        in your environment.'
+      flat_name: host.type
+      ignore_above: 1024
+      level: core
+      name: type
+      normalize: []
+      short: Type of host.
+      type: keyword
+    host.uptime:
+      dashed_name: host-uptime
+      description: Seconds the host has been up.
+      example: 1325
+      flat_name: host.uptime
+      level: extended
+      name: uptime
+      normalize: []
+      short: Seconds the host has been up.
+      type: long
+    host.user.domain:
+      dashed_name: host-user-domain
+      description: 'Name of the directory the user is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      flat_name: host.user.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      original_fieldset: user
+      short: Name of the directory the user is a member of.
+      type: keyword
+    host.user.email:
+      dashed_name: host-user-email
+      description: User email address.
+      flat_name: host.user.email
+      level: extended
+      name: email
+      normalize: []
+      original_fieldset: user
+      short: User email address.
+      type: wildcard
+    host.user.full_name:
+      dashed_name: host-user-full-name
+      description: User's full name, if available.
+      example: Albert Einstein
+      flat_name: host.user.full_name
+      level: extended
+      multi_fields:
+      - flat_name: host.user.full_name.text
+        name: text
+        norms: false
+        type: text
+      name: full_name
+      normalize: []
+      original_fieldset: user
+      short: User's full name, if available.
+      type: wildcard
+    host.user.group.domain:
+      dashed_name: host-user-group-domain
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      flat_name: host.user.group.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      original_fieldset: group
+      short: Name of the directory the group is a member of.
+      type: keyword
+    host.user.group.id:
+      dashed_name: host-user-group-id
+      description: Unique identifier for the group on the system/platform.
+      flat_name: host.user.group.id
+      ignore_above: 1024
+      level: extended
+      name: id
+      normalize: []
+      original_fieldset: group
+      short: Unique identifier for the group on the system/platform.
+      type: keyword
+    host.user.group.name:
+      dashed_name: host-user-group-name
+      description: Name of the group.
+      flat_name: host.user.group.name
+      ignore_above: 1024
+      level: extended
+      name: name
+      normalize: []
+      original_fieldset: group
+      short: Name of the group.
+      type: keyword
+    host.user.hash:
+      dashed_name: host-user-hash
+      description: 'Unique user hash to correlate information for a user in anonymized
+        form.
+
+        Useful if `user.id` or `user.name` contain confidential information and cannot
+        be used.'
+      flat_name: host.user.hash
+      ignore_above: 1024
+      level: extended
+      name: hash
+      normalize: []
+      original_fieldset: user
+      short: Unique user hash to correlate information for a user in anonymized form.
+      type: keyword
+    host.user.id:
+      dashed_name: host-user-id
+      description: Unique identifier of the user.
+      flat_name: host.user.id
+      ignore_above: 1024
+      level: core
+      name: id
+      normalize: []
+      original_fieldset: user
+      short: Unique identifier of the user.
+      type: keyword
+    host.user.name:
+      dashed_name: host-user-name
+      description: Short name or login of the user.
+      example: albert
+      flat_name: host.user.name
+      level: core
+      multi_fields:
+      - flat_name: host.user.name.text
+        name: text
+        norms: false
+        type: text
+      name: name
+      normalize: []
+      original_fieldset: user
+      short: Short name or login of the user.
+      type: wildcard
+    host.user.roles:
+      dashed_name: host-user-roles
+      description: Array of user roles at the time of the event.
+      example: '["kibana_admin", "reporting_user"]'
+      flat_name: host.user.roles
+      ignore_above: 1024
+      level: extended
+      name: roles
+      normalize:
+      - array
+      original_fieldset: user
+      short: Array of user roles at the time of the event.
+      type: keyword
+  group: 2
+  name: host
+  nestings:
+  - host.geo
+  - host.os
+  - host.user
+  prefix: host.
+  reused_here:
+  - full: host.geo
+    schema_name: geo
+    short: Fields describing a location.
+  - full: host.os
+    schema_name: os
+    short: OS fields contain information about the operating system.
+  - full: host.user
+    schema_name: user
+    short: Fields to describe the user relevant to the event.
+  short: Fields describing the relevant computing instance.
+  title: Host
+  type: group
+http:
+  description: Fields related to HTTP activity. Use the `url` field set to store the
+    url of the request.
+  fields:
+    http.request.body.bytes:
+      dashed_name: http-request-body-bytes
+      description: Size in bytes of the request body.
+      example: 887
+      flat_name: http.request.body.bytes
+      format: bytes
+      level: extended
+      name: request.body.bytes
+      normalize: []
+      short: Size in bytes of the request body.
+      type: long
+    http.request.body.content:
+      dashed_name: http-request-body-content
+      description: The full HTTP request body.
+      example: Hello world
+      flat_name: http.request.body.content
+      level: extended
+      multi_fields:
+      - flat_name: http.request.body.content.text
+        name: text
+        norms: false
+        type: text
+      name: request.body.content
+      normalize: []
+      short: The full HTTP request body.
+      type: wildcard
+    http.request.bytes:
+      dashed_name: http-request-bytes
+      description: Total size in bytes of the request (body and headers).
+      example: 1437
+      flat_name: http.request.bytes
+      format: bytes
+      level: extended
+      name: request.bytes
+      normalize: []
+      short: Total size in bytes of the request (body and headers).
+      type: long
+    http.request.method:
+      dashed_name: http-request-method
+      description: 'HTTP request method.
+
+        Prior to ECS 1.6.0 the following guidance was provided:
+
+        "The field value must be normalized to lowercase for querying."
+
+        As of ECS 1.6.0, the guidance is deprecated because the original case of the
+        method may be useful in anomaly detection.  Original case will be mandated
+        in ECS 2.0.0'
+      example: GET, POST, PUT, PoST
+      flat_name: http.request.method
+      ignore_above: 1024
+      level: extended
+      name: request.method
+      normalize: []
+      short: HTTP request method.
+      type: keyword
+    http.request.mime_type:
+      dashed_name: http-request-mime-type
+      description: 'Mime type of the body of the request.
+
+        This value must only be populated based on the content of the request body,
+        not on the `Content-Type` header. Comparing the mime type of a request with
+        the request''s Content-Type header can be helpful in detecting threats or
+        misconfigured clients.'
+      example: image/gif
+      flat_name: http.request.mime_type
+      ignore_above: 1024
+      level: extended
+      name: request.mime_type
+      normalize: []
+      short: Mime type of the body of the request.
+      type: keyword
+    http.request.referrer:
+      dashed_name: http-request-referrer
+      description: Referrer for this HTTP request.
+      example: https://blog.example.com/
+      flat_name: http.request.referrer
+      level: extended
+      name: request.referrer
+      normalize: []
+      short: Referrer for this HTTP request.
+      type: wildcard
+    http.response.body.bytes:
+      dashed_name: http-response-body-bytes
+      description: Size in bytes of the response body.
+      example: 887
+      flat_name: http.response.body.bytes
+      format: bytes
+      level: extended
+      name: response.body.bytes
+      normalize: []
+      short: Size in bytes of the response body.
+      type: long
+    http.response.body.content:
+      dashed_name: http-response-body-content
+      description: The full HTTP response body.
+      example: Hello world
+      flat_name: http.response.body.content
+      level: extended
+      multi_fields:
+      - flat_name: http.response.body.content.text
+        name: text
+        norms: false
+        type: text
+      name: response.body.content
+      normalize: []
+      short: The full HTTP response body.
+      type: wildcard
+    http.response.bytes:
+      dashed_name: http-response-bytes
+      description: Total size in bytes of the response (body and headers).
+      example: 1437
+      flat_name: http.response.bytes
+      format: bytes
+      level: extended
+      name: response.bytes
+      normalize: []
+      short: Total size in bytes of the response (body and headers).
+      type: long
+    http.response.mime_type:
+      dashed_name: http-response-mime-type
+      description: 'Mime type of the body of the response.
+
+        This value must only be populated based on the content of the response body,
+        not on the `Content-Type` header. Comparing the mime type of a response with
+        the response''s Content-Type header can be helpful in detecting misconfigured
+        servers.'
+      example: image/gif
+      flat_name: http.response.mime_type
+      ignore_above: 1024
+      level: extended
+      name: response.mime_type
+      normalize: []
+      short: Mime type of the body of the response.
+      type: keyword
+    http.response.status_code:
+      dashed_name: http-response-status-code
+      description: HTTP response status code.
+      example: 404
+      flat_name: http.response.status_code
+      format: string
+      level: extended
+      name: response.status_code
+      normalize: []
+      short: HTTP response status code.
+      type: long
+    http.version:
+      dashed_name: http-version
+      description: HTTP version.
+      example: 1.1
+      flat_name: http.version
+      ignore_above: 1024
+      level: extended
+      name: version
+      normalize: []
+      short: HTTP version.
+      type: keyword
+  group: 2
+  name: http
+  prefix: http.
+  short: Fields describing an HTTP request.
+  title: HTTP
+  type: group
+interface:
+  description: The interface fields are used to record ingress and egress interface
+    information when reported by an observer (e.g. firewall, router, load balancer)
+    in the context of the observer handling a network connection.  In the case of
+    a single observer interface (e.g. network sensor on a span port) only the observer.ingress
+    information should be populated.
+  fields:
+    interface.alias:
+      dashed_name: interface-alias
+      description: Interface alias as reported by the system, typically used in firewall
+        implementations for e.g. inside, outside, or dmz logical interface naming.
+      example: outside
+      flat_name: interface.alias
+      ignore_above: 1024
+      level: extended
+      name: alias
+      normalize: []
+      short: Interface alias
+      type: keyword
+    interface.id:
+      dashed_name: interface-id
+      description: Interface ID as reported by an observer (typically SNMP interface
+        ID).
+      example: 10
+      flat_name: interface.id
+      ignore_above: 1024
+      level: extended
+      name: id
+      normalize: []
+      short: Interface ID
+      type: keyword
+    interface.name:
+      dashed_name: interface-name
+      description: Interface name as reported by the system.
+      example: eth0
+      flat_name: interface.name
+      ignore_above: 1024
+      level: extended
+      name: name
+      normalize: []
+      short: Interface name
+      type: keyword
+  group: 2
+  name: interface
+  prefix: interface.
+  reusable:
+    expected:
+    - as: interface
+      at: observer.ingress
+      full: observer.ingress.interface
+    - as: interface
+      at: observer.egress
+      full: observer.egress.interface
+    top_level: false
+  short: Fields to describe observer interface information.
+  title: Interface
+  type: group
+log:
+  description: 'Details about the event''s logging mechanism or logging transport.
+
+    The log.* fields are typically populated with details about the logging mechanism
+    used to create and/or transport the event. For example, syslog details belong
+    under `log.syslog.*`.
+
+    The details specific to your event source are typically not logged under `log.*`,
+    but rather in `event.*` or in other ECS fields.'
+  fields:
+    log.file.path:
+      dashed_name: log-file-path
+      description: 'Full path to the log file this event came from, including the
+        file name. It should include the drive letter, when appropriate.
+
+        If the event wasn''t read from a log file, do not populate this field.'
+      example: /var/log/fun-times.log
+      flat_name: log.file.path
+      level: extended
+      name: file.path
+      normalize: []
+      short: Full path to the log file this event came from.
+      type: wildcard
+    log.level:
+      dashed_name: log-level
+      description: 'Original log level of the log event.
+
+        If the source of the event provides a log level or textual severity, this
+        is the one that goes in `log.level`. If your source doesn''t specify one,
+        you may put your event transport''s severity here (e.g. Syslog severity).
+
+        Some examples are `warn`, `err`, `i`, `informational`.'
+      example: error
+      flat_name: log.level
+      ignore_above: 1024
+      level: core
+      name: level
+      normalize: []
+      short: Log level of the log event.
+      type: keyword
+    log.logger:
+      dashed_name: log-logger
+      description: The name of the logger inside an application. This is usually the
+        name of the class which initialized the logger, or can be a custom name.
+      example: org.elasticsearch.bootstrap.Bootstrap
+      flat_name: log.logger
+      level: core
+      name: logger
+      normalize: []
+      short: Name of the logger.
+      type: wildcard
+    log.origin.file.line:
+      dashed_name: log-origin-file-line
+      description: The line number of the file containing the source code which originated
+        the log event.
+      example: 42
+      flat_name: log.origin.file.line
+      level: extended
+      name: origin.file.line
+      normalize: []
+      short: The line number of the file which originated the log event.
+      type: integer
+    log.origin.file.name:
+      dashed_name: log-origin-file-name
+      description: 'The name of the file containing the source code which originated
+        the log event.
+
+        Note that this field is not meant to capture the log file. The correct field
+        to capture the log file is `log.file.path`.'
+      example: Bootstrap.java
+      flat_name: log.origin.file.name
+      ignore_above: 1024
+      level: extended
+      name: origin.file.name
+      normalize: []
+      short: The code file which originated the log event.
+      type: keyword
+    log.origin.function:
+      dashed_name: log-origin-function
+      description: The name of the function or method which originated the log event.
+      example: init
+      flat_name: log.origin.function
+      ignore_above: 1024
+      level: extended
+      name: origin.function
+      normalize: []
+      short: The function which originated the log event.
+      type: keyword
+    log.original:
+      dashed_name: log-original
+      description: 'This is the original log message and contains the full log message
+        before splitting it up in multiple parts.
+
+        In contrast to the `message` field which can contain an extracted part of
+        the log message, this field contains the original, full log message. It can
+        have already some modifications applied like encoding or new lines removed
+        to clean up the log message.
+
+        This field is not indexed and doc_values are disabled so it can''t be queried
+        but the value can be retrieved from `_source`.'
+      doc_values: false
+      example: Sep 19 08:26:10 localhost My log
+      flat_name: log.original
+      ignore_above: 1024
+      index: false
+      level: core
+      name: original
+      normalize: []
+      short: Original log message with light interpretation only (encoding, newlines).
+      type: keyword
+    log.syslog:
+      dashed_name: log-syslog
+      description: The Syslog metadata of the event, if the event was transmitted
+        via Syslog. Please see RFCs 5424 or 3164.
+      flat_name: log.syslog
+      level: extended
+      name: syslog
+      normalize: []
+      short: Syslog metadata
+      type: object
+    log.syslog.facility.code:
+      dashed_name: log-syslog-facility-code
+      description: 'The Syslog numeric facility of the log event, if available.
+
+        According to RFCs 5424 and 3164, this value should be an integer between 0
+        and 23.'
+      example: 23
+      flat_name: log.syslog.facility.code
+      format: string
+      level: extended
+      name: syslog.facility.code
+      normalize: []
+      short: Syslog numeric facility of the event.
+      type: long
+    log.syslog.facility.name:
+      dashed_name: log-syslog-facility-name
+      description: The Syslog text-based facility of the log event, if available.
+      example: local7
+      flat_name: log.syslog.facility.name
+      ignore_above: 1024
+      level: extended
+      name: syslog.facility.name
+      normalize: []
+      short: Syslog text-based facility of the event.
+      type: keyword
+    log.syslog.priority:
+      dashed_name: log-syslog-priority
+      description: 'Syslog numeric priority of the event, if available.
+
+        According to RFCs 5424 and 3164, the priority is 8 * facility + severity.
+        This number is therefore expected to contain a value between 0 and 191.'
+      example: 135
+      flat_name: log.syslog.priority
+      format: string
+      level: extended
+      name: syslog.priority
+      normalize: []
+      short: Syslog priority of the event.
+      type: long
+    log.syslog.severity.code:
+      dashed_name: log-syslog-severity-code
+      description: 'The Syslog numeric severity of the log event, if available.
+
+        If the event source publishing via Syslog provides a different numeric severity
+        value (e.g. firewall, IDS), your source''s numeric severity should go to `event.severity`.
+        If the event source does not specify a distinct severity, you can optionally
+        copy the Syslog severity to `event.severity`.'
+      example: 3
+      flat_name: log.syslog.severity.code
+      level: extended
+      name: syslog.severity.code
+      normalize: []
+      short: Syslog numeric severity of the event.
+      type: long
+    log.syslog.severity.name:
+      dashed_name: log-syslog-severity-name
+      description: 'The Syslog numeric severity of the log event, if available.
+
+        If the event source publishing via Syslog provides a different severity value
+        (e.g. firewall, IDS), your source''s text severity should go to `log.level`.
+        If the event source does not specify a distinct severity, you can optionally
+        copy the Syslog severity to `log.level`.'
+      example: Error
+      flat_name: log.syslog.severity.name
+      ignore_above: 1024
+      level: extended
+      name: syslog.severity.name
+      normalize: []
+      short: Syslog text-based severity of the event.
+      type: keyword
+  group: 2
+  name: log
+  prefix: log.
+  short: Details about the event's logging mechanism.
+  title: Log
+  type: group
+network:
+  description: 'The network is defined as the communication path over which a host
+    or network event happens.
+
+    The network.* fields should be populated with details about the network activity
+    associated with an event.'
+  fields:
+    network.application:
+      dashed_name: network-application
+      description: 'A name given to an application level protocol. This can be arbitrarily
+        assigned for things like microservices, but also apply to things like skype,
+        icq, facebook, twitter. This would be used in situations where the vendor
+        or service can be decoded such as from the source/dest IP owners, ports, or
+        wire format.
+
+        The field value must be normalized to lowercase for querying. See the documentation
+        section "Implementing ECS".'
+      example: aim
+      flat_name: network.application
+      ignore_above: 1024
+      level: extended
+      name: application
+      normalize: []
+      short: Application level protocol name.
+      type: keyword
+    network.bytes:
+      dashed_name: network-bytes
+      description: 'Total bytes transferred in both directions.
+
+        If `source.bytes` and `destination.bytes` are known, `network.bytes` is their
+        sum.'
+      example: 368
+      flat_name: network.bytes
+      format: bytes
+      level: core
+      name: bytes
+      normalize: []
+      short: Total bytes transferred in both directions.
+      type: long
+    network.community_id:
+      dashed_name: network-community-id
+      description: 'A hash of source and destination IPs and ports, as well as the
+        protocol used in a communication. This is a tool-agnostic standard to identify
+        flows.
+
+        Learn more at https://github.com/corelight/community-id-spec.'
+      example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=
+      flat_name: network.community_id
+      ignore_above: 1024
+      level: extended
+      name: community_id
+      normalize: []
+      short: A hash of source and destination IPs and ports.
+      type: keyword
+    network.direction:
+      dashed_name: network-direction
+      description: "Direction of the network traffic.\nRecommended values are:\n \
+        \ * ingress\n  * egress\n  * inbound\n  * outbound\n  * internal\n  * external\n\
+        \  * unknown\n\nWhen mapping events from a host-based monitoring context,\
+        \ populate this field from the host's point of view, using the values \"ingress\"\
+        \ or \"egress\".\nWhen mapping events from a network or perimeter-based monitoring\
+        \ context, populate this field from the point of view of the network perimeter,\
+        \ using the values \"inbound\", \"outbound\", \"internal\" or \"external\"\
+        .\nNote that \"internal\" is not crossing perimeter boundaries, and is meant\
+        \ to describe communication between two hosts within the perimeter. Note also\
+        \ that \"external\" is meant to describe traffic between two hosts that are\
+        \ external to the perimeter. This could for example be useful for ISPs or\
+        \ VPN service providers."
+      example: inbound
+      flat_name: network.direction
+      ignore_above: 1024
+      level: core
+      name: direction
+      normalize: []
+      short: Direction of the network traffic.
+      type: keyword
+    network.forwarded_ip:
+      dashed_name: network-forwarded-ip
+      description: Host IP address when the source IP address is the proxy.
+      example: 192.1.1.2
+      flat_name: network.forwarded_ip
+      level: core
+      name: forwarded_ip
+      normalize: []
+      short: Host IP address when the source IP address is the proxy.
+      type: ip
+    network.iana_number:
+      dashed_name: network-iana-number
+      description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml).
+        Standardized list of protocols. This aligns well with NetFlow and sFlow related
+        logs which use the IANA Protocol Number.
+      example: 6
+      flat_name: network.iana_number
+      ignore_above: 1024
+      level: extended
+      name: iana_number
+      normalize: []
+      short: IANA Protocol Number.
+      type: keyword
+    network.inner:
+      dashed_name: network-inner
+      description: Network.inner fields are added in addition to network.vlan fields
+        to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed
+        fields include vlan.id and vlan.name. Inner vlan fields are typically used
+        when sending traffic with multiple 802.1q encapsulations to a network sensor
+        (e.g. Zeek, Wireshark.)
+      flat_name: network.inner
+      level: extended
+      name: inner
+      normalize: []
+      short: Inner VLAN tag information
+      type: object
+    network.inner.vlan.id:
+      dashed_name: network-inner-vlan-id
+      description: VLAN ID as reported by the observer.
+      example: 10
+      flat_name: network.inner.vlan.id
+      ignore_above: 1024
+      level: extended
+      name: id
+      normalize: []
+      original_fieldset: vlan
+      short: VLAN ID as reported by the observer.
+      type: keyword
+    network.inner.vlan.name:
+      dashed_name: network-inner-vlan-name
+      description: Optional VLAN name as reported by the observer.
+      example: outside
+      flat_name: network.inner.vlan.name
+      ignore_above: 1024
+      level: extended
+      name: name
+      normalize: []
+      original_fieldset: vlan
+      short: Optional VLAN name as reported by the observer.
+      type: keyword
+    network.name:
+      dashed_name: network-name
+      description: Name given by operators to sections of their network.
+      example: Guest Wifi
+      flat_name: network.name
+      ignore_above: 1024
+      level: extended
+      name: name
+      normalize: []
+      short: Name given by operators to sections of their network.
+      type: keyword
+    network.packets:
+      dashed_name: network-packets
+      description: 'Total packets transferred in both directions.
+
+        If `source.packets` and `destination.packets` are known, `network.packets`
+        is their sum.'
+      example: 24
+      flat_name: network.packets
+      level: core
+      name: packets
+      normalize: []
+      short: Total packets transferred in both directions.
+      type: long
+    network.protocol:
+      dashed_name: network-protocol
+      description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol.
+
+        The field value must be normalized to lowercase for querying. See the documentation
+        section "Implementing ECS".'
+      example: http
+      flat_name: network.protocol
+      ignore_above: 1024
+      level: core
+      name: protocol
+      normalize: []
+      short: L7 Network protocol name.
+      type: keyword
+    network.transport:
+      dashed_name: network-transport
+      description: 'Same as network.iana_number, but instead using the Keyword name
+        of the transport layer (udp, tcp, ipv6-icmp, etc.)
+
+        The field value must be normalized to lowercase for querying. See the documentation
+        section "Implementing ECS".'
+      example: tcp
+      flat_name: network.transport
+      ignore_above: 1024
+      level: core
+      name: transport
+      normalize: []
+      short: Protocol Name corresponding to the field `iana_number`.
+      type: keyword
+    network.type:
+      dashed_name: network-type
+      description: 'In the OSI Model this would be the Network Layer. ipv4, ipv6,
+        ipsec, pim, etc
+
+        The field value must be normalized to lowercase for querying. See the documentation
+        section "Implementing ECS".'
+      example: ipv4
+      flat_name: network.type
+      ignore_above: 1024
+      level: core
+      name: type
+      normalize: []
+      short: In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec,
+        pim, etc
+      type: keyword
+    network.vlan.id:
+      dashed_name: network-vlan-id
+      description: VLAN ID as reported by the observer.
+      example: 10
+      flat_name: network.vlan.id
+      ignore_above: 1024
+      level: extended
+      name: id
+      normalize: []
+      original_fieldset: vlan
+      short: VLAN ID as reported by the observer.
+      type: keyword
+    network.vlan.name:
+      dashed_name: network-vlan-name
+      description: Optional VLAN name as reported by the observer.
+      example: outside
+      flat_name: network.vlan.name
+      ignore_above: 1024
+      level: extended
+      name: name
+      normalize: []
+      original_fieldset: vlan
+      short: Optional VLAN name as reported by the observer.
+      type: keyword
+  group: 2
+  name: network
+  nestings:
+  - network.inner.vlan
+  - network.vlan
+  prefix: network.
+  reused_here:
+  - full: network.vlan
+    schema_name: vlan
+    short: Fields to describe observed VLAN information.
+  - full: network.inner.vlan
+    schema_name: vlan
+    short: Fields to describe observed VLAN information.
+  short: Fields describing the communication path over which the event happened.
+  title: Network
+  type: group
+observer:
+  description: 'An observer is defined as a special network, security, or application
+    device used to detect, observe, or create network, security, or application-related
+    events and metrics.
+
+    This could be a custom hardware appliance or a server that has been configured
+    to run special network, security, or application software. Examples include firewalls,
+    web proxies, intrusion detection/prevention systems, network monitoring sensors,
+    web application firewalls, data loss prevention systems, and APM servers. The
+    observer.* fields shall be populated with details of the system, if any, that
+    detects, observes and/or creates a network, security, or application event or
+    metric. Message queues and ETL components used in processing events or metrics
+    are not considered observers in ECS.'
+  fields:
+    observer.egress:
+      dashed_name: observer-egress
+      description: Observer.egress holds information like interface number and name,
+        vlan, and zone information to  classify egress traffic.  Single armed monitoring
+        such as a network sensor on a span port should  only use observer.ingress
+        to categorize traffic.
+      flat_name: observer.egress
+      level: extended
+      name: egress
+      normalize: []
+      short: Object field for egress information
+      type: object
+    observer.egress.interface.alias:
+      dashed_name: observer-egress-interface-alias
+      description: Interface alias as reported by the system, typically used in firewall
+        implementations for e.g. inside, outside, or dmz logical interface naming.
+      example: outside
+      flat_name: observer.egress.interface.alias
+      ignore_above: 1024
+      level: extended
+      name: alias
+      normalize: []
+      original_fieldset: interface
+      short: Interface alias
+      type: keyword
+    observer.egress.interface.id:
+      dashed_name: observer-egress-interface-id
+      description: Interface ID as reported by an observer (typically SNMP interface
+        ID).
+      example: 10
+      flat_name: observer.egress.interface.id
+      ignore_above: 1024
+      level: extended
+      name: id
+      normalize: []
+      original_fieldset: interface
+      short: Interface ID
+      type: keyword
+    observer.egress.interface.name:
+      dashed_name: observer-egress-interface-name
+      description: Interface name as reported by the system.
+      example: eth0
+      flat_name: observer.egress.interface.name
+      ignore_above: 1024
+      level: extended
+      name: name
+      normalize: []
+      original_fieldset: interface
+      short: Interface name
+      type: keyword
+    observer.egress.vlan.id:
+      dashed_name: observer-egress-vlan-id
+      description: VLAN ID as reported by the observer.
+      example: 10
+      flat_name: observer.egress.vlan.id
+      ignore_above: 1024
+      level: extended
+      name: id
+      normalize: []
+      original_fieldset: vlan
+      short: VLAN ID as reported by the observer.
+      type: keyword
+    observer.egress.vlan.name:
+      dashed_name: observer-egress-vlan-name
+      description: Optional VLAN name as reported by the observer.
+      example: outside
+      flat_name: observer.egress.vlan.name
+      ignore_above: 1024
+      level: extended
+      name: name
+      normalize: []
+      original_fieldset: vlan
+      short: Optional VLAN name as reported by the observer.
+      type: keyword
+    observer.egress.zone:
+      dashed_name: observer-egress-zone
+      description: Network zone of outbound traffic as reported by the observer to
+        categorize the destination area of egress  traffic, e.g. Internal, External,
+        DMZ, HR, Legal, etc.
+      example: Public_Internet
+      flat_name: observer.egress.zone
+      ignore_above: 1024
+      level: extended
+      name: egress.zone
+      normalize: []
+      short: Observer Egress zone
+      type: keyword
+    observer.geo.city_name:
+      dashed_name: observer-geo-city-name
+      description: City name.
+      example: Montreal
+      flat_name: observer.geo.city_name
+      ignore_above: 1024
+      level: core
+      name: city_name
+      normalize: []
+      original_fieldset: geo
+      short: City name.
+      type: keyword
+    observer.geo.continent_name:
+      dashed_name: observer-geo-continent-name
+      description: Name of the continent.
+      example: North America
+      flat_name: observer.geo.continent_name
+      ignore_above: 1024
+      level: core
+      name: continent_name
+      normalize: []
+      original_fieldset: geo
+      short: Name of the continent.
+      type: keyword
+    observer.geo.country_iso_code:
+      dashed_name: observer-geo-country-iso-code
+      description: Country ISO code.
+      example: CA
+      flat_name: observer.geo.country_iso_code
+      ignore_above: 1024
+      level: core
+      name: country_iso_code
+      normalize: []
+      original_fieldset: geo
+      short: Country ISO code.
+      type: keyword
+    observer.geo.country_name:
+      dashed_name: observer-geo-country-name
+      description: Country name.
+      example: Canada
+      flat_name: observer.geo.country_name
+      ignore_above: 1024
+      level: core
+      name: country_name
+      normalize: []
+      original_fieldset: geo
+      short: Country name.
+      type: keyword
+    observer.geo.location:
+      dashed_name: observer-geo-location
+      description: Longitude and latitude.
+      example: '{ "lon": -73.614830, "lat": 45.505918 }'
+      flat_name: observer.geo.location
+      level: core
+      name: location
+      normalize: []
+      original_fieldset: geo
+      short: Longitude and latitude.
+      type: geo_point
+    observer.geo.name:
+      dashed_name: observer-geo-name
+      description: 'User-defined description of a location, at the level of granularity
+        they care about.
+
+        Could be the name of their data centers, the floor number, if this describes
+        a local physical entity, city names.
+
+        Not typically used in automated geolocation.'
+      example: boston-dc
+      flat_name: observer.geo.name
+      level: extended
+      name: name
+      normalize: []
+      original_fieldset: geo
+      short: User-defined description of a location.
+      type: wildcard
+    observer.geo.region_iso_code:
+      dashed_name: observer-geo-region-iso-code
+      description: Region ISO code.
+      example: CA-QC
+      flat_name: observer.geo.region_iso_code
+      ignore_above: 1024
+      level: core
+      name: region_iso_code
+      normalize: []
+      original_fieldset: geo
+      short: Region ISO code.
+      type: keyword
+    observer.geo.region_name:
+      dashed_name: observer-geo-region-name
+      description: Region name.
+      example: Quebec
+      flat_name: observer.geo.region_name
+      ignore_above: 1024
+      level: core
+      name: region_name
+      normalize: []
+      original_fieldset: geo
+      short: Region name.
+      type: keyword
+    observer.hostname:
+      dashed_name: observer-hostname
+      description: Hostname of the observer.
+      flat_name: observer.hostname
+      ignore_above: 1024
+      level: core
+      name: hostname
+      normalize: []
+      short: Hostname of the observer.
+      type: keyword
+    observer.ingress:
+      dashed_name: observer-ingress
+      description: Observer.ingress holds information like interface number and name,
+        vlan, and zone information to  classify ingress traffic.  Single armed monitoring
+        such as a network sensor on a span port should  only use observer.ingress
+        to categorize traffic.
+      flat_name: observer.ingress
+      level: extended
+      name: ingress
+      normalize: []
+      short: Object field for ingress information
+      type: object
+    observer.ingress.interface.alias:
+      dashed_name: observer-ingress-interface-alias
+      description: Interface alias as reported by the system, typically used in firewall
+        implementations for e.g. inside, outside, or dmz logical interface naming.
+      example: outside
+      flat_name: observer.ingress.interface.alias
+      ignore_above: 1024
+      level: extended
+      name: alias
+      normalize: []
+      original_fieldset: interface
+      short: Interface alias
+      type: keyword
+    observer.ingress.interface.id:
+      dashed_name: observer-ingress-interface-id
+      description: Interface ID as reported by an observer (typically SNMP interface
+        ID).
+      example: 10
+      flat_name: observer.ingress.interface.id
+      ignore_above: 1024
+      level: extended
+      name: id
+      normalize: []
+      original_fieldset: interface
+      short: Interface ID
+      type: keyword
+    observer.ingress.interface.name:
+      dashed_name: observer-ingress-interface-name
+      description: Interface name as reported by the system.
+      example: eth0
+      flat_name: observer.ingress.interface.name
+      ignore_above: 1024
+      level: extended
+      name: name
+      normalize: []
+      original_fieldset: interface
+      short: Interface name
+      type: keyword
+    observer.ingress.vlan.id:
+      dashed_name: observer-ingress-vlan-id
+      description: VLAN ID as reported by the observer.
+      example: 10
+      flat_name: observer.ingress.vlan.id
+      ignore_above: 1024
+      level: extended
+      name: id
+      normalize: []
+      original_fieldset: vlan
+      short: VLAN ID as reported by the observer.
+      type: keyword
+    observer.ingress.vlan.name:
+      dashed_name: observer-ingress-vlan-name
+      description: Optional VLAN name as reported by the observer.
+      example: outside
+      flat_name: observer.ingress.vlan.name
+      ignore_above: 1024
+      level: extended
+      name: name
+      normalize: []
+      original_fieldset: vlan
+      short: Optional VLAN name as reported by the observer.
+      type: keyword
+    observer.ingress.zone:
+      dashed_name: observer-ingress-zone
+      description: Network zone of incoming traffic as reported by the observer to
+        categorize the source area of ingress  traffic. e.g. internal, External, DMZ,
+        HR, Legal, etc.
+      example: DMZ
+      flat_name: observer.ingress.zone
+      ignore_above: 1024
+      level: extended
+      name: ingress.zone
+      normalize: []
+      short: Observer ingress zone
+      type: keyword
+    observer.ip:
+      dashed_name: observer-ip
+      description: IP addresses of the observer.
+      flat_name: observer.ip
+      level: core
+      name: ip
+      normalize:
+      - array
+      short: IP addresses of the observer.
+      type: ip
+    observer.mac:
+      dashed_name: observer-mac
+      description: MAC addresses of the observer
+      flat_name: observer.mac
+      ignore_above: 1024
+      level: core
+      name: mac
+      normalize:
+      - array
+      short: MAC addresses of the observer
+      type: keyword
+    observer.name:
+      dashed_name: observer-name
+      description: 'Custom name of the observer.
+
+        This is a name that can be given to an observer. This can be helpful for example
+        if multiple firewalls of the same model are used in an organization.
+
+        If no custom name is needed, the field can be left empty.'
+      example: 1_proxySG
+      flat_name: observer.name
+      ignore_above: 1024
+      level: extended
+      name: name
+      normalize: []
+      short: Custom name of the observer.
+      type: keyword
+    observer.os.family:
+      dashed_name: observer-os-family
+      description: OS family (such as redhat, debian, freebsd, windows).
+      example: debian
+      flat_name: observer.os.family
+      ignore_above: 1024
+      level: extended
+      name: family
+      normalize: []
+      original_fieldset: os
+      short: OS family (such as redhat, debian, freebsd, windows).
+      type: keyword
+    observer.os.full:
+      dashed_name: observer-os-full
+      description: Operating system name, including the version or code name.
+      example: Mac OS Mojave
+      flat_name: observer.os.full
+      level: extended
+      multi_fields:
+      - flat_name: observer.os.full.text
+        name: text
+        norms: false
+        type: text
+      name: full
+      normalize: []
+      original_fieldset: os
+      short: Operating system name, including the version or code name.
+      type: wildcard
+    observer.os.kernel:
+      dashed_name: observer-os-kernel
+      description: Operating system kernel version as a raw string.
+      example: 4.4.0-112-generic
+      flat_name: observer.os.kernel
+      ignore_above: 1024
+      level: extended
+      name: kernel
+      normalize: []
+      original_fieldset: os
+      short: Operating system kernel version as a raw string.
+      type: keyword
+    observer.os.name:
+      dashed_name: observer-os-name
+      description: Operating system name, without the version.
+      example: Mac OS X
+      flat_name: observer.os.name
+      level: extended
+      multi_fields:
+      - flat_name: observer.os.name.text
+        name: text
+        norms: false
+        type: text
+      name: name
+      normalize: []
+      original_fieldset: os
+      short: Operating system name, without the version.
+      type: wildcard
+    observer.os.platform:
+      dashed_name: observer-os-platform
+      description: Operating system platform (such centos, ubuntu, windows).
+      example: darwin
+      flat_name: observer.os.platform
+      ignore_above: 1024
+      level: extended
+      name: platform
+      normalize: []
+      original_fieldset: os
+      short: Operating system platform (such centos, ubuntu, windows).
+      type: keyword
+    observer.os.version:
+      dashed_name: observer-os-version
+      description: Operating system version as a raw string.
+      example: 10.14.1
+      flat_name: observer.os.version
+      ignore_above: 1024
+      level: extended
+      name: version
+      normalize: []
+      original_fieldset: os
+      short: Operating system version as a raw string.
+      type: keyword
+    observer.product:
+      dashed_name: observer-product
+      description: The product name of the observer.
+      example: s200
+      flat_name: observer.product
+      ignore_above: 1024
+      level: extended
+      name: product
+      normalize: []
+      short: The product name of the observer.
+      type: keyword
+    observer.serial_number:
+      dashed_name: observer-serial-number
+      description: Observer serial number.
+      flat_name: observer.serial_number
+      ignore_above: 1024
+      level: extended
+      name: serial_number
+      normalize: []
+      short: Observer serial number.
+      type: keyword
+    observer.type:
+      dashed_name: observer-type
+      description: 'The type of the observer the data is coming from.
+
+        There is no predefined list of observer types. Some examples are `forwarder`,
+        `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.'
+      example: firewall
+      flat_name: observer.type
+      ignore_above: 1024
+      level: core
+      name: type
+      normalize: []
+      short: The type of the observer the data is coming from.
+      type: keyword
+    observer.vendor:
+      dashed_name: observer-vendor
+      description: Vendor name of the observer.
+      example: Symantec
+      flat_name: observer.vendor
+      ignore_above: 1024
+      level: core
+      name: vendor
+      normalize: []
+      short: Vendor name of the observer.
+      type: keyword
+    observer.version:
+      dashed_name: observer-version
+      description: Observer version.
+      flat_name: observer.version
+      ignore_above: 1024
+      level: core
+      name: version
+      normalize: []
+      short: Observer version.
+      type: keyword
+  group: 2
+  name: observer
+  nestings:
+  - observer.egress.interface
+  - observer.egress.vlan
+  - observer.geo
+  - observer.ingress.interface
+  - observer.ingress.vlan
+  - observer.os
+  prefix: observer.
+  reused_here:
+  - full: observer.geo
+    schema_name: geo
+    short: Fields describing a location.
+  - full: observer.ingress.interface
+    schema_name: interface
+    short: Fields to describe observer interface information.
+  - full: observer.egress.interface
+    schema_name: interface
+    short: Fields to describe observer interface information.
+  - full: observer.os
+    schema_name: os
+    short: OS fields contain information about the operating system.
+  - full: observer.ingress.vlan
+    schema_name: vlan
+    short: Fields to describe observed VLAN information.
+  - full: observer.egress.vlan
+    schema_name: vlan
+    short: Fields to describe observed VLAN information.
+  short: Fields describing an entity observing the event from outside the host.
+  title: Observer
+  type: group
+organization:
+  description: 'The organization fields enrich data with information about the company
+    or entity the data is associated with.
+
+    These fields help you arrange or filter data stored in an index by one or multiple
+    organizations.'
+  fields:
+    organization.id:
+      dashed_name: organization-id
+      description: Unique identifier for the organization.
+      flat_name: organization.id
+      ignore_above: 1024
+      level: extended
+      name: id
+      normalize: []
+      short: Unique identifier for the organization.
+      type: keyword
+    organization.name:
+      dashed_name: organization-name
+      description: Organization name.
+      flat_name: organization.name
+      level: extended
+      multi_fields:
+      - flat_name: organization.name.text
+        name: text
+        norms: false
+        type: text
+      name: name
+      normalize: []
+      short: Organization name.
+      type: wildcard
+  group: 2
+  name: organization
+  prefix: organization.
+  short: Fields describing the organization or company the event is associated with.
+  title: Organization
+  type: group
+os:
+  description: The OS fields contain information about the operating system.
+  fields:
+    os.family:
+      dashed_name: os-family
+      description: OS family (such as redhat, debian, freebsd, windows).
+      example: debian
+      flat_name: os.family
+      ignore_above: 1024
+      level: extended
+      name: family
+      normalize: []
+      short: OS family (such as redhat, debian, freebsd, windows).
+      type: keyword
+    os.full:
+      dashed_name: os-full
+      description: Operating system name, including the version or code name.
+      example: Mac OS Mojave
+      flat_name: os.full
+      level: extended
+      multi_fields:
+      - flat_name: os.full.text
+        name: text
+        norms: false
+        type: text
+      name: full
+      normalize: []
+      short: Operating system name, including the version or code name.
+      type: wildcard
+    os.kernel:
+      dashed_name: os-kernel
+      description: Operating system kernel version as a raw string.
+      example: 4.4.0-112-generic
+      flat_name: os.kernel
+      ignore_above: 1024
+      level: extended
+      name: kernel
+      normalize: []
+      short: Operating system kernel version as a raw string.
+      type: keyword
+    os.name:
+      dashed_name: os-name
+      description: Operating system name, without the version.
+      example: Mac OS X
+      flat_name: os.name
+      level: extended
+      multi_fields:
+      - flat_name: os.name.text
+        name: text
+        norms: false
+        type: text
+      name: name
+      normalize: []
+      short: Operating system name, without the version.
+      type: wildcard
+    os.platform:
+      dashed_name: os-platform
+      description: Operating system platform (such centos, ubuntu, windows).
+      example: darwin
+      flat_name: os.platform
+      ignore_above: 1024
+      level: extended
+      name: platform
+      normalize: []
+      short: Operating system platform (such centos, ubuntu, windows).
+      type: keyword
+    os.version:
+      dashed_name: os-version
+      description: Operating system version as a raw string.
+      example: 10.14.1
+      flat_name: os.version
+      ignore_above: 1024
+      level: extended
+      name: version
+      normalize: []
+      short: Operating system version as a raw string.
+      type: keyword
+  group: 2
+  name: os
+  prefix: os.
+  reusable:
+    expected:
+    - as: os
+      at: observer
+      full: observer.os
+    - as: os
+      at: host
+      full: host.os
+    - as: os
+      at: user_agent
+      full: user_agent.os
+    top_level: false
+  short: OS fields contain information about the operating system.
+  title: Operating System
+  type: group
+package:
+  description: These fields contain information about an installed software package.
+    It contains general information about a package, such as name, version or size.
+    It also contains installation details, such as time or location.
+  fields:
+    package.architecture:
+      dashed_name: package-architecture
+      description: Package architecture.
+      example: x86_64
+      flat_name: package.architecture
+      ignore_above: 1024
+      level: extended
+      name: architecture
+      normalize: []
+      short: Package architecture.
+      type: keyword
+    package.build_version:
+      dashed_name: package-build-version
+      description: 'Additional information about the build version of the installed
+        package.
+
+        For example use the commit SHA of a non-released package.'
+      example: 36f4f7e89dd61b0988b12ee000b98966867710cd
+      flat_name: package.build_version
+      ignore_above: 1024
+      level: extended
+      name: build_version
+      normalize: []
+      short: Build version information
+      type: keyword
+    package.checksum:
+      dashed_name: package-checksum
+      description: Checksum of the installed package for verification.
+      example: 68b329da9893e34099c7d8ad5cb9c940
+      flat_name: package.checksum
+      ignore_above: 1024
+      level: extended
+      name: checksum
+      normalize: []
+      short: Checksum of the installed package for verification.
+      type: keyword
+    package.description:
+      dashed_name: package-description
+      description: Description of the package.
+      example: Open source programming language to build simple/reliable/efficient
+        software.
+      flat_name: package.description
+      ignore_above: 1024
+      level: extended
+      name: description
+      normalize: []
+      short: Description of the package.
+      type: keyword
+    package.install_scope:
+      dashed_name: package-install-scope
+      description: Indicating how the package was installed, e.g. user-local, global.
+      example: global
+      flat_name: package.install_scope
+      ignore_above: 1024
+      level: extended
+      name: install_scope
+      normalize: []
+      short: Indicating how the package was installed, e.g. user-local, global.
+      type: keyword
+    package.installed:
+      dashed_name: package-installed
+      description: Time when package was installed.
+      flat_name: package.installed
+      level: extended
+      name: installed
+      normalize: []
+      short: Time when package was installed.
+      type: date
+    package.license:
+      dashed_name: package-license
+      description: 'License under which the package was released.
+
+        Use a short name, e.g. the license identifier from SPDX License List where
+        possible (https://spdx.org/licenses/).'
+      example: Apache License 2.0
+      flat_name: package.license
+      ignore_above: 1024
+      level: extended
+      name: license
+      normalize: []
+      short: Package license
+      type: keyword
+    package.name:
+      dashed_name: package-name
+      description: Package name
+      example: go
+      flat_name: package.name
+      ignore_above: 1024
+      level: extended
+      name: name
+      normalize: []
+      short: Package name
+      type: keyword
+    package.path:
+      dashed_name: package-path
+      description: Path where the package is installed.
+      example: /usr/local/Cellar/go/1.12.9/
+      flat_name: package.path
+      ignore_above: 1024
+      level: extended
+      name: path
+      normalize: []
+      short: Path where the package is installed.
+      type: keyword
+    package.reference:
+      dashed_name: package-reference
+      description: Home page or reference URL of the software in this package, if
+        available.
+      example: https://golang.org
+      flat_name: package.reference
+      ignore_above: 1024
+      level: extended
+      name: reference
+      normalize: []
+      short: Package home page or reference URL
+      type: keyword
+    package.size:
+      dashed_name: package-size
+      description: Package size in bytes.
+      example: 62231
+      flat_name: package.size
+      format: string
+      level: extended
+      name: size
+      normalize: []
+      short: Package size in bytes.
+      type: long
+    package.type:
+      dashed_name: package-type
+      description: 'Type of package.
+
+        This should contain the package file type, rather than the package manager
+        name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar.'
+      example: rpm
+      flat_name: package.type
+      ignore_above: 1024
+      level: extended
+      name: type
+      normalize: []
+      short: Package type
+      type: keyword
+    package.version:
+      dashed_name: package-version
+      description: Package version
+      example: 1.12.9
+      flat_name: package.version
+      ignore_above: 1024
+      level: extended
+      name: version
+      normalize: []
+      short: Package version
+      type: keyword
+  group: 2
+  name: package
+  prefix: package.
+  short: These fields contain information about an installed software package.
+  title: Package
+  type: group
+pe:
+  description: These fields contain Windows Portable Executable (PE) metadata.
+  fields:
+    pe.architecture:
+      dashed_name: pe-architecture
+      description: CPU architecture target for the file.
+      example: x64
+      flat_name: pe.architecture
+      ignore_above: 1024
+      level: extended
+      name: architecture
+      normalize: []
+      short: CPU architecture target for the file.
+      type: keyword
+    pe.company:
+      dashed_name: pe-company
+      description: Internal company name of the file, provided at compile-time.
+      example: Microsoft Corporation
+      flat_name: pe.company
+      ignore_above: 1024
+      level: extended
+      name: company
+      normalize: []
+      short: Internal company name of the file, provided at compile-time.
+      type: keyword
+    pe.description:
+      dashed_name: pe-description
+      description: Internal description of the file, provided at compile-time.
+      example: Paint
+      flat_name: pe.description
+      ignore_above: 1024
+      level: extended
+      name: description
+      normalize: []
+      short: Internal description of the file, provided at compile-time.
+      type: keyword
+    pe.file_version:
+      dashed_name: pe-file-version
+      description: Internal version of the file, provided at compile-time.
+      example: 6.3.9600.17415
+      flat_name: pe.file_version
+      ignore_above: 1024
+      level: extended
+      name: file_version
+      normalize: []
+      short: Process name.
+      type: keyword
+    pe.imphash:
+      dashed_name: pe-imphash
+      description: 'A hash of the imports in a PE file. An imphash -- or import hash
+        -- can be used to fingerprint binaries even after recompilation or other code-level
+        transformations have occurred, which would change more traditional hash values.
+
+        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+      example: 0c6803c4e922103c4dca5963aad36ddf
+      flat_name: pe.imphash
+      ignore_above: 1024
+      level: extended
+      name: imphash
+      normalize: []
+      short: A hash of the imports in a PE file.
+      type: keyword
+    pe.original_file_name:
+      dashed_name: pe-original-file-name
+      description: Internal name of the file, provided at compile-time.
+      example: MSPAINT.EXE
+      flat_name: pe.original_file_name
+      level: extended
+      name: original_file_name
+      normalize: []
+      short: Internal name of the file, provided at compile-time.
+      type: wildcard
+    pe.product:
+      dashed_name: pe-product
+      description: Internal product name of the file, provided at compile-time.
+      example: "Microsoft\xAE Windows\xAE Operating System"
+      flat_name: pe.product
+      ignore_above: 1024
+      level: extended
+      name: product
+      normalize: []
+      short: Internal product name of the file, provided at compile-time.
+      type: keyword
+  group: 2
+  name: pe
+  prefix: pe.
+  reusable:
+    expected:
+    - as: pe
+      at: file
+      full: file.pe
+    - as: pe
+      at: dll
+      full: dll.pe
+    - as: pe
+      at: process
+      full: process.pe
+    top_level: false
+  short: These fields contain Windows Portable Executable (PE) metadata.
+  title: PE Header
+  type: group
+process:
+  description: 'These fields contain information about a process.
+
+    These fields can help you correlate metrics information with a process id/name
+    from a log message.  The `process.pid` often stays in the metric itself and is
+    copied to the global field for correlation.'
+  fields:
+    process.args:
+      dashed_name: process-args
+      description: 'Array of process arguments, starting with the absolute path to
+        the executable.
+
+        May be filtered to protect sensitive information.'
+      example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
+      flat_name: process.args
+      ignore_above: 1024
+      level: extended
+      name: args
+      normalize:
+      - array
+      short: Array of process arguments.
+      type: keyword
+    process.args_count:
+      dashed_name: process-args-count
+      description: 'Length of the process.args array.
+
+        This field can be useful for querying or performing bucket analysis on how
+        many arguments were provided to start a process. More arguments may be an
+        indication of suspicious activity.'
+      example: 4
+      flat_name: process.args_count
+      level: extended
+      name: args_count
+      normalize: []
+      short: Length of the process.args array.
+      type: long
+    process.code_signature.exists:
+      dashed_name: process-code-signature-exists
+      description: Boolean to capture if a signature is present.
+      example: 'true'
+      flat_name: process.code_signature.exists
+      level: core
+      name: exists
+      normalize: []
+      original_fieldset: code_signature
+      short: Boolean to capture if a signature is present.
+      type: boolean
+    process.code_signature.status:
+      dashed_name: process-code-signature-status
+      description: 'Additional information about the certificate status.
+
+        This is useful for logging cryptographic errors with the certificate validity
+        or trust status. Leave unpopulated if the validity or trust of the certificate
+        was unchecked.'
+      example: ERROR_UNTRUSTED_ROOT
+      flat_name: process.code_signature.status
+      ignore_above: 1024
+      level: extended
+      name: status
+      normalize: []
+      original_fieldset: code_signature
+      short: Additional information about the certificate status.
+      type: keyword
+    process.code_signature.subject_name:
+      dashed_name: process-code-signature-subject-name
+      description: Subject name of the code signer
+      example: Microsoft Corporation
+      flat_name: process.code_signature.subject_name
+      ignore_above: 1024
+      level: core
+      name: subject_name
+      normalize: []
+      original_fieldset: code_signature
+      short: Subject name of the code signer
+      type: keyword
+    process.code_signature.trusted:
+      dashed_name: process-code-signature-trusted
+      description: 'Stores the trust status of the certificate chain.
+
+        Validating the trust of the certificate chain may be complicated, and this
+        field should only be populated by tools that actively check the status.'
+      example: 'true'
+      flat_name: process.code_signature.trusted
+      level: extended
+      name: trusted
+      normalize: []
+      original_fieldset: code_signature
+      short: Stores the trust status of the certificate chain.
+      type: boolean
+    process.code_signature.valid:
+      dashed_name: process-code-signature-valid
+      description: 'Boolean to capture if the digital signature is verified against
+        the binary content.
+
+        Leave unpopulated if a certificate was unchecked.'
+      example: 'true'
+      flat_name: process.code_signature.valid
+      level: extended
+      name: valid
+      normalize: []
+      original_fieldset: code_signature
+      short: Boolean to capture if the digital signature is verified against the binary
+        content.
+      type: boolean
+    process.command_line:
+      dashed_name: process-command-line
+      description: 'Full command line that started the process, including the absolute
+        path to the executable, and all arguments.
+
+        Some arguments may be filtered to protect sensitive information.'
+      example: /usr/bin/ssh -l user 10.0.0.16
+      flat_name: process.command_line
+      level: extended
+      multi_fields:
+      - flat_name: process.command_line.text
+        name: text
+        norms: false
+        type: text
+      name: command_line
+      normalize: []
+      short: Full command line that started the process.
+      type: wildcard
+    process.entity_id:
+      dashed_name: process-entity-id
+      description: 'Unique identifier for the process.
+
+        The implementation of this is specified by the data source, but some examples
+        of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
+        or a hash of some uniquely identifying components of a process.
+
+        Constructing a globally unique identifier is a common practice to mitigate
+        PID reuse as well as to identify a specific process over time, across multiple
+        monitored hosts.'
+      example: c2c455d9f99375d
+      flat_name: process.entity_id
+      ignore_above: 1024
+      level: extended
+      name: entity_id
+      normalize: []
+      short: Unique identifier for the process.
+      type: keyword
+    process.executable:
+      dashed_name: process-executable
+      description: Absolute path to the process executable.
+      example: /usr/bin/ssh
+      flat_name: process.executable
+      level: extended
+      multi_fields:
+      - flat_name: process.executable.text
+        name: text
+        norms: false
+        type: text
+      name: executable
+      normalize: []
+      short: Absolute path to the process executable.
+      type: wildcard
+    process.exit_code:
+      dashed_name: process-exit-code
+      description: 'The exit code of the process, if this is a termination event.
+
+        The field should be absent if there is no exit code for the event (e.g. process
+        start).'
+      example: 137
+      flat_name: process.exit_code
+      level: extended
+      name: exit_code
+      normalize: []
+      short: The exit code of the process.
+      type: long
+    process.hash.md5:
+      dashed_name: process-hash-md5
+      description: MD5 hash.
+      flat_name: process.hash.md5
+      ignore_above: 1024
+      level: extended
+      name: md5
+      normalize: []
+      original_fieldset: hash
+      short: MD5 hash.
+      type: keyword
+    process.hash.sha1:
+      dashed_name: process-hash-sha1
+      description: SHA1 hash.
+      flat_name: process.hash.sha1
+      ignore_above: 1024
+      level: extended
+      name: sha1
+      normalize: []
+      original_fieldset: hash
+      short: SHA1 hash.
+      type: keyword
+    process.hash.sha256:
+      dashed_name: process-hash-sha256
+      description: SHA256 hash.
+      flat_name: process.hash.sha256
+      ignore_above: 1024
+      level: extended
+      name: sha256
+      normalize: []
+      original_fieldset: hash
+      short: SHA256 hash.
+      type: keyword
+    process.hash.sha512:
+      dashed_name: process-hash-sha512
+      description: SHA512 hash.
+      flat_name: process.hash.sha512
+      ignore_above: 1024
+      level: extended
+      name: sha512
+      normalize: []
+      original_fieldset: hash
+      short: SHA512 hash.
+      type: keyword
+    process.name:
+      dashed_name: process-name
+      description: 'Process name.
+
+        Sometimes called program name or similar.'
+      example: ssh
+      flat_name: process.name
+      level: extended
+      multi_fields:
+      - flat_name: process.name.text
+        name: text
+        norms: false
+        type: text
+      name: name
+      normalize: []
+      short: Process name.
+      type: wildcard
+    process.parent.args:
+      dashed_name: process-parent-args
+      description: 'Array of process arguments, starting with the absolute path to
+        the executable.
+
+        May be filtered to protect sensitive information.'
+      example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
+      flat_name: process.parent.args
+      ignore_above: 1024
+      level: extended
+      name: args
+      normalize:
+      - array
+      original_fieldset: process
+      short: Array of process arguments.
+      type: keyword
+    process.parent.args_count:
+      dashed_name: process-parent-args-count
+      description: 'Length of the process.args array.
+
+        This field can be useful for querying or performing bucket analysis on how
+        many arguments were provided to start a process. More arguments may be an
+        indication of suspicious activity.'
+      example: 4
+      flat_name: process.parent.args_count
+      level: extended
+      name: args_count
+      normalize: []
+      original_fieldset: process
+      short: Length of the process.args array.
+      type: long
+    process.parent.code_signature.exists:
+      dashed_name: process-parent-code-signature-exists
+      description: Boolean to capture if a signature is present.
+      example: 'true'
+      flat_name: process.parent.code_signature.exists
+      level: core
+      name: exists
+      normalize: []
+      original_fieldset: code_signature
+      short: Boolean to capture if a signature is present.
+      type: boolean
+    process.parent.code_signature.status:
+      dashed_name: process-parent-code-signature-status
+      description: 'Additional information about the certificate status.
+
+        This is useful for logging cryptographic errors with the certificate validity
+        or trust status. Leave unpopulated if the validity or trust of the certificate
+        was unchecked.'
+      example: ERROR_UNTRUSTED_ROOT
+      flat_name: process.parent.code_signature.status
+      ignore_above: 1024
+      level: extended
+      name: status
+      normalize: []
+      original_fieldset: code_signature
+      short: Additional information about the certificate status.
+      type: keyword
+    process.parent.code_signature.subject_name:
+      dashed_name: process-parent-code-signature-subject-name
+      description: Subject name of the code signer
+      example: Microsoft Corporation
+      flat_name: process.parent.code_signature.subject_name
+      ignore_above: 1024
+      level: core
+      name: subject_name
+      normalize: []
+      original_fieldset: code_signature
+      short: Subject name of the code signer
+      type: keyword
+    process.parent.code_signature.trusted:
+      dashed_name: process-parent-code-signature-trusted
+      description: 'Stores the trust status of the certificate chain.
+
+        Validating the trust of the certificate chain may be complicated, and this
+        field should only be populated by tools that actively check the status.'
+      example: 'true'
+      flat_name: process.parent.code_signature.trusted
+      level: extended
+      name: trusted
+      normalize: []
+      original_fieldset: code_signature
+      short: Stores the trust status of the certificate chain.
+      type: boolean
+    process.parent.code_signature.valid:
+      dashed_name: process-parent-code-signature-valid
+      description: 'Boolean to capture if the digital signature is verified against
+        the binary content.
+
+        Leave unpopulated if a certificate was unchecked.'
+      example: 'true'
+      flat_name: process.parent.code_signature.valid
+      level: extended
+      name: valid
+      normalize: []
+      original_fieldset: code_signature
+      short: Boolean to capture if the digital signature is verified against the binary
+        content.
+      type: boolean
+    process.parent.command_line:
+      dashed_name: process-parent-command-line
+      description: 'Full command line that started the process, including the absolute
+        path to the executable, and all arguments.
+
+        Some arguments may be filtered to protect sensitive information.'
+      example: /usr/bin/ssh -l user 10.0.0.16
+      flat_name: process.parent.command_line
+      level: extended
+      multi_fields:
+      - flat_name: process.parent.command_line.text
+        name: text
+        norms: false
+        type: text
+      name: command_line
+      normalize: []
+      original_fieldset: process
+      short: Full command line that started the process.
+      type: wildcard
+    process.parent.entity_id:
+      dashed_name: process-parent-entity-id
+      description: 'Unique identifier for the process.
+
+        The implementation of this is specified by the data source, but some examples
+        of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
+        or a hash of some uniquely identifying components of a process.
+
+        Constructing a globally unique identifier is a common practice to mitigate
+        PID reuse as well as to identify a specific process over time, across multiple
+        monitored hosts.'
+      example: c2c455d9f99375d
+      flat_name: process.parent.entity_id
+      ignore_above: 1024
+      level: extended
+      name: entity_id
+      normalize: []
+      original_fieldset: process
+      short: Unique identifier for the process.
+      type: keyword
+    process.parent.executable:
+      dashed_name: process-parent-executable
+      description: Absolute path to the process executable.
+      example: /usr/bin/ssh
+      flat_name: process.parent.executable
+      level: extended
+      multi_fields:
+      - flat_name: process.parent.executable.text
+        name: text
+        norms: false
+        type: text
+      name: executable
+      normalize: []
+      original_fieldset: process
+      short: Absolute path to the process executable.
+      type: wildcard
+    process.parent.exit_code:
+      dashed_name: process-parent-exit-code
+      description: 'The exit code of the process, if this is a termination event.
+
+        The field should be absent if there is no exit code for the event (e.g. process
+        start).'
+      example: 137
+      flat_name: process.parent.exit_code
+      level: extended
+      name: exit_code
+      normalize: []
+      original_fieldset: process
+      short: The exit code of the process.
+      type: long
+    process.parent.hash.md5:
+      dashed_name: process-parent-hash-md5
+      description: MD5 hash.
+      flat_name: process.parent.hash.md5
+      ignore_above: 1024
+      level: extended
+      name: md5
+      normalize: []
+      original_fieldset: hash
+      short: MD5 hash.
+      type: keyword
+    process.parent.hash.sha1:
+      dashed_name: process-parent-hash-sha1
+      description: SHA1 hash.
+      flat_name: process.parent.hash.sha1
+      ignore_above: 1024
+      level: extended
+      name: sha1
+      normalize: []
+      original_fieldset: hash
+      short: SHA1 hash.
+      type: keyword
+    process.parent.hash.sha256:
+      dashed_name: process-parent-hash-sha256
+      description: SHA256 hash.
+      flat_name: process.parent.hash.sha256
+      ignore_above: 1024
+      level: extended
+      name: sha256
+      normalize: []
+      original_fieldset: hash
+      short: SHA256 hash.
+      type: keyword
+    process.parent.hash.sha512:
+      dashed_name: process-parent-hash-sha512
+      description: SHA512 hash.
+      flat_name: process.parent.hash.sha512
+      ignore_above: 1024
+      level: extended
+      name: sha512
+      normalize: []
+      original_fieldset: hash
+      short: SHA512 hash.
+      type: keyword
+    process.parent.name:
+      dashed_name: process-parent-name
+      description: 'Process name.
+
+        Sometimes called program name or similar.'
+      example: ssh
+      flat_name: process.parent.name
+      level: extended
+      multi_fields:
+      - flat_name: process.parent.name.text
+        name: text
+        norms: false
+        type: text
+      name: name
+      normalize: []
+      original_fieldset: process
+      short: Process name.
+      type: wildcard
+    process.parent.pe.architecture:
+      dashed_name: process-parent-pe-architecture
+      description: CPU architecture target for the file.
+      example: x64
+      flat_name: process.parent.pe.architecture
+      ignore_above: 1024
+      level: extended
+      name: architecture
+      normalize: []
+      original_fieldset: pe
+      short: CPU architecture target for the file.
+      type: keyword
+    process.parent.pe.company:
+      dashed_name: process-parent-pe-company
+      description: Internal company name of the file, provided at compile-time.
+      example: Microsoft Corporation
+      flat_name: process.parent.pe.company
+      ignore_above: 1024
+      level: extended
+      name: company
+      normalize: []
+      original_fieldset: pe
+      short: Internal company name of the file, provided at compile-time.
+      type: keyword
+    process.parent.pe.description:
+      dashed_name: process-parent-pe-description
+      description: Internal description of the file, provided at compile-time.
+      example: Paint
+      flat_name: process.parent.pe.description
+      ignore_above: 1024
+      level: extended
+      name: description
+      normalize: []
+      original_fieldset: pe
+      short: Internal description of the file, provided at compile-time.
+      type: keyword
+    process.parent.pe.file_version:
+      dashed_name: process-parent-pe-file-version
+      description: Internal version of the file, provided at compile-time.
+      example: 6.3.9600.17415
+      flat_name: process.parent.pe.file_version
+      ignore_above: 1024
+      level: extended
+      name: file_version
+      normalize: []
+      original_fieldset: pe
+      short: Process name.
+      type: keyword
+    process.parent.pe.imphash:
+      dashed_name: process-parent-pe-imphash
+      description: 'A hash of the imports in a PE file. An imphash -- or import hash
+        -- can be used to fingerprint binaries even after recompilation or other code-level
+        transformations have occurred, which would change more traditional hash values.
+
+        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+      example: 0c6803c4e922103c4dca5963aad36ddf
+      flat_name: process.parent.pe.imphash
+      ignore_above: 1024
+      level: extended
+      name: imphash
+      normalize: []
+      original_fieldset: pe
+      short: A hash of the imports in a PE file.
+      type: keyword
+    process.parent.pe.original_file_name:
+      dashed_name: process-parent-pe-original-file-name
+      description: Internal name of the file, provided at compile-time.
+      example: MSPAINT.EXE
+      flat_name: process.parent.pe.original_file_name
+      level: extended
+      name: original_file_name
+      normalize: []
+      original_fieldset: pe
+      short: Internal name of the file, provided at compile-time.
+      type: wildcard
+    process.parent.pe.product:
+      dashed_name: process-parent-pe-product
+      description: Internal product name of the file, provided at compile-time.
+      example: "Microsoft\xAE Windows\xAE Operating System"
+      flat_name: process.parent.pe.product
+      ignore_above: 1024
+      level: extended
+      name: product
+      normalize: []
+      original_fieldset: pe
+      short: Internal product name of the file, provided at compile-time.
+      type: keyword
+    process.parent.pgid:
+      dashed_name: process-parent-pgid
+      description: Identifier of the group of processes the process belongs to.
+      flat_name: process.parent.pgid
+      format: string
+      level: extended
+      name: pgid
+      normalize: []
+      original_fieldset: process
+      short: Identifier of the group of processes the process belongs to.
+      type: long
+    process.parent.pid:
+      dashed_name: process-parent-pid
+      description: Process id.
+      example: 4242
+      flat_name: process.parent.pid
+      format: string
+      level: core
+      name: pid
+      normalize: []
+      original_fieldset: process
+      short: Process id.
+      type: long
+    process.parent.ppid:
+      dashed_name: process-parent-ppid
+      description: Parent process' pid.
+      example: 4241
+      flat_name: process.parent.ppid
+      format: string
+      level: extended
+      name: ppid
+      normalize: []
+      original_fieldset: process
+      short: Parent process' pid.
+      type: long
+    process.parent.start:
+      dashed_name: process-parent-start
+      description: The time the process started.
+      example: '2016-05-23T08:05:34.853Z'
+      flat_name: process.parent.start
+      level: extended
+      name: start
+      normalize: []
+      original_fieldset: process
+      short: The time the process started.
+      type: date
+    process.parent.thread.id:
+      dashed_name: process-parent-thread-id
+      description: Thread ID.
+      example: 4242
+      flat_name: process.parent.thread.id
+      format: string
+      level: extended
+      name: thread.id
+      normalize: []
+      original_fieldset: process
+      short: Thread ID.
+      type: long
+    process.parent.thread.name:
+      dashed_name: process-parent-thread-name
+      description: Thread name.
+      example: thread-0
+      flat_name: process.parent.thread.name
+      ignore_above: 1024
+      level: extended
+      name: thread.name
+      normalize: []
+      original_fieldset: process
+      short: Thread name.
+      type: keyword
+    process.parent.title:
+      dashed_name: process-parent-title
+      description: 'Process title.
+
+        The proctitle, some times the same as process name. Can also be different:
+        for example a browser setting its title to the web page currently opened.'
+      flat_name: process.parent.title
+      level: extended
+      multi_fields:
+      - flat_name: process.parent.title.text
+        name: text
+        norms: false
+        type: text
+      name: title
+      normalize: []
+      original_fieldset: process
+      short: Process title.
+      type: wildcard
+    process.parent.uptime:
+      dashed_name: process-parent-uptime
+      description: Seconds the process has been up.
+      example: 1325
+      flat_name: process.parent.uptime
+      level: extended
+      name: uptime
+      normalize: []
+      original_fieldset: process
+      short: Seconds the process has been up.
+      type: long
+    process.parent.working_directory:
+      dashed_name: process-parent-working-directory
+      description: The working directory of the process.
+      example: /home/alice
+      flat_name: process.parent.working_directory
+      level: extended
+      multi_fields:
+      - flat_name: process.parent.working_directory.text
+        name: text
+        norms: false
+        type: text
+      name: working_directory
+      normalize: []
+      original_fieldset: process
+      short: The working directory of the process.
+      type: wildcard
+    process.pe.architecture:
+      dashed_name: process-pe-architecture
+      description: CPU architecture target for the file.
+      example: x64
+      flat_name: process.pe.architecture
+      ignore_above: 1024
+      level: extended
+      name: architecture
+      normalize: []
+      original_fieldset: pe
+      short: CPU architecture target for the file.
+      type: keyword
+    process.pe.company:
+      dashed_name: process-pe-company
+      description: Internal company name of the file, provided at compile-time.
+      example: Microsoft Corporation
+      flat_name: process.pe.company
+      ignore_above: 1024
+      level: extended
+      name: company
+      normalize: []
+      original_fieldset: pe
+      short: Internal company name of the file, provided at compile-time.
+      type: keyword
+    process.pe.description:
+      dashed_name: process-pe-description
+      description: Internal description of the file, provided at compile-time.
+      example: Paint
+      flat_name: process.pe.description
+      ignore_above: 1024
+      level: extended
+      name: description
+      normalize: []
+      original_fieldset: pe
+      short: Internal description of the file, provided at compile-time.
+      type: keyword
+    process.pe.file_version:
+      dashed_name: process-pe-file-version
+      description: Internal version of the file, provided at compile-time.
+      example: 6.3.9600.17415
+      flat_name: process.pe.file_version
+      ignore_above: 1024
+      level: extended
+      name: file_version
+      normalize: []
+      original_fieldset: pe
+      short: Process name.
+      type: keyword
+    process.pe.imphash:
+      dashed_name: process-pe-imphash
+      description: 'A hash of the imports in a PE file. An imphash -- or import hash
+        -- can be used to fingerprint binaries even after recompilation or other code-level
+        transformations have occurred, which would change more traditional hash values.
+
+        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+      example: 0c6803c4e922103c4dca5963aad36ddf
+      flat_name: process.pe.imphash
+      ignore_above: 1024
+      level: extended
+      name: imphash
+      normalize: []
+      original_fieldset: pe
+      short: A hash of the imports in a PE file.
+      type: keyword
+    process.pe.original_file_name:
+      dashed_name: process-pe-original-file-name
+      description: Internal name of the file, provided at compile-time.
+      example: MSPAINT.EXE
+      flat_name: process.pe.original_file_name
+      level: extended
+      name: original_file_name
+      normalize: []
+      original_fieldset: pe
+      short: Internal name of the file, provided at compile-time.
+      type: wildcard
+    process.pe.product:
+      dashed_name: process-pe-product
+      description: Internal product name of the file, provided at compile-time.
+      example: "Microsoft\xAE Windows\xAE Operating System"
+      flat_name: process.pe.product
+      ignore_above: 1024
+      level: extended
+      name: product
+      normalize: []
+      original_fieldset: pe
+      short: Internal product name of the file, provided at compile-time.
+      type: keyword
+    process.pgid:
+      dashed_name: process-pgid
+      description: Identifier of the group of processes the process belongs to.
+      flat_name: process.pgid
+      format: string
+      level: extended
+      name: pgid
+      normalize: []
+      short: Identifier of the group of processes the process belongs to.
+      type: long
+    process.pid:
+      dashed_name: process-pid
+      description: Process id.
+      example: 4242
+      flat_name: process.pid
+      format: string
+      level: core
+      name: pid
+      normalize: []
+      short: Process id.
+      type: long
+    process.ppid:
+      dashed_name: process-ppid
+      description: Parent process' pid.
+      example: 4241
+      flat_name: process.ppid
+      format: string
+      level: extended
+      name: ppid
+      normalize: []
+      short: Parent process' pid.
+      type: long
+    process.start:
+      dashed_name: process-start
+      description: The time the process started.
+      example: '2016-05-23T08:05:34.853Z'
+      flat_name: process.start
+      level: extended
+      name: start
+      normalize: []
+      short: The time the process started.
+      type: date
+    process.thread.id:
+      dashed_name: process-thread-id
+      description: Thread ID.
+      example: 4242
+      flat_name: process.thread.id
+      format: string
+      level: extended
+      name: thread.id
+      normalize: []
+      short: Thread ID.
+      type: long
+    process.thread.name:
+      dashed_name: process-thread-name
+      description: Thread name.
+      example: thread-0
+      flat_name: process.thread.name
+      ignore_above: 1024
+      level: extended
+      name: thread.name
+      normalize: []
+      short: Thread name.
+      type: keyword
+    process.title:
+      dashed_name: process-title
+      description: 'Process title.
+
+        The proctitle, some times the same as process name. Can also be different:
+        for example a browser setting its title to the web page currently opened.'
+      flat_name: process.title
+      level: extended
+      multi_fields:
+      - flat_name: process.title.text
+        name: text
+        norms: false
+        type: text
+      name: title
+      normalize: []
+      short: Process title.
+      type: wildcard
+    process.uptime:
+      dashed_name: process-uptime
+      description: Seconds the process has been up.
+      example: 1325
+      flat_name: process.uptime
+      level: extended
+      name: uptime
+      normalize: []
+      short: Seconds the process has been up.
+      type: long
+    process.working_directory:
+      dashed_name: process-working-directory
+      description: The working directory of the process.
+      example: /home/alice
+      flat_name: process.working_directory
+      level: extended
+      multi_fields:
+      - flat_name: process.working_directory.text
+        name: text
+        norms: false
+        type: text
+      name: working_directory
+      normalize: []
+      short: The working directory of the process.
+      type: wildcard
+  group: 2
+  name: process
+  nestings:
+  - process.code_signature
+  - process.hash
+  - process.parent
+  - process.pe
+  prefix: process.
+  reusable:
+    expected:
+    - as: parent
+      at: process
+      full: process.parent
+    top_level: true
+  reused_here:
+  - full: process.code_signature
+    schema_name: code_signature
+    short: These fields contain information about binary code signatures.
+  - full: process.hash
+    schema_name: hash
+    short: Hashes, usually file hashes.
+  - full: process.pe
+    schema_name: pe
+    short: These fields contain Windows Portable Executable (PE) metadata.
+  - full: process.parent
+    schema_name: process
+    short: These fields contain information about a process.
+  short: These fields contain information about a process.
+  title: Process
+  type: group
+registry:
+  description: Fields related to Windows Registry operations.
+  fields:
+    registry.data.bytes:
+      dashed_name: registry-data-bytes
+      description: 'Original bytes written with base64 encoding.
+
+        For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
+        corresponds to the data pointed by `lp_data`. This is optional but provides
+        better recoverability and should be populated for REG_BINARY encoded values.'
+      example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
+      flat_name: registry.data.bytes
+      ignore_above: 1024
+      level: extended
+      name: data.bytes
+      normalize: []
+      short: Original bytes written with base64 encoding.
+      type: keyword
+    registry.data.strings:
+      dashed_name: registry-data-strings
+      description: 'Content when writing string types.
+
+        Populated as an array when writing string data to the registry. For single
+        string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with
+        one string. For sequences of string with REG_MULTI_SZ, this array will be
+        variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should
+        be populated with the decimal representation (e.g `"1"`).'
+      example: '["C:\rta\red_ttp\bin\myapp.exe"]'
+      flat_name: registry.data.strings
+      level: core
+      name: data.strings
+      normalize:
+      - array
+      short: List of strings representing what was written to the registry.
+      type: wildcard
+    registry.data.type:
+      dashed_name: registry-data-type
+      description: Standard registry type for encoding contents
+      example: REG_SZ
+      flat_name: registry.data.type
+      ignore_above: 1024
+      level: core
+      name: data.type
+      normalize: []
+      short: Standard registry type for encoding contents
+      type: keyword
+    registry.hive:
+      dashed_name: registry-hive
+      description: Abbreviated name for the hive.
+      example: HKLM
+      flat_name: registry.hive
+      ignore_above: 1024
+      level: core
+      name: hive
+      normalize: []
+      short: Abbreviated name for the hive.
+      type: keyword
+    registry.key:
+      dashed_name: registry-key
+      description: Hive-relative path of keys.
+      example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
+      flat_name: registry.key
+      level: core
+      name: key
+      normalize: []
+      short: Hive-relative path of keys.
+      type: wildcard
+    registry.path:
+      dashed_name: registry-path
+      description: Full path, including hive, key and value
+      example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
+        Options\winword.exe\Debugger
+      flat_name: registry.path
+      level: core
+      name: path
+      normalize: []
+      short: Full path, including hive, key and value
+      type: wildcard
+    registry.value:
+      dashed_name: registry-value
+      description: Name of the value written.
+      example: Debugger
+      flat_name: registry.value
+      ignore_above: 1024
+      level: core
+      name: value
+      normalize: []
+      short: Name of the value written.
+      type: keyword
+  group: 2
+  name: registry
+  prefix: registry.
+  short: Fields related to Windows Registry operations.
+  title: Registry
+  type: group
+related:
+  description: 'This field set is meant to facilitate pivoting around a piece of data.
+
+    Some pieces of information can be seen in many places in an ECS event. To facilitate
+    searching for them, store an array of all seen values to their corresponding field
+    in `related.`.
+
+    A concrete example is IP addresses, which can be under host, observer, source,
+    destination, client, server, and network.forwarded_ip. If you append all IPs to
+    `related.ip`, you can then search for a given IP trivially, no matter where it
+    appeared, by querying `related.ip:192.0.2.15`.'
+  fields:
+    related.hash:
+      dashed_name: related-hash
+      description: All the hashes seen on your event. Populating this field, then
+        using it to search for hashes can help in situations where you're unsure what
+        the hash algorithm is (and therefore which key name to search).
+      flat_name: related.hash
+      ignore_above: 1024
+      level: extended
+      name: hash
+      normalize:
+      - array
+      short: All the hashes seen on your event.
+      type: keyword
+    related.hosts:
+      dashed_name: related-hosts
+      description: All hostnames or other host identifiers seen on your event. Example
+        identifiers include FQDNs, domain names, workstation names, or aliases.
+      flat_name: related.hosts
+      ignore_above: 1024
+      level: extended
+      name: hosts
+      normalize:
+      - array
+      short: All the host identifiers seen on your event.
+      type: keyword
+    related.ip:
+      dashed_name: related-ip
+      description: All of the IPs seen on your event.
+      flat_name: related.ip
+      level: extended
+      name: ip
+      normalize:
+      - array
+      short: All of the IPs seen on your event.
+      type: ip
+    related.user:
+      dashed_name: related-user
+      description: All the user names seen on your event.
+      flat_name: related.user
+      ignore_above: 1024
+      level: extended
+      name: user
+      normalize:
+      - array
+      short: All the user names seen on your event.
+      type: keyword
+  group: 2
+  name: related
+  prefix: related.
+  short: Fields meant to facilitate pivoting around a piece of data.
+  title: Related
+  type: group
+rule:
+  description: 'Rule fields are used to capture the specifics of any observer or agent
+    rules that generate alerts or other notable events.
+
+    Examples of data sources that would populate the rule fields include: network
+    admission control platforms, network or host IDS/IPS, network firewalls, web application
+    firewalls, url filters, endpoint detection and response (EDR) systems, etc.'
+  fields:
+    rule.author:
+      dashed_name: rule-author
+      description: Name, organization, or pseudonym of the author or authors who created
+        the rule used to generate this event.
+      example: '["Star-Lord"]'
+      flat_name: rule.author
+      ignore_above: 1024
+      level: extended
+      name: author
+      normalize:
+      - array
+      short: Rule author
+      type: keyword
+    rule.category:
+      dashed_name: rule-category
+      description: A categorization value keyword used by the entity using the rule
+        for detection of this event.
+      example: Attempted Information Leak
+      flat_name: rule.category
+      ignore_above: 1024
+      level: extended
+      name: category
+      normalize: []
+      short: Rule category
+      type: keyword
+    rule.description:
+      dashed_name: rule-description
+      description: The description of the rule generating the event.
+      example: Block requests to public DNS over HTTPS / TLS protocols
+      flat_name: rule.description
+      ignore_above: 1024
+      level: extended
+      name: description
+      normalize: []
+      short: Rule description
+      type: keyword
+    rule.id:
+      dashed_name: rule-id
+      description: A rule ID that is unique within the scope of an agent, observer,
+        or other entity using the rule for detection of this event.
+      example: 101
+      flat_name: rule.id
+      ignore_above: 1024
+      level: extended
+      name: id
+      normalize: []
+      short: Rule ID
+      type: keyword
+    rule.license:
+      dashed_name: rule-license
+      description: Name of the license under which the rule used to generate this
+        event is made available.
+      example: Apache 2.0
+      flat_name: rule.license
+      ignore_above: 1024
+      level: extended
+      name: license
+      normalize: []
+      short: Rule license
+      type: keyword
+    rule.name:
+      dashed_name: rule-name
+      description: The name of the rule or signature generating the event.
+      example: BLOCK_DNS_over_TLS
+      flat_name: rule.name
+      ignore_above: 1024
+      level: extended
+      name: name
+      normalize: []
+      short: Rule name
+      type: keyword
+    rule.reference:
+      dashed_name: rule-reference
+      description: 'Reference URL to additional information about the rule used to
+        generate this event.
+
+        The URL can point to the vendor''s documentation about the rule. If that''s
+        not available, it can also be a link to a more general page describing this
+        type of alert.'
+      example: https://en.wikipedia.org/wiki/DNS_over_TLS
+      flat_name: rule.reference
+      ignore_above: 1024
+      level: extended
+      name: reference
+      normalize: []
+      short: Rule reference URL
+      type: keyword
+    rule.ruleset:
+      dashed_name: rule-ruleset
+      description: Name of the ruleset, policy, group, or parent category in which
+        the rule used to generate this event is a member.
+      example: Standard_Protocol_Filters
+      flat_name: rule.ruleset
+      ignore_above: 1024
+      level: extended
+      name: ruleset
+      normalize: []
+      short: Rule ruleset
+      type: keyword
+    rule.uuid:
+      dashed_name: rule-uuid
+      description: A rule ID that is unique within the scope of a set or group of
+        agents, observers, or other entities using the rule for detection of this
+        event.
+      example: 1100110011
+      flat_name: rule.uuid
+      ignore_above: 1024
+      level: extended
+      name: uuid
+      normalize: []
+      short: Rule UUID
+      type: keyword
+    rule.version:
+      dashed_name: rule-version
+      description: The version / revision of the rule being used for analysis.
+      example: 1.1
+      flat_name: rule.version
+      ignore_above: 1024
+      level: extended
+      name: version
+      normalize: []
+      short: Rule version
+      type: keyword
+  group: 2
+  name: rule
+  prefix: rule.
+  short: Fields to capture details about rules used to generate alerts or other notable
+    events.
+  title: Rule
+  type: group
+server:
+  description: 'A Server is defined as the responder in a network connection for events
+    regarding sessions, connections, or bidirectional flow records.
+
+    For TCP events, the server is the receiver of the initial SYN packet(s) of the
+    TCP connection. For other protocols, the server is generally the responder in
+    the network transaction. Some systems actually use the term "responder" to refer
+    the server in TCP connections. The server fields describe details about the system
+    acting as the server in the network event. Server fields are usually populated
+    in conjunction with client fields. Server fields are generally not populated for
+    packet-level events.
+
+    Client / server representations can add semantic context to an exchange, which
+    is helpful to visualize the data in certain situations. If your context falls
+    in that category, you should still ensure that source and destination are filled
+    appropriately.'
+  fields:
+    server.address:
+      dashed_name: server-address
+      description: 'Some event server addresses are defined ambiguously. The event
+        will sometimes list an IP, a domain or a unix socket.  You should always store
+        the raw address in the `.address` field.
+
+        Then it should be duplicated to `.ip` or `.domain`, depending on which one
+        it is.'
+      flat_name: server.address
+      ignore_above: 1024
+      level: extended
+      name: address
+      normalize: []
+      short: Server network address.
+      type: keyword
+    server.as.number:
+      dashed_name: server-as-number
+      description: Unique number allocated to the autonomous system. The autonomous
+        system number (ASN) uniquely identifies each network on the Internet.
+      example: 15169
+      flat_name: server.as.number
+      level: extended
+      name: number
+      normalize: []
+      original_fieldset: as
+      short: Unique number allocated to the autonomous system.
+      type: long
+    server.as.organization.name:
+      dashed_name: server-as-organization-name
+      description: Organization name.
+      example: Google LLC
+      flat_name: server.as.organization.name
+      level: extended
+      multi_fields:
+      - flat_name: server.as.organization.name.text
+        name: text
+        norms: false
+        type: text
+      name: organization.name
+      normalize: []
+      original_fieldset: as
+      short: Organization name.
+      type: wildcard
+    server.bytes:
+      dashed_name: server-bytes
+      description: Bytes sent from the server to the client.
+      example: 184
+      flat_name: server.bytes
+      format: bytes
+      level: core
+      name: bytes
+      normalize: []
+      short: Bytes sent from the server to the client.
+      type: long
+    server.domain:
+      dashed_name: server-domain
+      description: Server domain.
+      flat_name: server.domain
+      level: core
+      name: domain
+      normalize: []
+      short: Server domain.
+      type: wildcard
+    server.geo.city_name:
+      dashed_name: server-geo-city-name
+      description: City name.
+      example: Montreal
+      flat_name: server.geo.city_name
+      ignore_above: 1024
+      level: core
+      name: city_name
+      normalize: []
+      original_fieldset: geo
+      short: City name.
+      type: keyword
+    server.geo.continent_name:
+      dashed_name: server-geo-continent-name
+      description: Name of the continent.
+      example: North America
+      flat_name: server.geo.continent_name
+      ignore_above: 1024
+      level: core
+      name: continent_name
+      normalize: []
+      original_fieldset: geo
+      short: Name of the continent.
+      type: keyword
+    server.geo.country_iso_code:
+      dashed_name: server-geo-country-iso-code
+      description: Country ISO code.
+      example: CA
+      flat_name: server.geo.country_iso_code
+      ignore_above: 1024
+      level: core
+      name: country_iso_code
+      normalize: []
+      original_fieldset: geo
+      short: Country ISO code.
+      type: keyword
+    server.geo.country_name:
+      dashed_name: server-geo-country-name
+      description: Country name.
+      example: Canada
+      flat_name: server.geo.country_name
+      ignore_above: 1024
+      level: core
+      name: country_name
+      normalize: []
+      original_fieldset: geo
+      short: Country name.
+      type: keyword
+    server.geo.location:
+      dashed_name: server-geo-location
+      description: Longitude and latitude.
+      example: '{ "lon": -73.614830, "lat": 45.505918 }'
+      flat_name: server.geo.location
+      level: core
+      name: location
+      normalize: []
+      original_fieldset: geo
+      short: Longitude and latitude.
+      type: geo_point
+    server.geo.name:
+      dashed_name: server-geo-name
+      description: 'User-defined description of a location, at the level of granularity
+        they care about.
+
+        Could be the name of their data centers, the floor number, if this describes
+        a local physical entity, city names.
+
+        Not typically used in automated geolocation.'
+      example: boston-dc
+      flat_name: server.geo.name
+      level: extended
+      name: name
+      normalize: []
+      original_fieldset: geo
+      short: User-defined description of a location.
+      type: wildcard
+    server.geo.region_iso_code:
+      dashed_name: server-geo-region-iso-code
+      description: Region ISO code.
+      example: CA-QC
+      flat_name: server.geo.region_iso_code
+      ignore_above: 1024
+      level: core
+      name: region_iso_code
+      normalize: []
+      original_fieldset: geo
+      short: Region ISO code.
+      type: keyword
+    server.geo.region_name:
+      dashed_name: server-geo-region-name
+      description: Region name.
+      example: Quebec
+      flat_name: server.geo.region_name
+      ignore_above: 1024
+      level: core
+      name: region_name
+      normalize: []
+      original_fieldset: geo
+      short: Region name.
+      type: keyword
+    server.ip:
+      dashed_name: server-ip
+      description: IP address of the server (IPv4 or IPv6).
+      flat_name: server.ip
+      level: core
+      name: ip
+      normalize: []
+      short: IP address of the server.
+      type: ip
+    server.mac:
+      dashed_name: server-mac
+      description: MAC address of the server.
+      flat_name: server.mac
+      ignore_above: 1024
+      level: core
+      name: mac
+      normalize: []
+      short: MAC address of the server.
+      type: keyword
+    server.nat.ip:
+      dashed_name: server-nat-ip
+      description: 'Translated ip of destination based NAT sessions (e.g. internet
+        to private DMZ)
+
+        Typically used with load balancers, firewalls, or routers.'
+      flat_name: server.nat.ip
+      level: extended
+      name: nat.ip
+      normalize: []
+      short: Server NAT ip
+      type: ip
+    server.nat.port:
+      dashed_name: server-nat-port
+      description: 'Translated port of destination based NAT sessions (e.g. internet
+        to private DMZ)
+
+        Typically used with load balancers, firewalls, or routers.'
+      flat_name: server.nat.port
+      format: string
+      level: extended
+      name: nat.port
+      normalize: []
+      short: Server NAT port
+      type: long
+    server.packets:
+      dashed_name: server-packets
+      description: Packets sent from the server to the client.
+      example: 12
+      flat_name: server.packets
+      level: core
+      name: packets
+      normalize: []
+      short: Packets sent from the server to the client.
+      type: long
+    server.port:
+      dashed_name: server-port
+      description: Port of the server.
+      flat_name: server.port
+      format: string
+      level: core
+      name: port
+      normalize: []
+      short: Port of the server.
+      type: long
+    server.registered_domain:
+      dashed_name: server-registered-domain
+      description: 'The highest registered server domain, stripped of the subdomain.
+
+        For example, the registered domain for "foo.example.com" is "example.com".
+
+        This value can be determined precisely with a list like the public suffix
+        list (http://publicsuffix.org). Trying to approximate this by simply taking
+        the last two labels will not work well for TLDs such as "co.uk".'
+      example: example.com
+      flat_name: server.registered_domain
+      level: extended
+      name: registered_domain
+      normalize: []
+      short: The highest registered server domain, stripped of the subdomain.
+      type: wildcard
+    server.subdomain:
+      dashed_name: server-subdomain
+      description: 'The subdomain portion of a fully qualified domain name includes
+        all of the names except the host name under the registered_domain.  In a partially
+        qualified domain, or if the the qualification level of the full name cannot
+        be determined, subdomain contains all of the names below the registered domain.
+
+        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.'
+      example: east
+      flat_name: server.subdomain
+      ignore_above: 1024
+      level: extended
+      name: subdomain
+      normalize: []
+      short: The subdomain of the domain.
+      type: keyword
+    server.top_level_domain:
+      dashed_name: server-top-level-domain
+      description: 'The effective top level domain (eTLD), also known as the domain
+        suffix, is the last part of the domain name. For example, the top level domain
+        for example.com is "com".
+
+        This value can be determined precisely with a list like the public suffix
+        list (http://publicsuffix.org). Trying to approximate this by simply taking
+        the last label will not work well for effective TLDs such as "co.uk".'
+      example: co.uk
+      flat_name: server.top_level_domain
+      ignore_above: 1024
+      level: extended
+      name: top_level_domain
+      normalize: []
+      short: The effective top level domain (com, org, net, co.uk).
+      type: keyword
+    server.user.domain:
+      dashed_name: server-user-domain
+      description: 'Name of the directory the user is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      flat_name: server.user.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      original_fieldset: user
+      short: Name of the directory the user is a member of.
+      type: keyword
+    server.user.email:
+      dashed_name: server-user-email
+      description: User email address.
+      flat_name: server.user.email
+      level: extended
+      name: email
+      normalize: []
+      original_fieldset: user
+      short: User email address.
+      type: wildcard
+    server.user.full_name:
+      dashed_name: server-user-full-name
+      description: User's full name, if available.
+      example: Albert Einstein
+      flat_name: server.user.full_name
+      level: extended
+      multi_fields:
+      - flat_name: server.user.full_name.text
+        name: text
+        norms: false
+        type: text
+      name: full_name
+      normalize: []
+      original_fieldset: user
+      short: User's full name, if available.
+      type: wildcard
+    server.user.group.domain:
+      dashed_name: server-user-group-domain
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      flat_name: server.user.group.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      original_fieldset: group
+      short: Name of the directory the group is a member of.
+      type: keyword
+    server.user.group.id:
+      dashed_name: server-user-group-id
+      description: Unique identifier for the group on the system/platform.
+      flat_name: server.user.group.id
+      ignore_above: 1024
+      level: extended
+      name: id
+      normalize: []
+      original_fieldset: group
+      short: Unique identifier for the group on the system/platform.
+      type: keyword
+    server.user.group.name:
+      dashed_name: server-user-group-name
+      description: Name of the group.
+      flat_name: server.user.group.name
+      ignore_above: 1024
+      level: extended
+      name: name
+      normalize: []
+      original_fieldset: group
+      short: Name of the group.
+      type: keyword
+    server.user.hash:
+      dashed_name: server-user-hash
+      description: 'Unique user hash to correlate information for a user in anonymized
+        form.
+
+        Useful if `user.id` or `user.name` contain confidential information and cannot
+        be used.'
+      flat_name: server.user.hash
+      ignore_above: 1024
+      level: extended
+      name: hash
+      normalize: []
+      original_fieldset: user
+      short: Unique user hash to correlate information for a user in anonymized form.
+      type: keyword
+    server.user.id:
+      dashed_name: server-user-id
+      description: Unique identifier of the user.
+      flat_name: server.user.id
+      ignore_above: 1024
+      level: core
+      name: id
+      normalize: []
+      original_fieldset: user
+      short: Unique identifier of the user.
+      type: keyword
+    server.user.name:
+      dashed_name: server-user-name
+      description: Short name or login of the user.
+      example: albert
+      flat_name: server.user.name
+      level: core
+      multi_fields:
+      - flat_name: server.user.name.text
+        name: text
+        norms: false
+        type: text
+      name: name
+      normalize: []
+      original_fieldset: user
+      short: Short name or login of the user.
+      type: wildcard
+    server.user.roles:
+      dashed_name: server-user-roles
+      description: Array of user roles at the time of the event.
+      example: '["kibana_admin", "reporting_user"]'
+      flat_name: server.user.roles
+      ignore_above: 1024
+      level: extended
+      name: roles
+      normalize:
+      - array
+      original_fieldset: user
+      short: Array of user roles at the time of the event.
+      type: keyword
+  group: 2
+  name: server
+  nestings:
+  - server.as
+  - server.geo
+  - server.user
+  prefix: server.
+  reused_here:
+  - full: server.as
+    schema_name: as
+    short: Fields describing an Autonomous System (Internet routing prefix).
+  - full: server.geo
+    schema_name: geo
+    short: Fields describing a location.
+  - full: server.user
+    schema_name: user
+    short: Fields to describe the user relevant to the event.
+  short: Fields about the server side of a network connection, used with client.
+  title: Server
+  type: group
+service:
+  description: 'The service fields describe the service for or from which the data
+    was collected.
+
+    These fields help you find and correlate logs for a specific service and version.'
+  fields:
+    service.ephemeral_id:
+      dashed_name: service-ephemeral-id
+      description: 'Ephemeral identifier of this service (if one exists).
+
+        This id normally changes across restarts, but `service.id` does not.'
+      example: 8a4f500f
+      flat_name: service.ephemeral_id
+      ignore_above: 1024
+      level: extended
+      name: ephemeral_id
+      normalize: []
+      short: Ephemeral identifier of this service.
+      type: keyword
+    service.id:
+      dashed_name: service-id
+      description: 'Unique identifier of the running service. If the service is comprised
+        of many nodes, the `service.id` should be the same for all nodes.
+
+        This id should uniquely identify the service. This makes it possible to correlate
+        logs and metrics for one specific service, no matter which particular node
+        emitted the event.
+
+        Note that if you need to see the events from one specific host of the service,
+        you should filter on that `host.name` or `host.id` instead.'
+      example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
+      flat_name: service.id
+      ignore_above: 1024
+      level: core
+      name: id
+      normalize: []
+      short: Unique identifier of the running service.
+      type: keyword
+    service.name:
+      dashed_name: service-name
+      description: 'Name of the service data is collected from.
+
+        The name of the service is normally user given. This allows for distributed
+        services that run on multiple hosts to correlate the related instances based
+        on the name.
+
+        In the case of Elasticsearch the `service.name` could contain the cluster
+        name. For Beats the `service.name` is by default a copy of the `service.type`
+        field if no name is specified.'
+      example: elasticsearch-metrics
+      flat_name: service.name
+      ignore_above: 1024
+      level: core
+      name: name
+      normalize: []
+      short: Name of the service.
+      type: keyword
+    service.node.name:
+      dashed_name: service-node-name
+      description: 'Name of a service node.
+
+        This allows for two nodes of the same service running on the same host to
+        be differentiated. Therefore, `service.node.name` should typically be unique
+        across nodes of a given service.
+
+        In the case of Elasticsearch, the `service.node.name` could contain the unique
+        node name within the Elasticsearch cluster. In cases where the service doesn''t
+        have the concept of a node name, the host name or container name can be used
+        to distinguish running instances that make up this service. If those do not
+        provide uniqueness (e.g. multiple instances of the service running on the
+        same host) - the node name can be manually set.'
+      example: instance-0000000016
+      flat_name: service.node.name
+      ignore_above: 1024
+      level: extended
+      name: node.name
+      normalize: []
+      short: Name of the service node.
+      type: keyword
+    service.state:
+      dashed_name: service-state
+      description: Current state of the service.
+      flat_name: service.state
+      ignore_above: 1024
+      level: core
+      name: state
+      normalize: []
+      short: Current state of the service.
+      type: keyword
+    service.type:
+      dashed_name: service-type
+      description: 'The type of the service data is collected from.
+
+        The type can be used to group and correlate logs and metrics from one service
+        type.
+
+        Example: If logs or metrics are collected from Elasticsearch, `service.type`
+        would be `elasticsearch`.'
+      example: elasticsearch
+      flat_name: service.type
+      ignore_above: 1024
+      level: core
+      name: type
+      normalize: []
+      short: The type of the service.
+      type: keyword
+    service.version:
+      dashed_name: service-version
+      description: 'Version of the service the data was collected from.
+
+        This allows to look at a data set only for a specific version of a service.'
+      example: 3.2.4
+      flat_name: service.version
+      ignore_above: 1024
+      level: core
+      name: version
+      normalize: []
+      short: Version of the service.
+      type: keyword
+  group: 2
+  name: service
+  prefix: service.
+  short: Fields describing the service for or from which the data was collected.
+  title: Service
+  type: group
+source:
+  description: 'Source fields capture details about the sender of a network exchange/packet.
+    These fields are populated from a network event, packet, or other event containing
+    details of a network transaction.
+
+    Source fields are usually populated in conjunction with destination fields. The
+    source and destination fields are considered the baseline and should always be
+    filled if an event contains source and destination details from a network transaction.
+    If the event also contains identification of the client and server roles, then
+    the client and server fields should also be populated.'
+  fields:
+    source.address:
+      dashed_name: source-address
+      description: 'Some event source addresses are defined ambiguously. The event
+        will sometimes list an IP, a domain or a unix socket.  You should always store
+        the raw address in the `.address` field.
+
+        Then it should be duplicated to `.ip` or `.domain`, depending on which one
+        it is.'
+      flat_name: source.address
+      ignore_above: 1024
+      level: extended
+      name: address
+      normalize: []
+      short: Source network address.
+      type: keyword
+    source.as.number:
+      dashed_name: source-as-number
+      description: Unique number allocated to the autonomous system. The autonomous
+        system number (ASN) uniquely identifies each network on the Internet.
+      example: 15169
+      flat_name: source.as.number
+      level: extended
+      name: number
+      normalize: []
+      original_fieldset: as
+      short: Unique number allocated to the autonomous system.
+      type: long
+    source.as.organization.name:
+      dashed_name: source-as-organization-name
+      description: Organization name.
+      example: Google LLC
+      flat_name: source.as.organization.name
+      level: extended
+      multi_fields:
+      - flat_name: source.as.organization.name.text
+        name: text
+        norms: false
+        type: text
+      name: organization.name
+      normalize: []
+      original_fieldset: as
+      short: Organization name.
+      type: wildcard
+    source.bytes:
+      dashed_name: source-bytes
+      description: Bytes sent from the source to the destination.
+      example: 184
+      flat_name: source.bytes
+      format: bytes
+      level: core
+      name: bytes
+      normalize: []
+      short: Bytes sent from the source to the destination.
+      type: long
+    source.domain:
+      dashed_name: source-domain
+      description: Source domain.
+      flat_name: source.domain
+      level: core
+      name: domain
+      normalize: []
+      short: Source domain.
+      type: wildcard
+    source.geo.city_name:
+      dashed_name: source-geo-city-name
+      description: City name.
+      example: Montreal
+      flat_name: source.geo.city_name
+      ignore_above: 1024
+      level: core
+      name: city_name
+      normalize: []
+      original_fieldset: geo
+      short: City name.
+      type: keyword
+    source.geo.continent_name:
+      dashed_name: source-geo-continent-name
+      description: Name of the continent.
+      example: North America
+      flat_name: source.geo.continent_name
+      ignore_above: 1024
+      level: core
+      name: continent_name
+      normalize: []
+      original_fieldset: geo
+      short: Name of the continent.
+      type: keyword
+    source.geo.country_iso_code:
+      dashed_name: source-geo-country-iso-code
+      description: Country ISO code.
+      example: CA
+      flat_name: source.geo.country_iso_code
+      ignore_above: 1024
+      level: core
+      name: country_iso_code
+      normalize: []
+      original_fieldset: geo
+      short: Country ISO code.
+      type: keyword
+    source.geo.country_name:
+      dashed_name: source-geo-country-name
+      description: Country name.
+      example: Canada
+      flat_name: source.geo.country_name
+      ignore_above: 1024
+      level: core
+      name: country_name
+      normalize: []
+      original_fieldset: geo
+      short: Country name.
+      type: keyword
+    source.geo.location:
+      dashed_name: source-geo-location
+      description: Longitude and latitude.
+      example: '{ "lon": -73.614830, "lat": 45.505918 }'
+      flat_name: source.geo.location
+      level: core
+      name: location
+      normalize: []
+      original_fieldset: geo
+      short: Longitude and latitude.
+      type: geo_point
+    source.geo.name:
+      dashed_name: source-geo-name
+      description: 'User-defined description of a location, at the level of granularity
+        they care about.
+
+        Could be the name of their data centers, the floor number, if this describes
+        a local physical entity, city names.
+
+        Not typically used in automated geolocation.'
+      example: boston-dc
+      flat_name: source.geo.name
+      level: extended
+      name: name
+      normalize: []
+      original_fieldset: geo
+      short: User-defined description of a location.
+      type: wildcard
+    source.geo.region_iso_code:
+      dashed_name: source-geo-region-iso-code
+      description: Region ISO code.
+      example: CA-QC
+      flat_name: source.geo.region_iso_code
+      ignore_above: 1024
+      level: core
+      name: region_iso_code
+      normalize: []
+      original_fieldset: geo
+      short: Region ISO code.
+      type: keyword
+    source.geo.region_name:
+      dashed_name: source-geo-region-name
+      description: Region name.
+      example: Quebec
+      flat_name: source.geo.region_name
+      ignore_above: 1024
+      level: core
+      name: region_name
+      normalize: []
+      original_fieldset: geo
+      short: Region name.
+      type: keyword
+    source.ip:
+      dashed_name: source-ip
+      description: IP address of the source (IPv4 or IPv6).
+      flat_name: source.ip
+      level: core
+      name: ip
+      normalize: []
+      short: IP address of the source.
+      type: ip
+    source.mac:
+      dashed_name: source-mac
+      description: MAC address of the source.
+      flat_name: source.mac
+      ignore_above: 1024
+      level: core
+      name: mac
+      normalize: []
+      short: MAC address of the source.
+      type: keyword
+    source.nat.ip:
+      dashed_name: source-nat-ip
+      description: 'Translated ip of source based NAT sessions (e.g. internal client
+        to internet)
+
+        Typically connections traversing load balancers, firewalls, or routers.'
+      flat_name: source.nat.ip
+      level: extended
+      name: nat.ip
+      normalize: []
+      short: Source NAT ip
+      type: ip
+    source.nat.port:
+      dashed_name: source-nat-port
+      description: 'Translated port of source based NAT sessions. (e.g. internal client
+        to internet)
+
+        Typically used with load balancers, firewalls, or routers.'
+      flat_name: source.nat.port
+      format: string
+      level: extended
+      name: nat.port
+      normalize: []
+      short: Source NAT port
+      type: long
+    source.packets:
+      dashed_name: source-packets
+      description: Packets sent from the source to the destination.
+      example: 12
+      flat_name: source.packets
+      level: core
+      name: packets
+      normalize: []
+      short: Packets sent from the source to the destination.
+      type: long
+    source.port:
+      dashed_name: source-port
+      description: Port of the source.
+      flat_name: source.port
+      format: string
+      level: core
+      name: port
+      normalize: []
+      short: Port of the source.
+      type: long
+    source.registered_domain:
+      dashed_name: source-registered-domain
+      description: 'The highest registered source domain, stripped of the subdomain.
+
+        For example, the registered domain for "foo.example.com" is "example.com".
+
+        This value can be determined precisely with a list like the public suffix
+        list (http://publicsuffix.org). Trying to approximate this by simply taking
+        the last two labels will not work well for TLDs such as "co.uk".'
+      example: example.com
+      flat_name: source.registered_domain
+      level: extended
+      name: registered_domain
+      normalize: []
+      short: The highest registered source domain, stripped of the subdomain.
+      type: wildcard
+    source.subdomain:
+      dashed_name: source-subdomain
+      description: 'The subdomain portion of a fully qualified domain name includes
+        all of the names except the host name under the registered_domain.  In a partially
+        qualified domain, or if the the qualification level of the full name cannot
+        be determined, subdomain contains all of the names below the registered domain.
+
+        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.'
+      example: east
+      flat_name: source.subdomain
+      ignore_above: 1024
+      level: extended
+      name: subdomain
+      normalize: []
+      short: The subdomain of the domain.
+      type: keyword
+    source.top_level_domain:
+      dashed_name: source-top-level-domain
+      description: 'The effective top level domain (eTLD), also known as the domain
+        suffix, is the last part of the domain name. For example, the top level domain
+        for example.com is "com".
+
+        This value can be determined precisely with a list like the public suffix
+        list (http://publicsuffix.org). Trying to approximate this by simply taking
+        the last label will not work well for effective TLDs such as "co.uk".'
+      example: co.uk
+      flat_name: source.top_level_domain
+      ignore_above: 1024
+      level: extended
+      name: top_level_domain
+      normalize: []
+      short: The effective top level domain (com, org, net, co.uk).
+      type: keyword
+    source.user.domain:
+      dashed_name: source-user-domain
+      description: 'Name of the directory the user is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      flat_name: source.user.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      original_fieldset: user
+      short: Name of the directory the user is a member of.
+      type: keyword
+    source.user.email:
+      dashed_name: source-user-email
+      description: User email address.
+      flat_name: source.user.email
+      level: extended
+      name: email
+      normalize: []
+      original_fieldset: user
+      short: User email address.
+      type: wildcard
+    source.user.full_name:
+      dashed_name: source-user-full-name
+      description: User's full name, if available.
+      example: Albert Einstein
+      flat_name: source.user.full_name
+      level: extended
+      multi_fields:
+      - flat_name: source.user.full_name.text
+        name: text
+        norms: false
+        type: text
+      name: full_name
+      normalize: []
+      original_fieldset: user
+      short: User's full name, if available.
+      type: wildcard
+    source.user.group.domain:
+      dashed_name: source-user-group-domain
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      flat_name: source.user.group.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      original_fieldset: group
+      short: Name of the directory the group is a member of.
+      type: keyword
+    source.user.group.id:
+      dashed_name: source-user-group-id
+      description: Unique identifier for the group on the system/platform.
+      flat_name: source.user.group.id
+      ignore_above: 1024
+      level: extended
+      name: id
+      normalize: []
+      original_fieldset: group
+      short: Unique identifier for the group on the system/platform.
+      type: keyword
+    source.user.group.name:
+      dashed_name: source-user-group-name
+      description: Name of the group.
+      flat_name: source.user.group.name
+      ignore_above: 1024
+      level: extended
+      name: name
+      normalize: []
+      original_fieldset: group
+      short: Name of the group.
+      type: keyword
+    source.user.hash:
+      dashed_name: source-user-hash
+      description: 'Unique user hash to correlate information for a user in anonymized
+        form.
+
+        Useful if `user.id` or `user.name` contain confidential information and cannot
+        be used.'
+      flat_name: source.user.hash
+      ignore_above: 1024
+      level: extended
+      name: hash
+      normalize: []
+      original_fieldset: user
+      short: Unique user hash to correlate information for a user in anonymized form.
+      type: keyword
+    source.user.id:
+      dashed_name: source-user-id
+      description: Unique identifier of the user.
+      flat_name: source.user.id
+      ignore_above: 1024
+      level: core
+      name: id
+      normalize: []
+      original_fieldset: user
+      short: Unique identifier of the user.
+      type: keyword
+    source.user.name:
+      dashed_name: source-user-name
+      description: Short name or login of the user.
+      example: albert
+      flat_name: source.user.name
+      level: core
+      multi_fields:
+      - flat_name: source.user.name.text
+        name: text
+        norms: false
+        type: text
+      name: name
+      normalize: []
+      original_fieldset: user
+      short: Short name or login of the user.
+      type: wildcard
+    source.user.roles:
+      dashed_name: source-user-roles
+      description: Array of user roles at the time of the event.
+      example: '["kibana_admin", "reporting_user"]'
+      flat_name: source.user.roles
+      ignore_above: 1024
+      level: extended
+      name: roles
+      normalize:
+      - array
+      original_fieldset: user
+      short: Array of user roles at the time of the event.
+      type: keyword
+  group: 2
+  name: source
+  nestings:
+  - source.as
+  - source.geo
+  - source.user
+  prefix: source.
+  reused_here:
+  - full: source.as
+    schema_name: as
+    short: Fields describing an Autonomous System (Internet routing prefix).
+  - full: source.geo
+    schema_name: geo
+    short: Fields describing a location.
+  - full: source.user
+    schema_name: user
+    short: Fields to describe the user relevant to the event.
+  short: Fields about the source side of a network connection, used with destination.
+  title: Source
+  type: group
+threat:
+  description: "Fields to classify events and alerts according to a threat taxonomy\
+    \ such as the MITRE ATT&CK\xAE framework.\nThese fields are for users to classify\
+    \ alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy.\
+    \ The threat.tactic.* are meant to capture the high level category of the threat\
+    \ (e.g. \"impact\"). The threat.technique.* fields are meant to capture which\
+    \ kind of approach is used by this detected threat, to accomplish the goal (e.g.\
+    \ \"endpoint denial of service\")."
+  fields:
+    threat.framework:
+      dashed_name: threat-framework
+      description: Name of the threat framework used to further categorize and classify
+        the tactic and technique of the reported threat. Framework classification
+        can be provided by detecting systems, evaluated at ingest time, or retrospectively
+        tagged to events.
+      example: MITRE ATT&CK
+      flat_name: threat.framework
+      ignore_above: 1024
+      level: extended
+      name: framework
+      normalize: []
+      short: Threat classification framework.
+      type: keyword
+    threat.tactic.id:
+      dashed_name: threat-tactic-id
+      description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\
+        \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )"
+      example: TA0002
+      flat_name: threat.tactic.id
+      ignore_above: 1024
+      level: extended
+      name: tactic.id
+      normalize:
+      - array
+      short: Threat tactic id.
+      type: keyword
+    threat.tactic.name:
+      dashed_name: threat-tactic-name
+      description: "Name of the type of tactic used by this threat. You can use a\
+        \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)"
+      example: Execution
+      flat_name: threat.tactic.name
+      ignore_above: 1024
+      level: extended
+      name: tactic.name
+      normalize:
+      - array
+      short: Threat tactic.
+      type: keyword
+    threat.tactic.reference:
+      dashed_name: threat-tactic-reference
+      description: "The reference url of tactic used by this threat. You can use a\
+        \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/\
+        \ )"
+      example: https://attack.mitre.org/tactics/TA0002/
+      flat_name: threat.tactic.reference
+      ignore_above: 1024
+      level: extended
+      name: tactic.reference
+      normalize:
+      - array
+      short: Threat tactic URL reference.
+      type: keyword
+    threat.technique.id:
+      dashed_name: threat-technique-id
+      description: "The id of technique used by this threat. You can use a MITRE ATT&CK\xAE\
+        \ technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
+      example: T1059
+      flat_name: threat.technique.id
+      ignore_above: 1024
+      level: extended
+      name: technique.id
+      normalize:
+      - array
+      short: Threat technique id.
+      type: keyword
+    threat.technique.name:
+      dashed_name: threat-technique-name
+      description: "The name of technique used by this threat. You can use a MITRE\
+        \ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
+      example: Command and Scripting Interpreter
+      flat_name: threat.technique.name
+      ignore_above: 1024
+      level: extended
+      multi_fields:
+      - flat_name: threat.technique.name.text
+        name: text
+        norms: false
+        type: text
+      name: technique.name
+      normalize:
+      - array
+      short: Threat technique name.
+      type: keyword
+    threat.technique.reference:
+      dashed_name: threat-technique-reference
+      description: "The reference url of technique used by this threat. You can use\
+        \ a MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
+      example: https://attack.mitre.org/techniques/T1059/
+      flat_name: threat.technique.reference
+      ignore_above: 1024
+      level: extended
+      name: technique.reference
+      normalize:
+      - array
+      short: Threat technique URL reference.
+      type: keyword
+    threat.technique.subtechnique.id:
+      dashed_name: threat-technique-subtechnique-id
+      description: "The full id of subtechnique used by this threat. You can use a\
+        \ MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
+      example: T1059.001
+      flat_name: threat.technique.subtechnique.id
+      ignore_above: 1024
+      level: extended
+      name: technique.subtechnique.id
+      normalize:
+      - array
+      short: Threat subtechnique id.
+      type: keyword
+    threat.technique.subtechnique.name:
+      dashed_name: threat-technique-subtechnique-name
+      description: "The name of subtechnique used by this threat. You can use a MITRE\
+        \ ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
+      example: PowerShell
+      flat_name: threat.technique.subtechnique.name
+      ignore_above: 1024
+      level: extended
+      multi_fields:
+      - flat_name: threat.technique.subtechnique.name.text
+        name: text
+        norms: false
+        type: text
+      name: technique.subtechnique.name
+      normalize:
+      - array
+      short: Threat subtechnique name.
+      type: keyword
+    threat.technique.subtechnique.reference:
+      dashed_name: threat-technique-subtechnique-reference
+      description: "The reference url of subtechnique used by this threat. You can\
+        \ use a MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
+      example: https://attack.mitre.org/techniques/T1059/001/
+      flat_name: threat.technique.subtechnique.reference
+      ignore_above: 1024
+      level: extended
+      name: technique.subtechnique.reference
+      normalize:
+      - array
+      short: Threat subtechnique URL reference.
+      type: keyword
+  group: 2
+  name: threat
+  prefix: threat.
+  short: Fields to classify events and alerts according to a threat taxonomy.
+  title: Threat
+  type: group
+tls:
+  description: Fields related to a TLS connection. These fields focus on the TLS protocol
+    itself and intentionally avoids in-depth analysis of the related x.509 certificate
+    files.
+  fields:
+    tls.cipher:
+      dashed_name: tls-cipher
+      description: String indicating the cipher used during the current connection.
+      example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+      flat_name: tls.cipher
+      ignore_above: 1024
+      level: extended
+      name: cipher
+      normalize: []
+      short: String indicating the cipher used during the current connection.
+      type: keyword
+    tls.client.certificate:
+      dashed_name: tls-client-certificate
+      description: PEM-encoded stand-alone certificate offered by the client. This
+        is usually mutually-exclusive of `client.certificate_chain` since this value
+        also exists in that list.
+      example: MII...
+      flat_name: tls.client.certificate
+      ignore_above: 1024
+      level: extended
+      name: client.certificate
+      normalize: []
+      short: PEM-encoded stand-alone certificate offered by the client.
+      type: keyword
+    tls.client.certificate_chain:
+      dashed_name: tls-client-certificate-chain
+      description: Array of PEM-encoded certificates that make up the certificate
+        chain offered by the client. This is usually mutually-exclusive of `client.certificate`
+        since that value should be the first certificate in the chain.
+      example: '["MII...", "MII..."]'
+      flat_name: tls.client.certificate_chain
+      ignore_above: 1024
+      level: extended
+      name: client.certificate_chain
+      normalize:
+      - array
+      short: Array of PEM-encoded certificates that make up the certificate chain
+        offered by the client.
+      type: keyword
+    tls.client.hash.md5:
+      dashed_name: tls-client-hash-md5
+      description: Certificate fingerprint using the MD5 digest of DER-encoded version
+        of certificate offered by the client. For consistency with other hash values,
+        this value should be formatted as an uppercase hash.
+      example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
+      flat_name: tls.client.hash.md5
+      ignore_above: 1024
+      level: extended
+      name: client.hash.md5
+      normalize: []
+      short: Certificate fingerprint using the MD5 digest of DER-encoded version of
+        certificate offered by the client.
+      type: keyword
+    tls.client.hash.sha1:
+      dashed_name: tls-client-hash-sha1
+      description: Certificate fingerprint using the SHA1 digest of DER-encoded version
+        of certificate offered by the client. For consistency with other hash values,
+        this value should be formatted as an uppercase hash.
+      example: 9E393D93138888D288266C2D915214D1D1CCEB2A
+      flat_name: tls.client.hash.sha1
+      ignore_above: 1024
+      level: extended
+      name: client.hash.sha1
+      normalize: []
+      short: Certificate fingerprint using the SHA1 digest of DER-encoded version
+        of certificate offered by the client.
+      type: keyword
+    tls.client.hash.sha256:
+      dashed_name: tls-client-hash-sha256
+      description: Certificate fingerprint using the SHA256 digest of DER-encoded
+        version of certificate offered by the client. For consistency with other hash
+        values, this value should be formatted as an uppercase hash.
+      example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
+      flat_name: tls.client.hash.sha256
+      ignore_above: 1024
+      level: extended
+      name: client.hash.sha256
+      normalize: []
+      short: Certificate fingerprint using the SHA256 digest of DER-encoded version
+        of certificate offered by the client.
+      type: keyword
+    tls.client.issuer:
+      dashed_name: tls-client-issuer
+      description: Distinguished name of subject of the issuer of the x.509 certificate
+        presented by the client.
+      example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
+      flat_name: tls.client.issuer
+      level: extended
+      name: client.issuer
+      normalize: []
+      short: Distinguished name of subject of the issuer of the x.509 certificate
+        presented by the client.
+      type: wildcard
+    tls.client.ja3:
+      dashed_name: tls-client-ja3
+      description: A hash that identifies clients based on how they perform an SSL/TLS
+        handshake.
+      example: d4e5b18d6b55c71272893221c96ba240
+      flat_name: tls.client.ja3
+      ignore_above: 1024
+      level: extended
+      name: client.ja3
+      normalize: []
+      short: A hash that identifies clients based on how they perform an SSL/TLS handshake.
+      type: keyword
+    tls.client.not_after:
+      dashed_name: tls-client-not-after
+      description: Date/Time indicating when client certificate is no longer considered
+        valid.
+      example: '2021-01-01T00:00:00.000Z'
+      flat_name: tls.client.not_after
+      level: extended
+      name: client.not_after
+      normalize: []
+      short: Date/Time indicating when client certificate is no longer considered
+        valid.
+      type: date
+    tls.client.not_before:
+      dashed_name: tls-client-not-before
+      description: Date/Time indicating when client certificate is first considered
+        valid.
+      example: '1970-01-01T00:00:00.000Z'
+      flat_name: tls.client.not_before
+      level: extended
+      name: client.not_before
+      normalize: []
+      short: Date/Time indicating when client certificate is first considered valid.
+      type: date
+    tls.client.server_name:
+      dashed_name: tls-client-server-name
+      description: Also called an SNI, this tells the server which hostname to which
+        the client is attempting to connect to. When this value is available, it should
+        get copied to `destination.domain`.
+      example: www.elastic.co
+      flat_name: tls.client.server_name
+      ignore_above: 1024
+      level: extended
+      name: client.server_name
+      normalize: []
+      short: Hostname the client is trying to connect to. Also called the SNI.
+      type: keyword
+    tls.client.subject:
+      dashed_name: tls-client-subject
+      description: Distinguished name of subject of the x.509 certificate presented
+        by the client.
+      example: CN=myclient, OU=Documentation Team, DC=example, DC=com
+      flat_name: tls.client.subject
+      level: extended
+      name: client.subject
+      normalize: []
+      short: Distinguished name of subject of the x.509 certificate presented by the
+        client.
+      type: wildcard
+    tls.client.supported_ciphers:
+      dashed_name: tls-client-supported-ciphers
+      description: Array of ciphers offered by the client during the client hello.
+      example: '["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+        "..."]'
+      flat_name: tls.client.supported_ciphers
+      ignore_above: 1024
+      level: extended
+      name: client.supported_ciphers
+      normalize:
+      - array
+      short: Array of ciphers offered by the client during the client hello.
+      type: keyword
+    tls.client.x509.alternative_names:
+      dashed_name: tls-client-x509-alternative-names
+      description: List of subject alternative names (SAN). Name types vary by certificate
+        authority and certificate type but commonly contain IP addresses, DNS names
+        (and wildcards), and email addresses.
+      example: '*.elastic.co'
+      flat_name: tls.client.x509.alternative_names
+      ignore_above: 1024
+      level: extended
+      name: alternative_names
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of subject alternative names (SAN).
+      type: keyword
+    tls.client.x509.issuer.common_name:
+      dashed_name: tls-client-x509-issuer-common-name
+      description: List of common name (CN) of issuing certificate authority.
+      example: Example SHA2 High Assurance Server CA
+      flat_name: tls.client.x509.issuer.common_name
+      ignore_above: 1024
+      level: extended
+      name: issuer.common_name
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of common name (CN) of issuing certificate authority.
+      type: keyword
+    tls.client.x509.issuer.country:
+      dashed_name: tls-client-x509-issuer-country
+      description: List of country (C) codes
+      example: US
+      flat_name: tls.client.x509.issuer.country
+      ignore_above: 1024
+      level: extended
+      name: issuer.country
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of country (C) codes
+      type: keyword
+    tls.client.x509.issuer.distinguished_name:
+      dashed_name: tls-client-x509-issuer-distinguished-name
+      description: Distinguished name (DN) of issuing certificate authority.
+      example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
+        Server CA
+      flat_name: tls.client.x509.issuer.distinguished_name
+      level: extended
+      name: issuer.distinguished_name
+      normalize: []
+      original_fieldset: x509
+      short: Distinguished name (DN) of issuing certificate authority.
+      type: wildcard
+    tls.client.x509.issuer.locality:
+      dashed_name: tls-client-x509-issuer-locality
+      description: List of locality names (L)
+      example: Mountain View
+      flat_name: tls.client.x509.issuer.locality
+      ignore_above: 1024
+      level: extended
+      name: issuer.locality
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of locality names (L)
+      type: keyword
+    tls.client.x509.issuer.organization:
+      dashed_name: tls-client-x509-issuer-organization
+      description: List of organizations (O) of issuing certificate authority.
+      example: Example Inc
+      flat_name: tls.client.x509.issuer.organization
+      ignore_above: 1024
+      level: extended
+      name: issuer.organization
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of organizations (O) of issuing certificate authority.
+      type: keyword
+    tls.client.x509.issuer.organizational_unit:
+      dashed_name: tls-client-x509-issuer-organizational-unit
+      description: List of organizational units (OU) of issuing certificate authority.
+      example: www.example.com
+      flat_name: tls.client.x509.issuer.organizational_unit
+      ignore_above: 1024
+      level: extended
+      name: issuer.organizational_unit
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of organizational units (OU) of issuing certificate authority.
+      type: keyword
+    tls.client.x509.issuer.state_or_province:
+      dashed_name: tls-client-x509-issuer-state-or-province
+      description: List of state or province names (ST, S, or P)
+      example: California
+      flat_name: tls.client.x509.issuer.state_or_province
+      ignore_above: 1024
+      level: extended
+      name: issuer.state_or_province
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of state or province names (ST, S, or P)
+      type: keyword
+    tls.client.x509.not_after:
+      dashed_name: tls-client-x509-not-after
+      description: Time at which the certificate is no longer considered valid.
+      example: 2020-07-16 03:15:39+00:00
+      flat_name: tls.client.x509.not_after
+      level: extended
+      name: not_after
+      normalize: []
+      original_fieldset: x509
+      short: Time at which the certificate is no longer considered valid.
+      type: date
+    tls.client.x509.not_before:
+      dashed_name: tls-client-x509-not-before
+      description: Time at which the certificate is first considered valid.
+      example: 2019-08-16 01:40:25+00:00
+      flat_name: tls.client.x509.not_before
+      level: extended
+      name: not_before
+      normalize: []
+      original_fieldset: x509
+      short: Time at which the certificate is first considered valid.
+      type: date
+    tls.client.x509.public_key_algorithm:
+      dashed_name: tls-client-x509-public-key-algorithm
+      description: Algorithm used to generate the public key.
+      example: RSA
+      flat_name: tls.client.x509.public_key_algorithm
+      ignore_above: 1024
+      level: extended
+      name: public_key_algorithm
+      normalize: []
+      original_fieldset: x509
+      short: Algorithm used to generate the public key.
+      type: keyword
+    tls.client.x509.public_key_curve:
+      dashed_name: tls-client-x509-public-key-curve
+      description: The curve used by the elliptic curve public key algorithm. This
+        is algorithm specific.
+      example: nistp521
+      flat_name: tls.client.x509.public_key_curve
+      ignore_above: 1024
+      level: extended
+      name: public_key_curve
+      normalize: []
+      original_fieldset: x509
+      short: The curve used by the elliptic curve public key algorithm. This is algorithm
+        specific.
+      type: keyword
+    tls.client.x509.public_key_exponent:
+      dashed_name: tls-client-x509-public-key-exponent
+      description: Exponent used to derive the public key. This is algorithm specific.
+      doc_values: false
+      example: 65537
+      flat_name: tls.client.x509.public_key_exponent
+      index: false
+      level: extended
+      name: public_key_exponent
+      normalize: []
+      original_fieldset: x509
+      short: Exponent used to derive the public key. This is algorithm specific.
+      type: long
+    tls.client.x509.public_key_size:
+      dashed_name: tls-client-x509-public-key-size
+      description: The size of the public key space in bits.
+      example: 2048
+      flat_name: tls.client.x509.public_key_size
+      level: extended
+      name: public_key_size
+      normalize: []
+      original_fieldset: x509
+      short: The size of the public key space in bits.
+      type: long
+    tls.client.x509.serial_number:
+      dashed_name: tls-client-x509-serial-number
+      description: Unique serial number issued by the certificate authority. For consistency,
+        if this value is alphanumeric, it should be formatted without colons and uppercase
+        characters.
+      example: 55FBB9C7DEBF09809D12CCAA
+      flat_name: tls.client.x509.serial_number
+      ignore_above: 1024
+      level: extended
+      name: serial_number
+      normalize: []
+      original_fieldset: x509
+      short: Unique serial number issued by the certificate authority.
+      type: keyword
+    tls.client.x509.signature_algorithm:
+      dashed_name: tls-client-x509-signature-algorithm
+      description: Identifier for certificate signature algorithm. We recommend using
+        names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
+      example: SHA256-RSA
+      flat_name: tls.client.x509.signature_algorithm
+      ignore_above: 1024
+      level: extended
+      name: signature_algorithm
+      normalize: []
+      original_fieldset: x509
+      short: Identifier for certificate signature algorithm.
+      type: keyword
+    tls.client.x509.subject.common_name:
+      dashed_name: tls-client-x509-subject-common-name
+      description: List of common names (CN) of subject.
+      example: shared.global.example.net
+      flat_name: tls.client.x509.subject.common_name
+      ignore_above: 1024
+      level: extended
+      name: subject.common_name
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of common names (CN) of subject.
+      type: keyword
+    tls.client.x509.subject.country:
+      dashed_name: tls-client-x509-subject-country
+      description: List of country (C) code
+      example: US
+      flat_name: tls.client.x509.subject.country
+      ignore_above: 1024
+      level: extended
+      name: subject.country
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of country (C) code
+      type: keyword
+    tls.client.x509.subject.distinguished_name:
+      dashed_name: tls-client-x509-subject-distinguished-name
+      description: Distinguished name (DN) of the certificate subject entity.
+      example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+      flat_name: tls.client.x509.subject.distinguished_name
+      level: extended
+      name: subject.distinguished_name
+      normalize: []
+      original_fieldset: x509
+      short: Distinguished name (DN) of the certificate subject entity.
+      type: wildcard
+    tls.client.x509.subject.locality:
+      dashed_name: tls-client-x509-subject-locality
+      description: List of locality names (L)
+      example: San Francisco
+      flat_name: tls.client.x509.subject.locality
+      ignore_above: 1024
+      level: extended
+      name: subject.locality
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of locality names (L)
+      type: keyword
+    tls.client.x509.subject.organization:
+      dashed_name: tls-client-x509-subject-organization
+      description: List of organizations (O) of subject.
+      example: Example, Inc.
+      flat_name: tls.client.x509.subject.organization
+      ignore_above: 1024
+      level: extended
+      name: subject.organization
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of organizations (O) of subject.
+      type: keyword
+    tls.client.x509.subject.organizational_unit:
+      dashed_name: tls-client-x509-subject-organizational-unit
+      description: List of organizational units (OU) of subject.
+      flat_name: tls.client.x509.subject.organizational_unit
+      ignore_above: 1024
+      level: extended
+      name: subject.organizational_unit
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of organizational units (OU) of subject.
+      type: keyword
+    tls.client.x509.subject.state_or_province:
+      dashed_name: tls-client-x509-subject-state-or-province
+      description: List of state or province names (ST, S, or P)
+      example: California
+      flat_name: tls.client.x509.subject.state_or_province
+      ignore_above: 1024
+      level: extended
+      name: subject.state_or_province
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of state or province names (ST, S, or P)
+      type: keyword
+    tls.client.x509.version_number:
+      dashed_name: tls-client-x509-version-number
+      description: Version of x509 format.
+      example: 3
+      flat_name: tls.client.x509.version_number
+      ignore_above: 1024
+      level: extended
+      name: version_number
+      normalize: []
+      original_fieldset: x509
+      short: Version of x509 format.
+      type: keyword
+    tls.curve:
+      dashed_name: tls-curve
+      description: String indicating the curve used for the given cipher, when applicable.
+      example: secp256r1
+      flat_name: tls.curve
+      ignore_above: 1024
+      level: extended
+      name: curve
+      normalize: []
+      short: String indicating the curve used for the given cipher, when applicable.
+      type: keyword
+    tls.established:
+      dashed_name: tls-established
+      description: Boolean flag indicating if the TLS negotiation was successful and
+        transitioned to an encrypted tunnel.
+      flat_name: tls.established
+      level: extended
+      name: established
+      normalize: []
+      short: Boolean flag indicating if the TLS negotiation was successful and transitioned
+        to an encrypted tunnel.
+      type: boolean
+    tls.next_protocol:
+      dashed_name: tls-next-protocol
+      description: String indicating the protocol being tunneled. Per the values in
+        the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids),
+        this string should be lower case.
+      example: http/1.1
+      flat_name: tls.next_protocol
+      ignore_above: 1024
+      level: extended
+      name: next_protocol
+      normalize: []
+      short: String indicating the protocol being tunneled.
+      type: keyword
+    tls.resumed:
+      dashed_name: tls-resumed
+      description: Boolean flag indicating if this TLS connection was resumed from
+        an existing TLS negotiation.
+      flat_name: tls.resumed
+      level: extended
+      name: resumed
+      normalize: []
+      short: Boolean flag indicating if this TLS connection was resumed from an existing
+        TLS negotiation.
+      type: boolean
+    tls.server.certificate:
+      dashed_name: tls-server-certificate
+      description: PEM-encoded stand-alone certificate offered by the server. This
+        is usually mutually-exclusive of `server.certificate_chain` since this value
+        also exists in that list.
+      example: MII...
+      flat_name: tls.server.certificate
+      ignore_above: 1024
+      level: extended
+      name: server.certificate
+      normalize: []
+      short: PEM-encoded stand-alone certificate offered by the server.
+      type: keyword
+    tls.server.certificate_chain:
+      dashed_name: tls-server-certificate-chain
+      description: Array of PEM-encoded certificates that make up the certificate
+        chain offered by the server. This is usually mutually-exclusive of `server.certificate`
+        since that value should be the first certificate in the chain.
+      example: '["MII...", "MII..."]'
+      flat_name: tls.server.certificate_chain
+      ignore_above: 1024
+      level: extended
+      name: server.certificate_chain
+      normalize:
+      - array
+      short: Array of PEM-encoded certificates that make up the certificate chain
+        offered by the server.
+      type: keyword
+    tls.server.hash.md5:
+      dashed_name: tls-server-hash-md5
+      description: Certificate fingerprint using the MD5 digest of DER-encoded version
+        of certificate offered by the server. For consistency with other hash values,
+        this value should be formatted as an uppercase hash.
+      example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
+      flat_name: tls.server.hash.md5
+      ignore_above: 1024
+      level: extended
+      name: server.hash.md5
+      normalize: []
+      short: Certificate fingerprint using the MD5 digest of DER-encoded version of
+        certificate offered by the server.
+      type: keyword
+    tls.server.hash.sha1:
+      dashed_name: tls-server-hash-sha1
+      description: Certificate fingerprint using the SHA1 digest of DER-encoded version
+        of certificate offered by the server. For consistency with other hash values,
+        this value should be formatted as an uppercase hash.
+      example: 9E393D93138888D288266C2D915214D1D1CCEB2A
+      flat_name: tls.server.hash.sha1
+      ignore_above: 1024
+      level: extended
+      name: server.hash.sha1
+      normalize: []
+      short: Certificate fingerprint using the SHA1 digest of DER-encoded version
+        of certificate offered by the server.
+      type: keyword
+    tls.server.hash.sha256:
+      dashed_name: tls-server-hash-sha256
+      description: Certificate fingerprint using the SHA256 digest of DER-encoded
+        version of certificate offered by the server. For consistency with other hash
+        values, this value should be formatted as an uppercase hash.
+      example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
+      flat_name: tls.server.hash.sha256
+      ignore_above: 1024
+      level: extended
+      name: server.hash.sha256
+      normalize: []
+      short: Certificate fingerprint using the SHA256 digest of DER-encoded version
+        of certificate offered by the server.
+      type: keyword
+    tls.server.issuer:
+      dashed_name: tls-server-issuer
+      description: Subject of the issuer of the x.509 certificate presented by the
+        server.
+      example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
+      flat_name: tls.server.issuer
+      level: extended
+      name: server.issuer
+      normalize: []
+      short: Subject of the issuer of the x.509 certificate presented by the server.
+      type: wildcard
+    tls.server.ja3s:
+      dashed_name: tls-server-ja3s
+      description: A hash that identifies servers based on how they perform an SSL/TLS
+        handshake.
+      example: 394441ab65754e2207b1e1b457b3641d
+      flat_name: tls.server.ja3s
+      ignore_above: 1024
+      level: extended
+      name: server.ja3s
+      normalize: []
+      short: A hash that identifies servers based on how they perform an SSL/TLS handshake.
+      type: keyword
+    tls.server.not_after:
+      dashed_name: tls-server-not-after
+      description: Timestamp indicating when server certificate is no longer considered
+        valid.
+      example: '2021-01-01T00:00:00.000Z'
+      flat_name: tls.server.not_after
+      level: extended
+      name: server.not_after
+      normalize: []
+      short: Timestamp indicating when server certificate is no longer considered
+        valid.
+      type: date
+    tls.server.not_before:
+      dashed_name: tls-server-not-before
+      description: Timestamp indicating when server certificate is first considered
+        valid.
+      example: '1970-01-01T00:00:00.000Z'
+      flat_name: tls.server.not_before
+      level: extended
+      name: server.not_before
+      normalize: []
+      short: Timestamp indicating when server certificate is first considered valid.
+      type: date
+    tls.server.subject:
+      dashed_name: tls-server-subject
+      description: Subject of the x.509 certificate presented by the server.
+      example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com
+      flat_name: tls.server.subject
+      level: extended
+      name: server.subject
+      normalize: []
+      short: Subject of the x.509 certificate presented by the server.
+      type: wildcard
+    tls.server.x509.alternative_names:
+      dashed_name: tls-server-x509-alternative-names
+      description: List of subject alternative names (SAN). Name types vary by certificate
+        authority and certificate type but commonly contain IP addresses, DNS names
+        (and wildcards), and email addresses.
+      example: '*.elastic.co'
+      flat_name: tls.server.x509.alternative_names
+      ignore_above: 1024
+      level: extended
+      name: alternative_names
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of subject alternative names (SAN).
+      type: keyword
+    tls.server.x509.issuer.common_name:
+      dashed_name: tls-server-x509-issuer-common-name
+      description: List of common name (CN) of issuing certificate authority.
+      example: Example SHA2 High Assurance Server CA
+      flat_name: tls.server.x509.issuer.common_name
+      ignore_above: 1024
+      level: extended
+      name: issuer.common_name
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of common name (CN) of issuing certificate authority.
+      type: keyword
+    tls.server.x509.issuer.country:
+      dashed_name: tls-server-x509-issuer-country
+      description: List of country (C) codes
+      example: US
+      flat_name: tls.server.x509.issuer.country
+      ignore_above: 1024
+      level: extended
+      name: issuer.country
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of country (C) codes
+      type: keyword
+    tls.server.x509.issuer.distinguished_name:
+      dashed_name: tls-server-x509-issuer-distinguished-name
+      description: Distinguished name (DN) of issuing certificate authority.
+      example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
+        Server CA
+      flat_name: tls.server.x509.issuer.distinguished_name
+      level: extended
+      name: issuer.distinguished_name
+      normalize: []
+      original_fieldset: x509
+      short: Distinguished name (DN) of issuing certificate authority.
+      type: wildcard
+    tls.server.x509.issuer.locality:
+      dashed_name: tls-server-x509-issuer-locality
+      description: List of locality names (L)
+      example: Mountain View
+      flat_name: tls.server.x509.issuer.locality
+      ignore_above: 1024
+      level: extended
+      name: issuer.locality
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of locality names (L)
+      type: keyword
+    tls.server.x509.issuer.organization:
+      dashed_name: tls-server-x509-issuer-organization
+      description: List of organizations (O) of issuing certificate authority.
+      example: Example Inc
+      flat_name: tls.server.x509.issuer.organization
+      ignore_above: 1024
+      level: extended
+      name: issuer.organization
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of organizations (O) of issuing certificate authority.
+      type: keyword
+    tls.server.x509.issuer.organizational_unit:
+      dashed_name: tls-server-x509-issuer-organizational-unit
+      description: List of organizational units (OU) of issuing certificate authority.
+      example: www.example.com
+      flat_name: tls.server.x509.issuer.organizational_unit
+      ignore_above: 1024
+      level: extended
+      name: issuer.organizational_unit
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of organizational units (OU) of issuing certificate authority.
+      type: keyword
+    tls.server.x509.issuer.state_or_province:
+      dashed_name: tls-server-x509-issuer-state-or-province
+      description: List of state or province names (ST, S, or P)
+      example: California
+      flat_name: tls.server.x509.issuer.state_or_province
+      ignore_above: 1024
+      level: extended
+      name: issuer.state_or_province
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of state or province names (ST, S, or P)
+      type: keyword
+    tls.server.x509.not_after:
+      dashed_name: tls-server-x509-not-after
+      description: Time at which the certificate is no longer considered valid.
+      example: 2020-07-16 03:15:39+00:00
+      flat_name: tls.server.x509.not_after
+      level: extended
+      name: not_after
+      normalize: []
+      original_fieldset: x509
+      short: Time at which the certificate is no longer considered valid.
+      type: date
+    tls.server.x509.not_before:
+      dashed_name: tls-server-x509-not-before
+      description: Time at which the certificate is first considered valid.
+      example: 2019-08-16 01:40:25+00:00
+      flat_name: tls.server.x509.not_before
+      level: extended
+      name: not_before
+      normalize: []
+      original_fieldset: x509
+      short: Time at which the certificate is first considered valid.
+      type: date
+    tls.server.x509.public_key_algorithm:
+      dashed_name: tls-server-x509-public-key-algorithm
+      description: Algorithm used to generate the public key.
+      example: RSA
+      flat_name: tls.server.x509.public_key_algorithm
+      ignore_above: 1024
+      level: extended
+      name: public_key_algorithm
+      normalize: []
+      original_fieldset: x509
+      short: Algorithm used to generate the public key.
+      type: keyword
+    tls.server.x509.public_key_curve:
+      dashed_name: tls-server-x509-public-key-curve
+      description: The curve used by the elliptic curve public key algorithm. This
+        is algorithm specific.
+      example: nistp521
+      flat_name: tls.server.x509.public_key_curve
+      ignore_above: 1024
+      level: extended
+      name: public_key_curve
+      normalize: []
+      original_fieldset: x509
+      short: The curve used by the elliptic curve public key algorithm. This is algorithm
+        specific.
+      type: keyword
+    tls.server.x509.public_key_exponent:
+      dashed_name: tls-server-x509-public-key-exponent
+      description: Exponent used to derive the public key. This is algorithm specific.
+      doc_values: false
+      example: 65537
+      flat_name: tls.server.x509.public_key_exponent
+      index: false
+      level: extended
+      name: public_key_exponent
+      normalize: []
+      original_fieldset: x509
+      short: Exponent used to derive the public key. This is algorithm specific.
+      type: long
+    tls.server.x509.public_key_size:
+      dashed_name: tls-server-x509-public-key-size
+      description: The size of the public key space in bits.
+      example: 2048
+      flat_name: tls.server.x509.public_key_size
+      level: extended
+      name: public_key_size
+      normalize: []
+      original_fieldset: x509
+      short: The size of the public key space in bits.
+      type: long
+    tls.server.x509.serial_number:
+      dashed_name: tls-server-x509-serial-number
+      description: Unique serial number issued by the certificate authority. For consistency,
+        if this value is alphanumeric, it should be formatted without colons and uppercase
+        characters.
+      example: 55FBB9C7DEBF09809D12CCAA
+      flat_name: tls.server.x509.serial_number
+      ignore_above: 1024
+      level: extended
+      name: serial_number
+      normalize: []
+      original_fieldset: x509
+      short: Unique serial number issued by the certificate authority.
+      type: keyword
+    tls.server.x509.signature_algorithm:
+      dashed_name: tls-server-x509-signature-algorithm
+      description: Identifier for certificate signature algorithm. We recommend using
+        names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
+      example: SHA256-RSA
+      flat_name: tls.server.x509.signature_algorithm
+      ignore_above: 1024
+      level: extended
+      name: signature_algorithm
+      normalize: []
+      original_fieldset: x509
+      short: Identifier for certificate signature algorithm.
+      type: keyword
+    tls.server.x509.subject.common_name:
+      dashed_name: tls-server-x509-subject-common-name
+      description: List of common names (CN) of subject.
+      example: shared.global.example.net
+      flat_name: tls.server.x509.subject.common_name
+      ignore_above: 1024
+      level: extended
+      name: subject.common_name
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of common names (CN) of subject.
+      type: keyword
+    tls.server.x509.subject.country:
+      dashed_name: tls-server-x509-subject-country
+      description: List of country (C) code
+      example: US
+      flat_name: tls.server.x509.subject.country
+      ignore_above: 1024
+      level: extended
+      name: subject.country
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of country (C) code
+      type: keyword
+    tls.server.x509.subject.distinguished_name:
+      dashed_name: tls-server-x509-subject-distinguished-name
+      description: Distinguished name (DN) of the certificate subject entity.
+      example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+      flat_name: tls.server.x509.subject.distinguished_name
+      level: extended
+      name: subject.distinguished_name
+      normalize: []
+      original_fieldset: x509
+      short: Distinguished name (DN) of the certificate subject entity.
+      type: wildcard
+    tls.server.x509.subject.locality:
+      dashed_name: tls-server-x509-subject-locality
+      description: List of locality names (L)
+      example: San Francisco
+      flat_name: tls.server.x509.subject.locality
+      ignore_above: 1024
+      level: extended
+      name: subject.locality
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of locality names (L)
+      type: keyword
+    tls.server.x509.subject.organization:
+      dashed_name: tls-server-x509-subject-organization
+      description: List of organizations (O) of subject.
+      example: Example, Inc.
+      flat_name: tls.server.x509.subject.organization
+      ignore_above: 1024
+      level: extended
+      name: subject.organization
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of organizations (O) of subject.
+      type: keyword
+    tls.server.x509.subject.organizational_unit:
+      dashed_name: tls-server-x509-subject-organizational-unit
+      description: List of organizational units (OU) of subject.
+      flat_name: tls.server.x509.subject.organizational_unit
+      ignore_above: 1024
+      level: extended
+      name: subject.organizational_unit
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of organizational units (OU) of subject.
+      type: keyword
+    tls.server.x509.subject.state_or_province:
+      dashed_name: tls-server-x509-subject-state-or-province
+      description: List of state or province names (ST, S, or P)
+      example: California
+      flat_name: tls.server.x509.subject.state_or_province
+      ignore_above: 1024
+      level: extended
+      name: subject.state_or_province
+      normalize:
+      - array
+      original_fieldset: x509
+      short: List of state or province names (ST, S, or P)
+      type: keyword
+    tls.server.x509.version_number:
+      dashed_name: tls-server-x509-version-number
+      description: Version of x509 format.
+      example: 3
+      flat_name: tls.server.x509.version_number
+      ignore_above: 1024
+      level: extended
+      name: version_number
+      normalize: []
+      original_fieldset: x509
+      short: Version of x509 format.
+      type: keyword
+    tls.version:
+      dashed_name: tls-version
+      description: Numeric part of the version parsed from the original string.
+      example: '1.2'
+      flat_name: tls.version
+      ignore_above: 1024
+      level: extended
+      name: version
+      normalize: []
+      short: Numeric part of the version parsed from the original string.
+      type: keyword
+    tls.version_protocol:
+      dashed_name: tls-version-protocol
+      description: Normalized lowercase protocol name parsed from original string.
+      example: tls
+      flat_name: tls.version_protocol
+      ignore_above: 1024
+      level: extended
+      name: version_protocol
+      normalize: []
+      short: Normalized lowercase protocol name parsed from original string.
+      type: keyword
+  group: 2
+  name: tls
+  nestings:
+  - tls.client.x509
+  - tls.server.x509
+  prefix: tls.
+  reused_here:
+  - full: tls.client.x509
+    schema_name: x509
+    short: These fields contain x509 certificate metadata.
+  - full: tls.server.x509
+    schema_name: x509
+    short: These fields contain x509 certificate metadata.
+  short: Fields describing a TLS connection.
+  title: TLS
+  type: group
+tracing:
+  description: Distributed tracing makes it possible to analyze performance throughout
+    a microservice architecture all in one view. This is accomplished by tracing all
+    of the requests - from the initial web request in the front-end service - to queries
+    made through multiple back-end services.
+  fields:
+    span.id:
+      dashed_name: span-id
+      description: 'Unique identifier of the span within the scope of its trace.
+
+        A span represents an operation within a transaction, such as a request to
+        another service, or a database query.'
+      example: 3ff9a8981b7ccd5a
+      flat_name: span.id
+      ignore_above: 1024
+      level: extended
+      name: span.id
+      normalize: []
+      short: Unique identifier of the span within the scope of its trace.
+      type: keyword
+    trace.id:
+      dashed_name: trace-id
+      description: 'Unique identifier of the trace.
+
+        A trace groups multiple events like transactions that belong together. For
+        example, a user request handled by multiple inter-connected services.'
+      example: 4bf92f3577b34da6a3ce929d0e0e4736
+      flat_name: trace.id
+      ignore_above: 1024
+      level: extended
+      name: trace.id
+      normalize: []
+      short: Unique identifier of the trace.
+      type: keyword
+    transaction.id:
+      dashed_name: transaction-id
+      description: 'Unique identifier of the transaction within the scope of its trace.
+
+        A transaction is the highest level of work measured within a service, such
+        as a request to a server.'
+      example: 00f067aa0ba902b7
+      flat_name: transaction.id
+      ignore_above: 1024
+      level: extended
+      name: transaction.id
+      normalize: []
+      short: Unique identifier of the transaction within the scope of its trace.
+      type: keyword
+  group: 2
+  name: tracing
+  prefix: ''
+  root: true
+  short: Fields related to distributed tracing.
+  title: Tracing
+  type: group
+url:
+  description: URL fields provide support for complete or partial URLs, and supports
+    the breaking down into scheme, domain, path, and so on.
+  fields:
+    url.domain:
+      dashed_name: url-domain
+      description: 'Domain of the url, such as "www.elastic.co".
+
+        In some cases a URL may refer to an IP and/or port directly, without a domain
+        name. In this case, the IP address would go to the `domain` field.'
+      example: www.elastic.co
+      flat_name: url.domain
+      level: extended
+      name: domain
+      normalize: []
+      short: Domain of the url.
+      type: wildcard
+    url.extension:
+      dashed_name: url-extension
+      description: 'The field contains the file extension from the original request
+        url.
+
+        The file extension is only set if it exists, as not every url has a file extension.
+
+        The leading period must not be included. For example, the value must be "png",
+        not ".png".'
+      example: png
+      flat_name: url.extension
+      ignore_above: 1024
+      level: extended
+      name: extension
+      normalize: []
+      short: File extension from the original request url.
+      type: keyword
+    url.fragment:
+      dashed_name: url-fragment
+      description: 'Portion of the url after the `#`, such as "top".
+
+        The `#` is not part of the fragment.'
+      flat_name: url.fragment
+      ignore_above: 1024
+      level: extended
+      name: fragment
+      normalize: []
+      short: Portion of the url after the `#`.
+      type: keyword
+    url.full:
+      dashed_name: url-full
+      description: If full URLs are important to your use case, they should be stored
+        in `url.full`, whether this field is reconstructed or present in the event
+        source.
+      example: https://www.elastic.co:443/search?q=elasticsearch#top
+      flat_name: url.full
+      level: extended
+      multi_fields:
+      - flat_name: url.full.text
+        name: text
+        norms: false
+        type: text
+      name: full
+      normalize: []
+      short: Full unparsed URL.
+      type: wildcard
+    url.original:
+      dashed_name: url-original
+      description: 'Unmodified original url as seen in the event source.
+
+        Note that in network monitoring, the observed URL may be a full URL, whereas
+        in access logs, the URL is often just represented as a path.
+
+        This field is meant to represent the URL as it was observed, complete or not.'
+      example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
+      flat_name: url.original
+      level: extended
+      multi_fields:
+      - flat_name: url.original.text
+        name: text
+        norms: false
+        type: text
+      name: original
+      normalize: []
+      short: Unmodified original url as seen in the event source.
+      type: wildcard
+    url.password:
+      dashed_name: url-password
+      description: Password of the request.
+      flat_name: url.password
+      ignore_above: 1024
+      level: extended
+      name: password
+      normalize: []
+      short: Password of the request.
+      type: keyword
+    url.path:
+      dashed_name: url-path
+      description: Path of the request, such as "/search".
+      flat_name: url.path
+      level: extended
+      name: path
+      normalize: []
+      short: Path of the request, such as "/search".
+      type: wildcard
+    url.port:
+      dashed_name: url-port
+      description: Port of the request, such as 443.
+      example: 443
+      flat_name: url.port
+      format: string
+      level: extended
+      name: port
+      normalize: []
+      short: Port of the request, such as 443.
+      type: long
+    url.query:
+      dashed_name: url-query
+      description: 'The query field describes the query string of the request, such
+        as "q=elasticsearch".
+
+        The `?` is excluded from the query string. If a URL contains no `?`, there
+        is no query field. If there is a `?` but no query, the query field exists
+        with an empty string. The `exists` query can be used to differentiate between
+        the two cases.'
+      flat_name: url.query
+      ignore_above: 1024
+      level: extended
+      name: query
+      normalize: []
+      short: Query string of the request.
+      type: keyword
+    url.registered_domain:
+      dashed_name: url-registered-domain
+      description: 'The highest registered url domain, stripped of the subdomain.
+
+        For example, the registered domain for "foo.example.com" is "example.com".
+
+        This value can be determined precisely with a list like the public suffix
+        list (http://publicsuffix.org). Trying to approximate this by simply taking
+        the last two labels will not work well for TLDs such as "co.uk".'
+      example: example.com
+      flat_name: url.registered_domain
+      level: extended
+      name: registered_domain
+      normalize: []
+      short: The highest registered url domain, stripped of the subdomain.
+      type: wildcard
+    url.scheme:
+      dashed_name: url-scheme
+      description: 'Scheme of the request, such as "https".
+
+        Note: The `:` is not part of the scheme.'
+      example: https
+      flat_name: url.scheme
+      ignore_above: 1024
+      level: extended
+      name: scheme
+      normalize: []
+      short: Scheme of the url.
+      type: keyword
+    url.subdomain:
+      dashed_name: url-subdomain
+      description: 'The subdomain portion of a fully qualified domain name includes
+        all of the names except the host name under the registered_domain.  In a partially
+        qualified domain, or if the the qualification level of the full name cannot
+        be determined, subdomain contains all of the names below the registered domain.
+
+        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.'
+      example: east
+      flat_name: url.subdomain
+      ignore_above: 1024
+      level: extended
+      name: subdomain
+      normalize: []
+      short: The subdomain of the domain.
+      type: keyword
+    url.top_level_domain:
+      dashed_name: url-top-level-domain
+      description: 'The effective top level domain (eTLD), also known as the domain
+        suffix, is the last part of the domain name. For example, the top level domain
+        for example.com is "com".
+
+        This value can be determined precisely with a list like the public suffix
+        list (http://publicsuffix.org). Trying to approximate this by simply taking
+        the last label will not work well for effective TLDs such as "co.uk".'
+      example: co.uk
+      flat_name: url.top_level_domain
+      ignore_above: 1024
+      level: extended
+      name: top_level_domain
+      normalize: []
+      short: The effective top level domain (com, org, net, co.uk).
+      type: keyword
+    url.username:
+      dashed_name: url-username
+      description: Username of the request.
+      flat_name: url.username
+      ignore_above: 1024
+      level: extended
+      name: username
+      normalize: []
+      short: Username of the request.
+      type: keyword
+  group: 2
+  name: url
+  prefix: url.
+  short: Fields that let you store URLs in various forms.
+  title: URL
+  type: group
+user:
+  description: 'The user fields describe information about the user that is relevant
+    to the event.
+
+    Fields can have one entry or multiple entries. If a user has more than one id,
+    provide an array that includes all of them.'
+  fields:
+    user.changes.domain:
+      dashed_name: user-changes-domain
+      description: 'Name of the directory the user is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      flat_name: user.changes.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      original_fieldset: user
+      short: Name of the directory the user is a member of.
+      type: keyword
+    user.changes.email:
+      dashed_name: user-changes-email
+      description: User email address.
+      flat_name: user.changes.email
+      level: extended
+      name: email
+      normalize: []
+      original_fieldset: user
+      short: User email address.
+      type: wildcard
+    user.changes.full_name:
+      dashed_name: user-changes-full-name
+      description: User's full name, if available.
+      example: Albert Einstein
+      flat_name: user.changes.full_name
+      level: extended
+      multi_fields:
+      - flat_name: user.changes.full_name.text
+        name: text
+        norms: false
+        type: text
+      name: full_name
+      normalize: []
+      original_fieldset: user
+      short: User's full name, if available.
+      type: wildcard
+    user.changes.group.domain:
+      dashed_name: user-changes-group-domain
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      flat_name: user.changes.group.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      original_fieldset: group
+      short: Name of the directory the group is a member of.
+      type: keyword
+    user.changes.group.id:
+      dashed_name: user-changes-group-id
+      description: Unique identifier for the group on the system/platform.
+      flat_name: user.changes.group.id
+      ignore_above: 1024
+      level: extended
+      name: id
+      normalize: []
+      original_fieldset: group
+      short: Unique identifier for the group on the system/platform.
+      type: keyword
+    user.changes.group.name:
+      dashed_name: user-changes-group-name
+      description: Name of the group.
+      flat_name: user.changes.group.name
+      ignore_above: 1024
+      level: extended
+      name: name
+      normalize: []
+      original_fieldset: group
+      short: Name of the group.
+      type: keyword
+    user.changes.hash:
+      dashed_name: user-changes-hash
+      description: 'Unique user hash to correlate information for a user in anonymized
+        form.
+
+        Useful if `user.id` or `user.name` contain confidential information and cannot
+        be used.'
+      flat_name: user.changes.hash
+      ignore_above: 1024
+      level: extended
+      name: hash
+      normalize: []
+      original_fieldset: user
+      short: Unique user hash to correlate information for a user in anonymized form.
+      type: keyword
+    user.changes.id:
+      dashed_name: user-changes-id
+      description: Unique identifier of the user.
+      flat_name: user.changes.id
+      ignore_above: 1024
+      level: core
+      name: id
+      normalize: []
+      original_fieldset: user
+      short: Unique identifier of the user.
+      type: keyword
+    user.changes.name:
+      dashed_name: user-changes-name
+      description: Short name or login of the user.
+      example: albert
+      flat_name: user.changes.name
+      level: core
+      multi_fields:
+      - flat_name: user.changes.name.text
+        name: text
+        norms: false
+        type: text
+      name: name
+      normalize: []
+      original_fieldset: user
+      short: Short name or login of the user.
+      type: wildcard
+    user.changes.roles:
+      dashed_name: user-changes-roles
+      description: Array of user roles at the time of the event.
+      example: '["kibana_admin", "reporting_user"]'
+      flat_name: user.changes.roles
+      ignore_above: 1024
+      level: extended
+      name: roles
+      normalize:
+      - array
+      original_fieldset: user
+      short: Array of user roles at the time of the event.
+      type: keyword
+    user.domain:
+      dashed_name: user-domain
+      description: 'Name of the directory the user is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      flat_name: user.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      short: Name of the directory the user is a member of.
+      type: keyword
+    user.effective.domain:
+      dashed_name: user-effective-domain
+      description: 'Name of the directory the user is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      flat_name: user.effective.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      original_fieldset: user
+      short: Name of the directory the user is a member of.
+      type: keyword
+    user.effective.email:
+      dashed_name: user-effective-email
+      description: User email address.
+      flat_name: user.effective.email
+      level: extended
+      name: email
+      normalize: []
+      original_fieldset: user
+      short: User email address.
+      type: wildcard
+    user.effective.full_name:
+      dashed_name: user-effective-full-name
+      description: User's full name, if available.
+      example: Albert Einstein
+      flat_name: user.effective.full_name
+      level: extended
+      multi_fields:
+      - flat_name: user.effective.full_name.text
+        name: text
+        norms: false
+        type: text
+      name: full_name
+      normalize: []
+      original_fieldset: user
+      short: User's full name, if available.
+      type: wildcard
+    user.effective.group.domain:
+      dashed_name: user-effective-group-domain
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      flat_name: user.effective.group.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      original_fieldset: group
+      short: Name of the directory the group is a member of.
+      type: keyword
+    user.effective.group.id:
+      dashed_name: user-effective-group-id
+      description: Unique identifier for the group on the system/platform.
+      flat_name: user.effective.group.id
+      ignore_above: 1024
+      level: extended
+      name: id
+      normalize: []
+      original_fieldset: group
+      short: Unique identifier for the group on the system/platform.
+      type: keyword
+    user.effective.group.name:
+      dashed_name: user-effective-group-name
+      description: Name of the group.
+      flat_name: user.effective.group.name
+      ignore_above: 1024
+      level: extended
+      name: name
+      normalize: []
+      original_fieldset: group
+      short: Name of the group.
+      type: keyword
+    user.effective.hash:
+      dashed_name: user-effective-hash
+      description: 'Unique user hash to correlate information for a user in anonymized
+        form.
+
+        Useful if `user.id` or `user.name` contain confidential information and cannot
+        be used.'
+      flat_name: user.effective.hash
+      ignore_above: 1024
+      level: extended
+      name: hash
+      normalize: []
+      original_fieldset: user
+      short: Unique user hash to correlate information for a user in anonymized form.
+      type: keyword
+    user.effective.id:
+      dashed_name: user-effective-id
+      description: Unique identifier of the user.
+      flat_name: user.effective.id
+      ignore_above: 1024
+      level: core
+      name: id
+      normalize: []
+      original_fieldset: user
+      short: Unique identifier of the user.
+      type: keyword
+    user.effective.name:
+      dashed_name: user-effective-name
+      description: Short name or login of the user.
+      example: albert
+      flat_name: user.effective.name
+      level: core
+      multi_fields:
+      - flat_name: user.effective.name.text
+        name: text
+        norms: false
+        type: text
+      name: name
+      normalize: []
+      original_fieldset: user
+      short: Short name or login of the user.
+      type: wildcard
+    user.effective.roles:
+      dashed_name: user-effective-roles
+      description: Array of user roles at the time of the event.
+      example: '["kibana_admin", "reporting_user"]'
+      flat_name: user.effective.roles
+      ignore_above: 1024
+      level: extended
+      name: roles
+      normalize:
+      - array
+      original_fieldset: user
+      short: Array of user roles at the time of the event.
+      type: keyword
+    user.email:
+      dashed_name: user-email
+      description: User email address.
+      flat_name: user.email
+      level: extended
+      name: email
+      normalize: []
+      short: User email address.
+      type: wildcard
+    user.full_name:
+      dashed_name: user-full-name
+      description: User's full name, if available.
+      example: Albert Einstein
+      flat_name: user.full_name
+      level: extended
+      multi_fields:
+      - flat_name: user.full_name.text
+        name: text
+        norms: false
+        type: text
+      name: full_name
+      normalize: []
+      short: User's full name, if available.
+      type: wildcard
+    user.group.domain:
+      dashed_name: user-group-domain
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      flat_name: user.group.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      original_fieldset: group
+      short: Name of the directory the group is a member of.
+      type: keyword
+    user.group.id:
+      dashed_name: user-group-id
+      description: Unique identifier for the group on the system/platform.
+      flat_name: user.group.id
+      ignore_above: 1024
+      level: extended
+      name: id
+      normalize: []
+      original_fieldset: group
+      short: Unique identifier for the group on the system/platform.
+      type: keyword
+    user.group.name:
+      dashed_name: user-group-name
+      description: Name of the group.
+      flat_name: user.group.name
+      ignore_above: 1024
+      level: extended
+      name: name
+      normalize: []
+      original_fieldset: group
+      short: Name of the group.
+      type: keyword
+    user.hash:
+      dashed_name: user-hash
+      description: 'Unique user hash to correlate information for a user in anonymized
+        form.
+
+        Useful if `user.id` or `user.name` contain confidential information and cannot
+        be used.'
+      flat_name: user.hash
+      ignore_above: 1024
+      level: extended
+      name: hash
+      normalize: []
+      short: Unique user hash to correlate information for a user in anonymized form.
+      type: keyword
+    user.id:
+      dashed_name: user-id
+      description: Unique identifier of the user.
+      flat_name: user.id
+      ignore_above: 1024
+      level: core
+      name: id
+      normalize: []
+      short: Unique identifier of the user.
+      type: keyword
+    user.name:
+      dashed_name: user-name
+      description: Short name or login of the user.
+      example: albert
+      flat_name: user.name
+      level: core
+      multi_fields:
+      - flat_name: user.name.text
+        name: text
+        norms: false
+        type: text
+      name: name
+      normalize: []
+      short: Short name or login of the user.
+      type: wildcard
+    user.roles:
+      dashed_name: user-roles
+      description: Array of user roles at the time of the event.
+      example: '["kibana_admin", "reporting_user"]'
+      flat_name: user.roles
+      ignore_above: 1024
+      level: extended
+      name: roles
+      normalize:
+      - array
+      short: Array of user roles at the time of the event.
+      type: keyword
+    user.target.domain:
+      dashed_name: user-target-domain
+      description: 'Name of the directory the user is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      flat_name: user.target.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      original_fieldset: user
+      short: Name of the directory the user is a member of.
+      type: keyword
+    user.target.email:
+      dashed_name: user-target-email
+      description: User email address.
+      flat_name: user.target.email
+      level: extended
+      name: email
+      normalize: []
+      original_fieldset: user
+      short: User email address.
+      type: wildcard
+    user.target.full_name:
+      dashed_name: user-target-full-name
+      description: User's full name, if available.
+      example: Albert Einstein
+      flat_name: user.target.full_name
+      level: extended
+      multi_fields:
+      - flat_name: user.target.full_name.text
+        name: text
+        norms: false
+        type: text
+      name: full_name
+      normalize: []
+      original_fieldset: user
+      short: User's full name, if available.
+      type: wildcard
+    user.target.group.domain:
+      dashed_name: user-target-group-domain
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      flat_name: user.target.group.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      original_fieldset: group
+      short: Name of the directory the group is a member of.
+      type: keyword
+    user.target.group.id:
+      dashed_name: user-target-group-id
+      description: Unique identifier for the group on the system/platform.
+      flat_name: user.target.group.id
+      ignore_above: 1024
+      level: extended
+      name: id
+      normalize: []
+      original_fieldset: group
+      short: Unique identifier for the group on the system/platform.
+      type: keyword
+    user.target.group.name:
+      dashed_name: user-target-group-name
+      description: Name of the group.
+      flat_name: user.target.group.name
+      ignore_above: 1024
+      level: extended
+      name: name
+      normalize: []
+      original_fieldset: group
+      short: Name of the group.
+      type: keyword
+    user.target.hash:
+      dashed_name: user-target-hash
+      description: 'Unique user hash to correlate information for a user in anonymized
+        form.
+
+        Useful if `user.id` or `user.name` contain confidential information and cannot
+        be used.'
+      flat_name: user.target.hash
+      ignore_above: 1024
+      level: extended
+      name: hash
+      normalize: []
+      original_fieldset: user
+      short: Unique user hash to correlate information for a user in anonymized form.
+      type: keyword
+    user.target.id:
+      dashed_name: user-target-id
+      description: Unique identifier of the user.
+      flat_name: user.target.id
+      ignore_above: 1024
+      level: core
+      name: id
+      normalize: []
+      original_fieldset: user
+      short: Unique identifier of the user.
+      type: keyword
+    user.target.name:
+      dashed_name: user-target-name
+      description: Short name or login of the user.
+      example: albert
+      flat_name: user.target.name
+      level: core
+      multi_fields:
+      - flat_name: user.target.name.text
+        name: text
+        norms: false
+        type: text
+      name: name
+      normalize: []
+      original_fieldset: user
+      short: Short name or login of the user.
+      type: wildcard
+    user.target.roles:
+      dashed_name: user-target-roles
+      description: Array of user roles at the time of the event.
+      example: '["kibana_admin", "reporting_user"]'
+      flat_name: user.target.roles
+      ignore_above: 1024
+      level: extended
+      name: roles
+      normalize:
+      - array
+      original_fieldset: user
+      short: Array of user roles at the time of the event.
+      type: keyword
+  group: 2
+  name: user
+  nestings:
+  - user.changes
+  - user.effective
+  - user.group
+  - user.target
+  prefix: user.
+  reusable:
+    expected:
+    - as: user
+      at: client
+      full: client.user
+    - as: user
+      at: destination
+      full: destination.user
+    - as: user
+      at: host
+      full: host.user
+    - as: user
+      at: server
+      full: server.user
+    - as: user
+      at: source
+      full: source.user
+    - as: target
+      at: user
+      full: user.target
+    - as: effective
+      at: user
+      full: user.effective
+    - as: changes
+      at: user
+      full: user.changes
+    top_level: true
+  reused_here:
+  - full: user.group
+    schema_name: group
+    short: User's group relevant to the event.
+  - full: user.target
+    schema_name: user
+    short: Fields to describe the user relevant to the event.
+  - full: user.effective
+    schema_name: user
+    short: Fields to describe the user relevant to the event.
+  - full: user.changes
+    schema_name: user
+    short: Fields to describe the user relevant to the event.
+  short: Fields to describe the user relevant to the event.
+  title: User
+  type: group
+user_agent:
+  description: 'The user_agent fields normally come from a browser request.
+
+    They often show up in web service logs coming from the parsed user agent string.'
+  fields:
+    user_agent.device.name:
+      dashed_name: user-agent-device-name
+      description: Name of the device.
+      example: iPhone
+      flat_name: user_agent.device.name
+      ignore_above: 1024
+      level: extended
+      name: device.name
+      normalize: []
+      short: Name of the device.
+      type: keyword
+    user_agent.name:
+      dashed_name: user-agent-name
+      description: Name of the user agent.
+      example: Safari
+      flat_name: user_agent.name
+      ignore_above: 1024
+      level: extended
+      name: name
+      normalize: []
+      short: Name of the user agent.
+      type: keyword
+    user_agent.original:
+      dashed_name: user-agent-original
+      description: Unparsed user_agent string.
+      example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15
+        (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
+      flat_name: user_agent.original
+      level: extended
+      multi_fields:
+      - flat_name: user_agent.original.text
+        name: text
+        norms: false
+        type: text
+      name: original
+      normalize: []
+      short: Unparsed user_agent string.
+      type: wildcard
+    user_agent.os.family:
+      dashed_name: user-agent-os-family
+      description: OS family (such as redhat, debian, freebsd, windows).
+      example: debian
+      flat_name: user_agent.os.family
+      ignore_above: 1024
+      level: extended
+      name: family
+      normalize: []
+      original_fieldset: os
+      short: OS family (such as redhat, debian, freebsd, windows).
+      type: keyword
+    user_agent.os.full:
+      dashed_name: user-agent-os-full
+      description: Operating system name, including the version or code name.
+      example: Mac OS Mojave
+      flat_name: user_agent.os.full
+      level: extended
+      multi_fields:
+      - flat_name: user_agent.os.full.text
+        name: text
+        norms: false
+        type: text
+      name: full
+      normalize: []
+      original_fieldset: os
+      short: Operating system name, including the version or code name.
+      type: wildcard
+    user_agent.os.kernel:
+      dashed_name: user-agent-os-kernel
+      description: Operating system kernel version as a raw string.
+      example: 4.4.0-112-generic
+      flat_name: user_agent.os.kernel
+      ignore_above: 1024
+      level: extended
+      name: kernel
+      normalize: []
+      original_fieldset: os
+      short: Operating system kernel version as a raw string.
+      type: keyword
+    user_agent.os.name:
+      dashed_name: user-agent-os-name
+      description: Operating system name, without the version.
+      example: Mac OS X
+      flat_name: user_agent.os.name
+      level: extended
+      multi_fields:
+      - flat_name: user_agent.os.name.text
+        name: text
+        norms: false
+        type: text
+      name: name
+      normalize: []
+      original_fieldset: os
+      short: Operating system name, without the version.
+      type: wildcard
+    user_agent.os.platform:
+      dashed_name: user-agent-os-platform
+      description: Operating system platform (such centos, ubuntu, windows).
+      example: darwin
+      flat_name: user_agent.os.platform
+      ignore_above: 1024
+      level: extended
+      name: platform
+      normalize: []
+      original_fieldset: os
+      short: Operating system platform (such centos, ubuntu, windows).
+      type: keyword
+    user_agent.os.version:
+      dashed_name: user-agent-os-version
+      description: Operating system version as a raw string.
+      example: 10.14.1
+      flat_name: user_agent.os.version
+      ignore_above: 1024
+      level: extended
+      name: version
+      normalize: []
+      original_fieldset: os
+      short: Operating system version as a raw string.
+      type: keyword
+    user_agent.version:
+      dashed_name: user-agent-version
+      description: Version of the user agent.
+      example: 12.0
+      flat_name: user_agent.version
+      ignore_above: 1024
+      level: extended
+      name: version
+      normalize: []
+      short: Version of the user agent.
+      type: keyword
+  group: 2
+  name: user_agent
+  nestings:
+  - user_agent.os
+  prefix: user_agent.
+  reused_here:
+  - full: user_agent.os
+    schema_name: os
+    short: OS fields contain information about the operating system.
+  short: Fields to describe a browser user_agent string.
+  title: User agent
+  type: group
+vlan:
+  description: 'The VLAN fields are used to identify 802.1q tag(s) of a packet, as
+    well as ingress and egress VLAN associations of an observer in relation to a specific
+    packet or connection.
+
+    Network.vlan fields are used to record a single VLAN tag, or the outer tag in
+    the case of q-in-q encapsulations, for a packet or connection as observed, typically
+    provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic.
+
+    Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple
+    802.1q encapsulations) as observed, typically provided by a network sensor  (e.g.
+    Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should
+    only be used in addition to network.vlan fields to indicate q-in-q tagging.
+
+    Observer.ingress and observer.egress VLAN values are used to record observer specific
+    information when observer events contain discrete ingress and egress VLAN information,
+    typically provided by firewalls, routers, or load balancers.'
+  fields:
+    vlan.id:
+      dashed_name: vlan-id
+      description: VLAN ID as reported by the observer.
+      example: 10
+      flat_name: vlan.id
+      ignore_above: 1024
+      level: extended
+      name: id
+      normalize: []
+      short: VLAN ID as reported by the observer.
+      type: keyword
+    vlan.name:
+      dashed_name: vlan-name
+      description: Optional VLAN name as reported by the observer.
+      example: outside
+      flat_name: vlan.name
+      ignore_above: 1024
+      level: extended
+      name: name
+      normalize: []
+      short: Optional VLAN name as reported by the observer.
+      type: keyword
+  group: 2
+  name: vlan
+  prefix: vlan.
+  reusable:
+    expected:
+    - as: vlan
+      at: observer.ingress
+      full: observer.ingress.vlan
+    - as: vlan
+      at: observer.egress
+      full: observer.egress.vlan
+    - as: vlan
+      at: network
+      full: network.vlan
+    - as: vlan
+      at: network.inner
+      full: network.inner.vlan
+    top_level: false
+  short: Fields to describe observed VLAN information.
+  title: VLAN
+  type: group
+vulnerability:
+  description: The vulnerability fields describe information about a vulnerability
+    that is relevant to an event.
+  fields:
+    vulnerability.category:
+      dashed_name: vulnerability-category
+      description: 'The type of system or architecture that the vulnerability affects.
+        These may be platform-specific (for example, Debian or SUSE) or general (for
+        example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys
+        vulnerability categories])
+
+        This field must be an array.'
+      example: '["Firewall"]'
+      flat_name: vulnerability.category
+      ignore_above: 1024
+      level: extended
+      name: category
+      normalize:
+      - array
+      short: Category of a vulnerability.
+      type: keyword
+    vulnerability.classification:
+      dashed_name: vulnerability-classification
+      description: The classification of the vulnerability scoring system. For example
+        (https://www.first.org/cvss/)
+      example: CVSS
+      flat_name: vulnerability.classification
+      ignore_above: 1024
+      level: extended
+      name: classification
+      normalize: []
+      short: Classification of the vulnerability.
+      type: keyword
+    vulnerability.description:
+      dashed_name: vulnerability-description
+      description: The description of the vulnerability that provides additional context
+        of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common
+        Vulnerabilities and Exposure CVE description])
+      example: In macOS before 2.12.6, there is a vulnerability in the RPC...
+      flat_name: vulnerability.description
+      ignore_above: 1024
+      level: extended
+      multi_fields:
+      - flat_name: vulnerability.description.text
+        name: text
+        norms: false
+        type: text
+      name: description
+      normalize: []
+      short: Description of the vulnerability.
+      type: keyword
+    vulnerability.enumeration:
+      dashed_name: vulnerability-enumeration
+      description: The type of identifier used for this vulnerability. For example
+        (https://cve.mitre.org/about/)
+      example: CVE
+      flat_name: vulnerability.enumeration
+      ignore_above: 1024
+      level: extended
+      name: enumeration
+      normalize: []
+      short: Identifier of the vulnerability.
+      type: keyword
+    vulnerability.id:
+      dashed_name: vulnerability-id
+      description: The identification (ID) is the number portion of a vulnerability
+        entry. It includes a unique identification number for the vulnerability. For
+        example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities
+        and Exposure CVE ID]
+      example: CVE-2019-00001
+      flat_name: vulnerability.id
+      ignore_above: 1024
+      level: extended
+      name: id
+      normalize: []
+      short: ID of the vulnerability.
+      type: keyword
+    vulnerability.reference:
+      dashed_name: vulnerability-reference
+      description: A resource that provides additional information, context, and mitigations
+        for the identified vulnerability.
+      example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111
+      flat_name: vulnerability.reference
+      ignore_above: 1024
+      level: extended
+      name: reference
+      normalize: []
+      short: Reference of the vulnerability.
+      type: keyword
+    vulnerability.report_id:
+      dashed_name: vulnerability-report-id
+      description: The report or scan identification number.
+      example: 20191018.0001
+      flat_name: vulnerability.report_id
+      ignore_above: 1024
+      level: extended
+      name: report_id
+      normalize: []
+      short: Scan identification number.
+      type: keyword
+    vulnerability.scanner.vendor:
+      dashed_name: vulnerability-scanner-vendor
+      description: The name of the vulnerability scanner vendor.
+      example: Tenable
+      flat_name: vulnerability.scanner.vendor
+      ignore_above: 1024
+      level: extended
+      name: scanner.vendor
+      normalize: []
+      short: Name of the scanner vendor.
+      type: keyword
+    vulnerability.score.base:
+      dashed_name: vulnerability-score-base
+      description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
+
+        Base scores cover an assessment for exploitability metrics (attack vector,
+        complexity, privileges, and user interaction), impact metrics (confidentiality,
+        integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document)'
+      example: 5.5
+      flat_name: vulnerability.score.base
+      level: extended
+      name: score.base
+      normalize: []
+      short: Vulnerability Base score.
+      type: float
+    vulnerability.score.environmental:
+      dashed_name: vulnerability-score-environmental
+      description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
+
+        Environmental scores cover an assessment for any modified Base metrics, confidentiality,
+        integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document)'
+      example: 5.5
+      flat_name: vulnerability.score.environmental
+      level: extended
+      name: score.environmental
+      normalize: []
+      short: Vulnerability Environmental score.
+      type: float
+    vulnerability.score.temporal:
+      dashed_name: vulnerability-score-temporal
+      description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
+
+        Temporal scores cover an assessment for code maturity, remediation level,
+        and confidence. For example (https://www.first.org/cvss/specification-document)'
+      flat_name: vulnerability.score.temporal
+      level: extended
+      name: score.temporal
+      normalize: []
+      short: Vulnerability Temporal score.
+      type: float
+    vulnerability.score.version:
+      dashed_name: vulnerability-score-version
+      description: 'The National Vulnerability Database (NVD) provides qualitative
+        severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score
+        ranges in addition to the severity ratings for CVSS v3.0 as they are defined
+        in the CVSS v3.0 specification.
+
+        CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit
+        organization, whose mission is to help computer security incident response
+        teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss)'
+      example: 2.0
+      flat_name: vulnerability.score.version
+      ignore_above: 1024
+      level: extended
+      name: score.version
+      normalize: []
+      short: CVSS version.
+      type: keyword
+    vulnerability.severity:
+      dashed_name: vulnerability-severity
+      description: The severity of the vulnerability can help with metrics and internal
+        prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss)
+      example: Critical
+      flat_name: vulnerability.severity
+      ignore_above: 1024
+      level: extended
+      name: severity
+      normalize: []
+      short: Severity of the vulnerability.
+      type: keyword
+  group: 2
+  name: vulnerability
+  prefix: vulnerability.
+  short: Fields to describe the vulnerability relevant to an event.
+  title: Vulnerability
+  type: group
+x509:
+  description: This implements the common core fields for x509 certificates. This
+    information is likely logged with TLS sessions, digital signatures found in executable
+    binaries, S/MIME information in email bodies, or analysis of files on disk. When
+    only a single certificate is logged in an event, it should be nested under `file`.
+    When hashes of the DER-encoded certificate are available, the `hash` data set
+    should be populated as well (e.g. `file.hash.sha256`). For events that contain
+    certificate information for both sides of the connection, the x509 object could
+    be nested under the respective side of the connection information (e.g. `tls.server.x509`).
+  fields:
+    x509.alternative_names:
+      dashed_name: x509-alternative-names
+      description: List of subject alternative names (SAN). Name types vary by certificate
+        authority and certificate type but commonly contain IP addresses, DNS names
+        (and wildcards), and email addresses.
+      example: '*.elastic.co'
+      flat_name: x509.alternative_names
+      ignore_above: 1024
+      level: extended
+      name: alternative_names
+      normalize:
+      - array
+      short: List of subject alternative names (SAN).
+      type: keyword
+    x509.issuer.common_name:
+      dashed_name: x509-issuer-common-name
+      description: List of common name (CN) of issuing certificate authority.
+      example: Example SHA2 High Assurance Server CA
+      flat_name: x509.issuer.common_name
+      ignore_above: 1024
+      level: extended
+      name: issuer.common_name
+      normalize:
+      - array
+      short: List of common name (CN) of issuing certificate authority.
+      type: keyword
+    x509.issuer.country:
+      dashed_name: x509-issuer-country
+      description: List of country (C) codes
+      example: US
+      flat_name: x509.issuer.country
+      ignore_above: 1024
+      level: extended
+      name: issuer.country
+      normalize:
+      - array
+      short: List of country (C) codes
+      type: keyword
+    x509.issuer.distinguished_name:
+      dashed_name: x509-issuer-distinguished-name
+      description: Distinguished name (DN) of issuing certificate authority.
+      example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
+        Server CA
+      flat_name: x509.issuer.distinguished_name
+      level: extended
+      name: issuer.distinguished_name
+      normalize: []
+      short: Distinguished name (DN) of issuing certificate authority.
+      type: wildcard
+    x509.issuer.locality:
+      dashed_name: x509-issuer-locality
+      description: List of locality names (L)
+      example: Mountain View
+      flat_name: x509.issuer.locality
+      ignore_above: 1024
+      level: extended
+      name: issuer.locality
+      normalize:
+      - array
+      short: List of locality names (L)
+      type: keyword
+    x509.issuer.organization:
+      dashed_name: x509-issuer-organization
+      description: List of organizations (O) of issuing certificate authority.
+      example: Example Inc
+      flat_name: x509.issuer.organization
+      ignore_above: 1024
+      level: extended
+      name: issuer.organization
+      normalize:
+      - array
+      short: List of organizations (O) of issuing certificate authority.
+      type: keyword
+    x509.issuer.organizational_unit:
+      dashed_name: x509-issuer-organizational-unit
+      description: List of organizational units (OU) of issuing certificate authority.
+      example: www.example.com
+      flat_name: x509.issuer.organizational_unit
+      ignore_above: 1024
+      level: extended
+      name: issuer.organizational_unit
+      normalize:
+      - array
+      short: List of organizational units (OU) of issuing certificate authority.
+      type: keyword
+    x509.issuer.state_or_province:
+      dashed_name: x509-issuer-state-or-province
+      description: List of state or province names (ST, S, or P)
+      example: California
+      flat_name: x509.issuer.state_or_province
+      ignore_above: 1024
+      level: extended
+      name: issuer.state_or_province
+      normalize:
+      - array
+      short: List of state or province names (ST, S, or P)
+      type: keyword
+    x509.not_after:
+      dashed_name: x509-not-after
+      description: Time at which the certificate is no longer considered valid.
+      example: 2020-07-16 03:15:39+00:00
+      flat_name: x509.not_after
+      level: extended
+      name: not_after
+      normalize: []
+      short: Time at which the certificate is no longer considered valid.
+      type: date
+    x509.not_before:
+      dashed_name: x509-not-before
+      description: Time at which the certificate is first considered valid.
+      example: 2019-08-16 01:40:25+00:00
+      flat_name: x509.not_before
+      level: extended
+      name: not_before
+      normalize: []
+      short: Time at which the certificate is first considered valid.
+      type: date
+    x509.public_key_algorithm:
+      dashed_name: x509-public-key-algorithm
+      description: Algorithm used to generate the public key.
+      example: RSA
+      flat_name: x509.public_key_algorithm
+      ignore_above: 1024
+      level: extended
+      name: public_key_algorithm
+      normalize: []
+      short: Algorithm used to generate the public key.
+      type: keyword
+    x509.public_key_curve:
+      dashed_name: x509-public-key-curve
+      description: The curve used by the elliptic curve public key algorithm. This
+        is algorithm specific.
+      example: nistp521
+      flat_name: x509.public_key_curve
+      ignore_above: 1024
+      level: extended
+      name: public_key_curve
+      normalize: []
+      short: The curve used by the elliptic curve public key algorithm. This is algorithm
+        specific.
+      type: keyword
+    x509.public_key_exponent:
+      dashed_name: x509-public-key-exponent
+      description: Exponent used to derive the public key. This is algorithm specific.
+      doc_values: false
+      example: 65537
+      flat_name: x509.public_key_exponent
+      index: false
+      level: extended
+      name: public_key_exponent
+      normalize: []
+      short: Exponent used to derive the public key. This is algorithm specific.
+      type: long
+    x509.public_key_size:
+      dashed_name: x509-public-key-size
+      description: The size of the public key space in bits.
+      example: 2048
+      flat_name: x509.public_key_size
+      level: extended
+      name: public_key_size
+      normalize: []
+      short: The size of the public key space in bits.
+      type: long
+    x509.serial_number:
+      dashed_name: x509-serial-number
+      description: Unique serial number issued by the certificate authority. For consistency,
+        if this value is alphanumeric, it should be formatted without colons and uppercase
+        characters.
+      example: 55FBB9C7DEBF09809D12CCAA
+      flat_name: x509.serial_number
+      ignore_above: 1024
+      level: extended
+      name: serial_number
+      normalize: []
+      short: Unique serial number issued by the certificate authority.
+      type: keyword
+    x509.signature_algorithm:
+      dashed_name: x509-signature-algorithm
+      description: Identifier for certificate signature algorithm. We recommend using
+        names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
+      example: SHA256-RSA
+      flat_name: x509.signature_algorithm
+      ignore_above: 1024
+      level: extended
+      name: signature_algorithm
+      normalize: []
+      short: Identifier for certificate signature algorithm.
+      type: keyword
+    x509.subject.common_name:
+      dashed_name: x509-subject-common-name
+      description: List of common names (CN) of subject.
+      example: shared.global.example.net
+      flat_name: x509.subject.common_name
+      ignore_above: 1024
+      level: extended
+      name: subject.common_name
+      normalize:
+      - array
+      short: List of common names (CN) of subject.
+      type: keyword
+    x509.subject.country:
+      dashed_name: x509-subject-country
+      description: List of country (C) code
+      example: US
+      flat_name: x509.subject.country
+      ignore_above: 1024
+      level: extended
+      name: subject.country
+      normalize:
+      - array
+      short: List of country (C) code
+      type: keyword
+    x509.subject.distinguished_name:
+      dashed_name: x509-subject-distinguished-name
+      description: Distinguished name (DN) of the certificate subject entity.
+      example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+      flat_name: x509.subject.distinguished_name
+      level: extended
+      name: subject.distinguished_name
+      normalize: []
+      short: Distinguished name (DN) of the certificate subject entity.
+      type: wildcard
+    x509.subject.locality:
+      dashed_name: x509-subject-locality
+      description: List of locality names (L)
+      example: San Francisco
+      flat_name: x509.subject.locality
+      ignore_above: 1024
+      level: extended
+      name: subject.locality
+      normalize:
+      - array
+      short: List of locality names (L)
+      type: keyword
+    x509.subject.organization:
+      dashed_name: x509-subject-organization
+      description: List of organizations (O) of subject.
+      example: Example, Inc.
+      flat_name: x509.subject.organization
+      ignore_above: 1024
+      level: extended
+      name: subject.organization
+      normalize:
+      - array
+      short: List of organizations (O) of subject.
+      type: keyword
+    x509.subject.organizational_unit:
+      dashed_name: x509-subject-organizational-unit
+      description: List of organizational units (OU) of subject.
+      flat_name: x509.subject.organizational_unit
+      ignore_above: 1024
+      level: extended
+      name: subject.organizational_unit
+      normalize:
+      - array
+      short: List of organizational units (OU) of subject.
+      type: keyword
+    x509.subject.state_or_province:
+      dashed_name: x509-subject-state-or-province
+      description: List of state or province names (ST, S, or P)
+      example: California
+      flat_name: x509.subject.state_or_province
+      ignore_above: 1024
+      level: extended
+      name: subject.state_or_province
+      normalize:
+      - array
+      short: List of state or province names (ST, S, or P)
+      type: keyword
+    x509.version_number:
+      dashed_name: x509-version-number
+      description: Version of x509 format.
+      example: 3
+      flat_name: x509.version_number
+      ignore_above: 1024
+      level: extended
+      name: version_number
+      normalize: []
+      short: Version of x509 format.
+      type: keyword
+  group: 2
+  name: x509
+  prefix: x509.
+  reusable:
+    expected:
+    - as: x509
+      at: file
+      full: file.x509
+    - as: x509
+      at: tls.client
+      full: tls.client.x509
+    - as: x509
+      at: tls.server
+      full: tls.server.x509
+    top_level: false
+  short: These fields contain x509 certificate metadata.
+  title: x509 Certificate
+  type: group
diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json
new file mode 100644
index 0000000000..7099fcb8c7
--- /dev/null
+++ b/experimental/generated/elasticsearch/7/template.json
@@ -0,0 +1,3332 @@
+{
+  "index_patterns": [
+    "ecs-*"
+  ],
+  "mappings": {
+    "_meta": {
+      "version": "1.7.0-dev"
+    },
+    "date_detection": false,
+    "dynamic_templates": [
+      {
+        "strings_as_keyword": {
+          "mapping": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "match_mapping_type": "string"
+        }
+      }
+    ],
+    "properties": {
+      "@timestamp": {
+        "type": "date"
+      },
+      "agent": {
+        "properties": {
+          "build": {
+            "properties": {
+              "original": {
+                "type": "wildcard"
+              }
+            }
+          },
+          "ephemeral_id": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "id": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "name": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "type": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "version": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          }
+        }
+      },
+      "client": {
+        "properties": {
+          "address": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "as": {
+            "properties": {
+              "number": {
+                "type": "long"
+              },
+              "organization": {
+                "properties": {
+                  "name": {
+                    "fields": {
+                      "text": {
+                        "norms": false,
+                        "type": "text"
+                      }
+                    },
+                    "type": "wildcard"
+                  }
+                }
+              }
+            }
+          },
+          "bytes": {
+            "type": "long"
+          },
+          "domain": {
+            "type": "wildcard"
+          },
+          "geo": {
+            "properties": {
+              "city_name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "continent_name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "country_iso_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "country_name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "location": {
+                "type": "geo_point"
+              },
+              "name": {
+                "type": "wildcard"
+              },
+              "region_iso_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "region_name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "ip": {
+            "type": "ip"
+          },
+          "mac": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "nat": {
+            "properties": {
+              "ip": {
+                "type": "ip"
+              },
+              "port": {
+                "type": "long"
+              }
+            }
+          },
+          "packets": {
+            "type": "long"
+          },
+          "port": {
+            "type": "long"
+          },
+          "registered_domain": {
+            "type": "wildcard"
+          },
+          "subdomain": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "top_level_domain": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "user": {
+            "properties": {
+              "domain": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "email": {
+                "type": "wildcard"
+              },
+              "full_name": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "type": "wildcard"
+              },
+              "group": {
+                "properties": {
+                  "domain": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "hash": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "name": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "type": "wildcard"
+              },
+              "roles": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          }
+        }
+      },
+      "cloud": {
+        "properties": {
+          "account": {
+            "properties": {
+              "id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "availability_zone": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "instance": {
+            "properties": {
+              "id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "machine": {
+            "properties": {
+              "type": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "project": {
+            "properties": {
+              "id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "provider": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "region": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          }
+        }
+      },
+      "container": {
+        "properties": {
+          "id": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "image": {
+            "properties": {
+              "name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "tag": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "labels": {
+            "type": "object"
+          },
+          "name": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "runtime": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          }
+        }
+      },
+      "destination": {
+        "properties": {
+          "address": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "as": {
+            "properties": {
+              "number": {
+                "type": "long"
+              },
+              "organization": {
+                "properties": {
+                  "name": {
+                    "fields": {
+                      "text": {
+                        "norms": false,
+                        "type": "text"
+                      }
+                    },
+                    "type": "wildcard"
+                  }
+                }
+              }
+            }
+          },
+          "bytes": {
+            "type": "long"
+          },
+          "domain": {
+            "type": "wildcard"
+          },
+          "geo": {
+            "properties": {
+              "city_name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "continent_name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "country_iso_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "country_name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "location": {
+                "type": "geo_point"
+              },
+              "name": {
+                "type": "wildcard"
+              },
+              "region_iso_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "region_name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "ip": {
+            "type": "ip"
+          },
+          "mac": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "nat": {
+            "properties": {
+              "ip": {
+                "type": "ip"
+              },
+              "port": {
+                "type": "long"
+              }
+            }
+          },
+          "packets": {
+            "type": "long"
+          },
+          "port": {
+            "type": "long"
+          },
+          "registered_domain": {
+            "type": "wildcard"
+          },
+          "subdomain": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "top_level_domain": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "user": {
+            "properties": {
+              "domain": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "email": {
+                "type": "wildcard"
+              },
+              "full_name": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "type": "wildcard"
+              },
+              "group": {
+                "properties": {
+                  "domain": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "hash": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "name": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "type": "wildcard"
+              },
+              "roles": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          }
+        }
+      },
+      "dll": {
+        "properties": {
+          "code_signature": {
+            "properties": {
+              "exists": {
+                "type": "boolean"
+              },
+              "status": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "subject_name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "trusted": {
+                "type": "boolean"
+              },
+              "valid": {
+                "type": "boolean"
+              }
+            }
+          },
+          "hash": {
+            "properties": {
+              "md5": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "sha1": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "sha256": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "sha512": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "name": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "path": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "pe": {
+            "properties": {
+              "architecture": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "company": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "description": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "file_version": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "imphash": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "original_file_name": {
+                "type": "wildcard"
+              },
+              "product": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          }
+        }
+      },
+      "dns": {
+        "properties": {
+          "answers": {
+            "properties": {
+              "class": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "data": {
+                "type": "wildcard"
+              },
+              "name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "ttl": {
+                "type": "long"
+              },
+              "type": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "header_flags": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "id": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "op_code": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "question": {
+            "properties": {
+              "class": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "name": {
+                "type": "wildcard"
+              },
+              "registered_domain": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "subdomain": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "top_level_domain": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "type": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "resolved_ip": {
+            "type": "ip"
+          },
+          "response_code": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "type": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          }
+        }
+      },
+      "ecs": {
+        "properties": {
+          "version": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          }
+        }
+      },
+      "error": {
+        "properties": {
+          "code": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "id": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "message": {
+            "norms": false,
+            "type": "text"
+          },
+          "stack_trace": {
+            "fields": {
+              "text": {
+                "norms": false,
+                "type": "text"
+              }
+            },
+            "type": "wildcard"
+          },
+          "type": {
+            "type": "wildcard"
+          }
+        }
+      },
+      "event": {
+        "properties": {
+          "action": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "category": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "code": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "created": {
+            "type": "date"
+          },
+          "dataset": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "duration": {
+            "type": "long"
+          },
+          "end": {
+            "type": "date"
+          },
+          "hash": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "id": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "ingested": {
+            "type": "date"
+          },
+          "kind": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "module": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "original": {
+            "doc_values": false,
+            "index": false,
+            "type": "wildcard"
+          },
+          "outcome": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "provider": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "reason": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "reference": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "risk_score": {
+            "type": "float"
+          },
+          "risk_score_norm": {
+            "type": "float"
+          },
+          "sequence": {
+            "type": "long"
+          },
+          "severity": {
+            "type": "long"
+          },
+          "start": {
+            "type": "date"
+          },
+          "timezone": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "type": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "url": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          }
+        }
+      },
+      "file": {
+        "properties": {
+          "accessed": {
+            "type": "date"
+          },
+          "attributes": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "code_signature": {
+            "properties": {
+              "exists": {
+                "type": "boolean"
+              },
+              "status": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "subject_name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "trusted": {
+                "type": "boolean"
+              },
+              "valid": {
+                "type": "boolean"
+              }
+            }
+          },
+          "created": {
+            "type": "date"
+          },
+          "ctime": {
+            "type": "date"
+          },
+          "device": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "directory": {
+            "type": "wildcard"
+          },
+          "drive_letter": {
+            "ignore_above": 1,
+            "type": "keyword"
+          },
+          "extension": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "gid": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "group": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "hash": {
+            "properties": {
+              "md5": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "sha1": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "sha256": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "sha512": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "inode": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "mime_type": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "mode": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "mtime": {
+            "type": "date"
+          },
+          "name": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "owner": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "path": {
+            "fields": {
+              "text": {
+                "norms": false,
+                "type": "text"
+              }
+            },
+            "type": "wildcard"
+          },
+          "pe": {
+            "properties": {
+              "architecture": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "company": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "description": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "file_version": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "imphash": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "original_file_name": {
+                "type": "wildcard"
+              },
+              "product": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "size": {
+            "type": "long"
+          },
+          "target_path": {
+            "fields": {
+              "text": {
+                "norms": false,
+                "type": "text"
+              }
+            },
+            "type": "wildcard"
+          },
+          "type": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "uid": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "x509": {
+            "properties": {
+              "alternative_names": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "issuer": {
+                "properties": {
+                  "common_name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "country": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "distinguished_name": {
+                    "type": "wildcard"
+                  },
+                  "locality": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "organization": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "organizational_unit": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "state_or_province": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "not_after": {
+                "type": "date"
+              },
+              "not_before": {
+                "type": "date"
+              },
+              "public_key_algorithm": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "public_key_curve": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "public_key_exponent": {
+                "doc_values": false,
+                "index": false,
+                "type": "long"
+              },
+              "public_key_size": {
+                "type": "long"
+              },
+              "serial_number": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "signature_algorithm": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "subject": {
+                "properties": {
+                  "common_name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "country": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "distinguished_name": {
+                    "type": "wildcard"
+                  },
+                  "locality": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "organization": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "organizational_unit": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "state_or_province": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "version_number": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          }
+        }
+      },
+      "group": {
+        "properties": {
+          "domain": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "id": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "name": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          }
+        }
+      },
+      "host": {
+        "properties": {
+          "architecture": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "domain": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "geo": {
+            "properties": {
+              "city_name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "continent_name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "country_iso_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "country_name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "location": {
+                "type": "geo_point"
+              },
+              "name": {
+                "type": "wildcard"
+              },
+              "region_iso_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "region_name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "hostname": {
+            "type": "wildcard"
+          },
+          "id": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "ip": {
+            "type": "ip"
+          },
+          "mac": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "name": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "os": {
+            "properties": {
+              "family": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "full": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "type": "wildcard"
+              },
+              "kernel": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "name": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "type": "wildcard"
+              },
+              "platform": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "version": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "type": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "uptime": {
+            "type": "long"
+          },
+          "user": {
+            "properties": {
+              "domain": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "email": {
+                "type": "wildcard"
+              },
+              "full_name": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "type": "wildcard"
+              },
+              "group": {
+                "properties": {
+                  "domain": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "hash": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "name": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "type": "wildcard"
+              },
+              "roles": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          }
+        }
+      },
+      "http": {
+        "properties": {
+          "request": {
+            "properties": {
+              "body": {
+                "properties": {
+                  "bytes": {
+                    "type": "long"
+                  },
+                  "content": {
+                    "fields": {
+                      "text": {
+                        "norms": false,
+                        "type": "text"
+                      }
+                    },
+                    "type": "wildcard"
+                  }
+                }
+              },
+              "bytes": {
+                "type": "long"
+              },
+              "method": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "mime_type": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "referrer": {
+                "type": "wildcard"
+              }
+            }
+          },
+          "response": {
+            "properties": {
+              "body": {
+                "properties": {
+                  "bytes": {
+                    "type": "long"
+                  },
+                  "content": {
+                    "fields": {
+                      "text": {
+                        "norms": false,
+                        "type": "text"
+                      }
+                    },
+                    "type": "wildcard"
+                  }
+                }
+              },
+              "bytes": {
+                "type": "long"
+              },
+              "mime_type": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "status_code": {
+                "type": "long"
+              }
+            }
+          },
+          "version": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          }
+        }
+      },
+      "labels": {
+        "type": "object"
+      },
+      "log": {
+        "properties": {
+          "file": {
+            "properties": {
+              "path": {
+                "type": "wildcard"
+              }
+            }
+          },
+          "level": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "logger": {
+            "type": "wildcard"
+          },
+          "origin": {
+            "properties": {
+              "file": {
+                "properties": {
+                  "line": {
+                    "type": "integer"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "function": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "original": {
+            "doc_values": false,
+            "ignore_above": 1024,
+            "index": false,
+            "type": "keyword"
+          },
+          "syslog": {
+            "properties": {
+              "facility": {
+                "properties": {
+                  "code": {
+                    "type": "long"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "priority": {
+                "type": "long"
+              },
+              "severity": {
+                "properties": {
+                  "code": {
+                    "type": "long"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              }
+            },
+            "type": "object"
+          }
+        }
+      },
+      "message": {
+        "norms": false,
+        "type": "text"
+      },
+      "network": {
+        "properties": {
+          "application": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "bytes": {
+            "type": "long"
+          },
+          "community_id": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "direction": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "forwarded_ip": {
+            "type": "ip"
+          },
+          "iana_number": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "inner": {
+            "properties": {
+              "vlan": {
+                "properties": {
+                  "id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              }
+            },
+            "type": "object"
+          },
+          "name": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "packets": {
+            "type": "long"
+          },
+          "protocol": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "transport": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "type": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "vlan": {
+            "properties": {
+              "id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          }
+        }
+      },
+      "observer": {
+        "properties": {
+          "egress": {
+            "properties": {
+              "interface": {
+                "properties": {
+                  "alias": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "vlan": {
+                "properties": {
+                  "id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "zone": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            },
+            "type": "object"
+          },
+          "geo": {
+            "properties": {
+              "city_name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "continent_name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "country_iso_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "country_name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "location": {
+                "type": "geo_point"
+              },
+              "name": {
+                "type": "wildcard"
+              },
+              "region_iso_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "region_name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "hostname": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "ingress": {
+            "properties": {
+              "interface": {
+                "properties": {
+                  "alias": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "vlan": {
+                "properties": {
+                  "id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "zone": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            },
+            "type": "object"
+          },
+          "ip": {
+            "type": "ip"
+          },
+          "mac": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "name": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "os": {
+            "properties": {
+              "family": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "full": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "type": "wildcard"
+              },
+              "kernel": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "name": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "type": "wildcard"
+              },
+              "platform": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "version": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "product": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "serial_number": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "type": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "vendor": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "version": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          }
+        }
+      },
+      "organization": {
+        "properties": {
+          "id": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "name": {
+            "fields": {
+              "text": {
+                "norms": false,
+                "type": "text"
+              }
+            },
+            "type": "wildcard"
+          }
+        }
+      },
+      "package": {
+        "properties": {
+          "architecture": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "build_version": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "checksum": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "description": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "install_scope": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "installed": {
+            "type": "date"
+          },
+          "license": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "name": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "path": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "reference": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "size": {
+            "type": "long"
+          },
+          "type": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "version": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          }
+        }
+      },
+      "process": {
+        "properties": {
+          "args": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "args_count": {
+            "type": "long"
+          },
+          "code_signature": {
+            "properties": {
+              "exists": {
+                "type": "boolean"
+              },
+              "status": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "subject_name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "trusted": {
+                "type": "boolean"
+              },
+              "valid": {
+                "type": "boolean"
+              }
+            }
+          },
+          "command_line": {
+            "fields": {
+              "text": {
+                "norms": false,
+                "type": "text"
+              }
+            },
+            "type": "wildcard"
+          },
+          "entity_id": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "executable": {
+            "fields": {
+              "text": {
+                "norms": false,
+                "type": "text"
+              }
+            },
+            "type": "wildcard"
+          },
+          "exit_code": {
+            "type": "long"
+          },
+          "hash": {
+            "properties": {
+              "md5": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "sha1": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "sha256": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "sha512": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "name": {
+            "fields": {
+              "text": {
+                "norms": false,
+                "type": "text"
+              }
+            },
+            "type": "wildcard"
+          },
+          "parent": {
+            "properties": {
+              "args": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "args_count": {
+                "type": "long"
+              },
+              "code_signature": {
+                "properties": {
+                  "exists": {
+                    "type": "boolean"
+                  },
+                  "status": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "subject_name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "trusted": {
+                    "type": "boolean"
+                  },
+                  "valid": {
+                    "type": "boolean"
+                  }
+                }
+              },
+              "command_line": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "type": "wildcard"
+              },
+              "entity_id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "executable": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "type": "wildcard"
+              },
+              "exit_code": {
+                "type": "long"
+              },
+              "hash": {
+                "properties": {
+                  "md5": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "sha1": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "sha256": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "sha512": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "name": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "type": "wildcard"
+              },
+              "pe": {
+                "properties": {
+                  "architecture": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "company": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "description": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "file_version": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "imphash": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "original_file_name": {
+                    "type": "wildcard"
+                  },
+                  "product": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "pgid": {
+                "type": "long"
+              },
+              "pid": {
+                "type": "long"
+              },
+              "ppid": {
+                "type": "long"
+              },
+              "start": {
+                "type": "date"
+              },
+              "thread": {
+                "properties": {
+                  "id": {
+                    "type": "long"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "title": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "type": "wildcard"
+              },
+              "uptime": {
+                "type": "long"
+              },
+              "working_directory": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "type": "wildcard"
+              }
+            }
+          },
+          "pe": {
+            "properties": {
+              "architecture": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "company": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "description": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "file_version": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "imphash": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "original_file_name": {
+                "type": "wildcard"
+              },
+              "product": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "pgid": {
+            "type": "long"
+          },
+          "pid": {
+            "type": "long"
+          },
+          "ppid": {
+            "type": "long"
+          },
+          "start": {
+            "type": "date"
+          },
+          "thread": {
+            "properties": {
+              "id": {
+                "type": "long"
+              },
+              "name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "title": {
+            "fields": {
+              "text": {
+                "norms": false,
+                "type": "text"
+              }
+            },
+            "type": "wildcard"
+          },
+          "uptime": {
+            "type": "long"
+          },
+          "working_directory": {
+            "fields": {
+              "text": {
+                "norms": false,
+                "type": "text"
+              }
+            },
+            "type": "wildcard"
+          }
+        }
+      },
+      "registry": {
+        "properties": {
+          "data": {
+            "properties": {
+              "bytes": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "strings": {
+                "type": "wildcard"
+              },
+              "type": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "hive": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "key": {
+            "type": "wildcard"
+          },
+          "path": {
+            "type": "wildcard"
+          },
+          "value": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          }
+        }
+      },
+      "related": {
+        "properties": {
+          "hash": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "hosts": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "ip": {
+            "type": "ip"
+          },
+          "user": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          }
+        }
+      },
+      "rule": {
+        "properties": {
+          "author": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "category": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "description": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "id": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "license": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "name": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "reference": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "ruleset": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "uuid": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "version": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          }
+        }
+      },
+      "server": {
+        "properties": {
+          "address": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "as": {
+            "properties": {
+              "number": {
+                "type": "long"
+              },
+              "organization": {
+                "properties": {
+                  "name": {
+                    "fields": {
+                      "text": {
+                        "norms": false,
+                        "type": "text"
+                      }
+                    },
+                    "type": "wildcard"
+                  }
+                }
+              }
+            }
+          },
+          "bytes": {
+            "type": "long"
+          },
+          "domain": {
+            "type": "wildcard"
+          },
+          "geo": {
+            "properties": {
+              "city_name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "continent_name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "country_iso_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "country_name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "location": {
+                "type": "geo_point"
+              },
+              "name": {
+                "type": "wildcard"
+              },
+              "region_iso_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "region_name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "ip": {
+            "type": "ip"
+          },
+          "mac": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "nat": {
+            "properties": {
+              "ip": {
+                "type": "ip"
+              },
+              "port": {
+                "type": "long"
+              }
+            }
+          },
+          "packets": {
+            "type": "long"
+          },
+          "port": {
+            "type": "long"
+          },
+          "registered_domain": {
+            "type": "wildcard"
+          },
+          "subdomain": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "top_level_domain": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "user": {
+            "properties": {
+              "domain": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "email": {
+                "type": "wildcard"
+              },
+              "full_name": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "type": "wildcard"
+              },
+              "group": {
+                "properties": {
+                  "domain": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "hash": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "name": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "type": "wildcard"
+              },
+              "roles": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          }
+        }
+      },
+      "service": {
+        "properties": {
+          "ephemeral_id": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "id": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "name": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "node": {
+            "properties": {
+              "name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "state": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "type": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "version": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          }
+        }
+      },
+      "source": {
+        "properties": {
+          "address": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "as": {
+            "properties": {
+              "number": {
+                "type": "long"
+              },
+              "organization": {
+                "properties": {
+                  "name": {
+                    "fields": {
+                      "text": {
+                        "norms": false,
+                        "type": "text"
+                      }
+                    },
+                    "type": "wildcard"
+                  }
+                }
+              }
+            }
+          },
+          "bytes": {
+            "type": "long"
+          },
+          "domain": {
+            "type": "wildcard"
+          },
+          "geo": {
+            "properties": {
+              "city_name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "continent_name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "country_iso_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "country_name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "location": {
+                "type": "geo_point"
+              },
+              "name": {
+                "type": "wildcard"
+              },
+              "region_iso_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "region_name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "ip": {
+            "type": "ip"
+          },
+          "mac": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "nat": {
+            "properties": {
+              "ip": {
+                "type": "ip"
+              },
+              "port": {
+                "type": "long"
+              }
+            }
+          },
+          "packets": {
+            "type": "long"
+          },
+          "port": {
+            "type": "long"
+          },
+          "registered_domain": {
+            "type": "wildcard"
+          },
+          "subdomain": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "top_level_domain": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "user": {
+            "properties": {
+              "domain": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "email": {
+                "type": "wildcard"
+              },
+              "full_name": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "type": "wildcard"
+              },
+              "group": {
+                "properties": {
+                  "domain": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "hash": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "name": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "type": "wildcard"
+              },
+              "roles": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          }
+        }
+      },
+      "span": {
+        "properties": {
+          "id": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          }
+        }
+      },
+      "tags": {
+        "ignore_above": 1024,
+        "type": "keyword"
+      },
+      "threat": {
+        "properties": {
+          "framework": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "tactic": {
+            "properties": {
+              "id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "reference": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "technique": {
+            "properties": {
+              "id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "name": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "reference": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "subtechnique": {
+                "properties": {
+                  "id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "fields": {
+                      "text": {
+                        "norms": false,
+                        "type": "text"
+                      }
+                    },
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "reference": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              }
+            }
+          }
+        }
+      },
+      "tls": {
+        "properties": {
+          "cipher": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "client": {
+            "properties": {
+              "certificate": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "certificate_chain": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "hash": {
+                "properties": {
+                  "md5": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "sha1": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "sha256": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "issuer": {
+                "type": "wildcard"
+              },
+              "ja3": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "not_after": {
+                "type": "date"
+              },
+              "not_before": {
+                "type": "date"
+              },
+              "server_name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "subject": {
+                "type": "wildcard"
+              },
+              "supported_ciphers": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "x509": {
+                "properties": {
+                  "alternative_names": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "issuer": {
+                    "properties": {
+                      "common_name": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "country": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "distinguished_name": {
+                        "type": "wildcard"
+                      },
+                      "locality": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "organization": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "organizational_unit": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "state_or_province": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      }
+                    }
+                  },
+                  "not_after": {
+                    "type": "date"
+                  },
+                  "not_before": {
+                    "type": "date"
+                  },
+                  "public_key_algorithm": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "public_key_curve": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "public_key_exponent": {
+                    "doc_values": false,
+                    "index": false,
+                    "type": "long"
+                  },
+                  "public_key_size": {
+                    "type": "long"
+                  },
+                  "serial_number": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "signature_algorithm": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "subject": {
+                    "properties": {
+                      "common_name": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "country": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "distinguished_name": {
+                        "type": "wildcard"
+                      },
+                      "locality": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "organization": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "organizational_unit": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "state_or_province": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      }
+                    }
+                  },
+                  "version_number": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              }
+            }
+          },
+          "curve": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "established": {
+            "type": "boolean"
+          },
+          "next_protocol": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "resumed": {
+            "type": "boolean"
+          },
+          "server": {
+            "properties": {
+              "certificate": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "certificate_chain": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "hash": {
+                "properties": {
+                  "md5": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "sha1": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "sha256": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "issuer": {
+                "type": "wildcard"
+              },
+              "ja3s": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "not_after": {
+                "type": "date"
+              },
+              "not_before": {
+                "type": "date"
+              },
+              "subject": {
+                "type": "wildcard"
+              },
+              "x509": {
+                "properties": {
+                  "alternative_names": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "issuer": {
+                    "properties": {
+                      "common_name": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "country": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "distinguished_name": {
+                        "type": "wildcard"
+                      },
+                      "locality": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "organization": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "organizational_unit": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "state_or_province": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      }
+                    }
+                  },
+                  "not_after": {
+                    "type": "date"
+                  },
+                  "not_before": {
+                    "type": "date"
+                  },
+                  "public_key_algorithm": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "public_key_curve": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "public_key_exponent": {
+                    "doc_values": false,
+                    "index": false,
+                    "type": "long"
+                  },
+                  "public_key_size": {
+                    "type": "long"
+                  },
+                  "serial_number": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "signature_algorithm": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "subject": {
+                    "properties": {
+                      "common_name": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "country": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "distinguished_name": {
+                        "type": "wildcard"
+                      },
+                      "locality": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "organization": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "organizational_unit": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "state_or_province": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      }
+                    }
+                  },
+                  "version_number": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              }
+            }
+          },
+          "version": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "version_protocol": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          }
+        }
+      },
+      "trace": {
+        "properties": {
+          "id": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          }
+        }
+      },
+      "transaction": {
+        "properties": {
+          "id": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          }
+        }
+      },
+      "url": {
+        "properties": {
+          "domain": {
+            "type": "wildcard"
+          },
+          "extension": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "fragment": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "full": {
+            "fields": {
+              "text": {
+                "norms": false,
+                "type": "text"
+              }
+            },
+            "type": "wildcard"
+          },
+          "original": {
+            "fields": {
+              "text": {
+                "norms": false,
+                "type": "text"
+              }
+            },
+            "type": "wildcard"
+          },
+          "password": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "path": {
+            "type": "wildcard"
+          },
+          "port": {
+            "type": "long"
+          },
+          "query": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "registered_domain": {
+            "type": "wildcard"
+          },
+          "scheme": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "subdomain": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "top_level_domain": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "username": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          }
+        }
+      },
+      "user": {
+        "properties": {
+          "changes": {
+            "properties": {
+              "domain": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "email": {
+                "type": "wildcard"
+              },
+              "full_name": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "type": "wildcard"
+              },
+              "group": {
+                "properties": {
+                  "domain": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "hash": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "name": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "type": "wildcard"
+              },
+              "roles": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "domain": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "effective": {
+            "properties": {
+              "domain": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "email": {
+                "type": "wildcard"
+              },
+              "full_name": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "type": "wildcard"
+              },
+              "group": {
+                "properties": {
+                  "domain": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "hash": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "name": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "type": "wildcard"
+              },
+              "roles": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "email": {
+            "type": "wildcard"
+          },
+          "full_name": {
+            "fields": {
+              "text": {
+                "norms": false,
+                "type": "text"
+              }
+            },
+            "type": "wildcard"
+          },
+          "group": {
+            "properties": {
+              "domain": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "hash": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "id": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "name": {
+            "fields": {
+              "text": {
+                "norms": false,
+                "type": "text"
+              }
+            },
+            "type": "wildcard"
+          },
+          "roles": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "target": {
+            "properties": {
+              "domain": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "email": {
+                "type": "wildcard"
+              },
+              "full_name": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "type": "wildcard"
+              },
+              "group": {
+                "properties": {
+                  "domain": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "hash": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "name": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "type": "wildcard"
+              },
+              "roles": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          }
+        }
+      },
+      "user_agent": {
+        "properties": {
+          "device": {
+            "properties": {
+              "name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "name": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "original": {
+            "fields": {
+              "text": {
+                "norms": false,
+                "type": "text"
+              }
+            },
+            "type": "wildcard"
+          },
+          "os": {
+            "properties": {
+              "family": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "full": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "type": "wildcard"
+              },
+              "kernel": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "name": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "type": "wildcard"
+              },
+              "platform": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "version": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "version": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          }
+        }
+      },
+      "vulnerability": {
+        "properties": {
+          "category": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "classification": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "description": {
+            "fields": {
+              "text": {
+                "norms": false,
+                "type": "text"
+              }
+            },
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "enumeration": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "id": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "reference": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "report_id": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "scanner": {
+            "properties": {
+              "vendor": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "score": {
+            "properties": {
+              "base": {
+                "type": "float"
+              },
+              "environmental": {
+                "type": "float"
+              },
+              "temporal": {
+                "type": "float"
+              },
+              "version": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "severity": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          }
+        }
+      }
+    }
+  },
+  "order": 1,
+  "settings": {
+    "index": {
+      "mapping": {
+        "total_fields": {
+          "limit": 10000
+        }
+      },
+      "refresh_interval": "5s"
+    }
+  }
+}
\ No newline at end of file
diff --git a/experimental/schemas/agent.yml b/experimental/schemas/agent.yml
new file mode 100644
index 0000000000..d09e77111d
--- /dev/null
+++ b/experimental/schemas/agent.yml
@@ -0,0 +1,5 @@
+---
+- name: agent
+  fields:
+    - name: build.original
+      type: wildcard
diff --git a/experimental/schemas/as.yml b/experimental/schemas/as.yml
new file mode 100644
index 0000000000..96cf45621c
--- /dev/null
+++ b/experimental/schemas/as.yml
@@ -0,0 +1,5 @@
+---
+- name: as
+  fields:
+    - name: organization.name
+      type: wildcard
diff --git a/experimental/schemas/client.yml b/experimental/schemas/client.yml
new file mode 100644
index 0000000000..14ed3a9a37
--- /dev/null
+++ b/experimental/schemas/client.yml
@@ -0,0 +1,7 @@
+---
+  - name: client
+    fields:
+      - name: domain
+        type: wildcard
+      - name: registered_domain
+        type: wildcard
diff --git a/experimental/schemas/destination.yml b/experimental/schemas/destination.yml
new file mode 100644
index 0000000000..d64a84c6be
--- /dev/null
+++ b/experimental/schemas/destination.yml
@@ -0,0 +1,7 @@
+---
+  - name: destination
+    fields:
+      - name: domain
+        type: wildcard
+      - name: registered_domain
+        type: wildcard
diff --git a/experimental/schemas/dns.yml b/experimental/schemas/dns.yml
new file mode 100644
index 0000000000..54f9ccd69a
--- /dev/null
+++ b/experimental/schemas/dns.yml
@@ -0,0 +1,7 @@
+---
+- name: dns
+  fields:
+    - name: question.name
+      type: wildcard
+    - name: answers.data
+      type: wildcard
diff --git a/experimental/schemas/error.yml b/experimental/schemas/error.yml
new file mode 100644
index 0000000000..f2004d3fe0
--- /dev/null
+++ b/experimental/schemas/error.yml
@@ -0,0 +1,9 @@
+---
+- name: error
+  fields:
+    - name: stack_trace
+      index: true
+      type: wildcard
+
+    - name: type
+      type: wildcard
diff --git a/experimental/schemas/event.yml b/experimental/schemas/event.yml
new file mode 100644
index 0000000000..07daa3ac87
--- /dev/null
+++ b/experimental/schemas/event.yml
@@ -0,0 +1,5 @@
+---
+- name: event
+  fields:
+    - name: original
+      type: wildcard
diff --git a/experimental/schemas/file.yml b/experimental/schemas/file.yml
new file mode 100644
index 0000000000..f4938d38be
--- /dev/null
+++ b/experimental/schemas/file.yml
@@ -0,0 +1,9 @@
+---
+- name: file
+  fields:
+    - name: directory
+      type: wildcard
+    - name: path
+      type: wildcard
+    - name: target_path
+      type: wildcard
diff --git a/experimental/schemas/geo.yml b/experimental/schemas/geo.yml
new file mode 100644
index 0000000000..d3445a5a2b
--- /dev/null
+++ b/experimental/schemas/geo.yml
@@ -0,0 +1,5 @@
+---
+  - name: geo
+    fields:
+      - name: name
+        type: wildcard
diff --git a/experimental/schemas/host.yml b/experimental/schemas/host.yml
new file mode 100644
index 0000000000..91f3d1bbc2
--- /dev/null
+++ b/experimental/schemas/host.yml
@@ -0,0 +1,4 @@
+- name: host
+  fields:
+    - name: hostname
+      type: wildcard
diff --git a/experimental/schemas/http.yml b/experimental/schemas/http.yml
new file mode 100644
index 0000000000..1722cdc5e7
--- /dev/null
+++ b/experimental/schemas/http.yml
@@ -0,0 +1,9 @@
+---
+- name: http
+  fields:
+    - name: request.body.content
+      type: wildcard
+    - name: request.referrer
+      type: wildcard
+    - name: response.body.content
+      type: wildcard
diff --git a/experimental/schemas/log.yml b/experimental/schemas/log.yml
new file mode 100644
index 0000000000..8a2f2dd397
--- /dev/null
+++ b/experimental/schemas/log.yml
@@ -0,0 +1,7 @@
+---
+- name: log
+  fields:
+    - name: file.path
+      type: wildcard
+    - name: logger
+      type: wildcard
diff --git a/experimental/schemas/organization.yml b/experimental/schemas/organization.yml
new file mode 100644
index 0000000000..594581413b
--- /dev/null
+++ b/experimental/schemas/organization.yml
@@ -0,0 +1,5 @@
+---
+- name: organization
+  fields:
+    - name: name
+      type: wildcard
diff --git a/experimental/schemas/os.yml b/experimental/schemas/os.yml
new file mode 100644
index 0000000000..ec9d71a79c
--- /dev/null
+++ b/experimental/schemas/os.yml
@@ -0,0 +1,7 @@
+---
+- name: os
+  fields:
+    - name: name
+      type: wildcard
+    - name: full
+      type: wildcard
diff --git a/experimental/schemas/pe.yml b/experimental/schemas/pe.yml
new file mode 100644
index 0000000000..77a0574348
--- /dev/null
+++ b/experimental/schemas/pe.yml
@@ -0,0 +1,5 @@
+---
+- name: pe
+  fields:
+    - name: original_file_name
+      type: wildcard
diff --git a/experimental/schemas/process.yml b/experimental/schemas/process.yml
new file mode 100644
index 0000000000..da492e4564
--- /dev/null
+++ b/experimental/schemas/process.yml
@@ -0,0 +1,13 @@
+---
+- name: process
+  fields:
+    - name: command_line
+      type: wildcard
+    - name: executable
+      type: wildcard
+    - name: name
+      type: wildcard
+    - name: title
+      type: wildcard
+    - name: working_directory
+      type: wildcard
diff --git a/experimental/schemas/registry.yml b/experimental/schemas/registry.yml
new file mode 100644
index 0000000000..66f6f6b22c
--- /dev/null
+++ b/experimental/schemas/registry.yml
@@ -0,0 +1,9 @@
+---
+- name: registry
+  fields:
+    - name: key
+      type: wildcard
+    - name: path
+      type: wildcard
+    - name: data.strings
+      type: wildcard
diff --git a/experimental/schemas/server.yml b/experimental/schemas/server.yml
new file mode 100644
index 0000000000..70c285f374
--- /dev/null
+++ b/experimental/schemas/server.yml
@@ -0,0 +1,7 @@
+---
+  - name: server
+    fields:
+      - name: domain
+        type: wildcard
+      - name: registered_domain
+        type: wildcard
diff --git a/experimental/schemas/source.yml b/experimental/schemas/source.yml
new file mode 100644
index 0000000000..d810a6cb79
--- /dev/null
+++ b/experimental/schemas/source.yml
@@ -0,0 +1,7 @@
+---
+- name: source
+  fields:
+    - name: domain
+      type: wildcard
+    - name: registered_domain
+      type: wildcard
diff --git a/experimental/schemas/tls.yml b/experimental/schemas/tls.yml
new file mode 100644
index 0000000000..4f5378a313
--- /dev/null
+++ b/experimental/schemas/tls.yml
@@ -0,0 +1,11 @@
+---
+- name: tls
+  fields:
+    - name: client.issuer
+      type: wildcard
+    - name: client.subject
+      type: wildcard
+    - name: server.issuer
+      type: wildcard
+    - name: server.subject
+      type: wildcard
diff --git a/experimental/schemas/url.yml b/experimental/schemas/url.yml
new file mode 100644
index 0000000000..0d5f66c36a
--- /dev/null
+++ b/experimental/schemas/url.yml
@@ -0,0 +1,13 @@
+---
+- name: url
+  fields:
+    - name: original
+      type: wildcard
+    - name: full
+      type: wildcard
+    - name: path
+      type: wildcard
+    - name: domain
+      type: wildcard
+    - name: registered_domain
+      type: wildcard
diff --git a/experimental/schemas/user.yml b/experimental/schemas/user.yml
new file mode 100644
index 0000000000..b2af27d5ab
--- /dev/null
+++ b/experimental/schemas/user.yml
@@ -0,0 +1,17 @@
+---
+- name: user
+  fields:
+    - name: name
+      type: wildcard
+    - name: full_name
+      type: wildcard
+    - name: email
+      type: wildcard
+  reusable:
+    expected:
+      - at: user
+        as: target
+      - at: user
+        as: effective
+      - at: user
+        as: changes
diff --git a/experimental/schemas/user_agent.yml b/experimental/schemas/user_agent.yml
new file mode 100644
index 0000000000..c413a9d702
--- /dev/null
+++ b/experimental/schemas/user_agent.yml
@@ -0,0 +1,5 @@
+---
+- name: user_agent
+  fields:
+    - name: original
+      type: wildcard
diff --git a/experimental/schemas/x509.yml b/experimental/schemas/x509.yml
new file mode 100644
index 0000000000..d1c7d8af6b
--- /dev/null
+++ b/experimental/schemas/x509.yml
@@ -0,0 +1,7 @@
+---
+- name: x509
+  fields:
+    - name: issuer.distinguished_name
+      type: wildcard
+    - name: subject.distinguished_name
+      type: wildcard

From 947f4108077fe1c212207df6cdd8ae248b6a7b0f Mon Sep 17 00:00:00 2001
From: Mathieu Martin <mathieu.martin@elastic.co>
Date: Tue, 6 Oct 2020 15:10:26 -0400
Subject: [PATCH 23/90] Bump version to 1.8.0-dev in branch 1.x (#1011)

---
 code/go/ecs/version.go                        |    2 +-
 docs/fields.asciidoc                          |    2 +-
 docs/index.asciidoc                           |    2 +-
 experimental/generated/beats/fields.ecs.yml   |    2 +-
 experimental/generated/csv/fields.csv         | 1438 ++++++++---------
 .../generated/elasticsearch/7/template.json   |    2 +-
 generated/beats/fields.ecs.yml                |    2 +-
 generated/csv/fields.csv                      | 1368 ++++++++--------
 generated/elasticsearch/6/template.json       |    2 +-
 generated/elasticsearch/7/template.json       |    2 +-
 version                                       |    2 +-
 11 files changed, 1412 insertions(+), 1412 deletions(-)

diff --git a/code/go/ecs/version.go b/code/go/ecs/version.go
index ceb8cf7d1d..0921192cae 100644
--- a/code/go/ecs/version.go
+++ b/code/go/ecs/version.go
@@ -20,4 +20,4 @@
 package ecs
 
 // Version is the Elastic Common Schema version from which this was generated.
-const Version = "1.7.0-dev"
+const Version = "1.8.0-dev"
diff --git a/docs/fields.asciidoc b/docs/fields.asciidoc
index 1de0fae653..bb07676dcb 100644
--- a/docs/fields.asciidoc
+++ b/docs/fields.asciidoc
@@ -2,7 +2,7 @@
 [[ecs-field-reference]]
 == {ecs} Field Reference
 
-This is the documentation of ECS version 1.7.0-dev.
+This is the documentation of ECS version 1.8.0-dev.
 
 ECS defines multiple groups of related fields. They are called "field sets".
 The <<ecs-base,Base>> field set is the only one whose fields are defined
diff --git a/docs/index.asciidoc b/docs/index.asciidoc
index c71023e83a..198abfce07 100644
--- a/docs/index.asciidoc
+++ b/docs/index.asciidoc
@@ -8,7 +8,7 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
 [[ecs-reference]]
 == Overview
 
-This is the documentation of ECS version 1.7.0-dev.
+This is the documentation of ECS version 1.8.0-dev.
 
 [float]
 === What is ECS?
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index 35064b122e..bfb0deef1a 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -1,5 +1,5 @@
 # WARNING! Do not edit this file directly, it was generated by the ECS project,
-# based on ECS version 1.7.0-dev.
+# based on ECS version 1.8.0-dev.
 # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields.
 
 - key: ecs
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
index 62979dd9b5..ce0f216357 100644
--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -1,720 +1,720 @@
 ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
-1.7.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated.
-1.7.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs.
-1.7.0-dev,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer.
-1.7.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event.
-1.7.0-dev,true,agent,agent.build.original,wildcard,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent.
-1.7.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent.
-1.7.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
-1.7.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
-1.7.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent.
-1.7.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
-1.7.0-dev,true,client,client.address,keyword,extended,,,Client network address.
-1.7.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.7.0-dev,true,client,client.as.organization.name,wildcard,extended,,Google LLC,Organization name.
-1.7.0-dev,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.7.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server.
-1.7.0-dev,true,client,client.domain,wildcard,core,,,Client domain.
-1.7.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name.
-1.7.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.7.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.7.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name.
-1.7.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.7.0-dev,true,client,client.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
-1.7.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.7.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name.
-1.7.0-dev,true,client,client.ip,ip,core,,,IP address of the client.
-1.7.0-dev,true,client,client.mac,keyword,core,,,MAC address of the client.
-1.7.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address
-1.7.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port
-1.7.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server.
-1.7.0-dev,true,client,client.port,long,core,,,Port of the client.
-1.7.0-dev,true,client,client.registered_domain,wildcard,extended,,example.com,"The highest registered client domain, stripped of the subdomain."
-1.7.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain.
-1.7.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.7.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.7.0-dev,true,client,client.user.email,wildcard,extended,,,User email address.
-1.7.0-dev,true,client,client.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.7.0-dev,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.7.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.7.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.7.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group.
-1.7.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.7.0-dev,true,client,client.user.id,keyword,core,,,Unique identifier of the user.
-1.7.0-dev,true,client,client.user.name,wildcard,core,,albert,Short name or login of the user.
-1.7.0-dev,true,client,client.user.name.text,text,core,,albert,Short name or login of the user.
-1.7.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.7.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id.
-1.7.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name.
-1.7.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running.
-1.7.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
-1.7.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine.
-1.7.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
-1.7.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id.
-1.7.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name.
-1.7.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider.
-1.7.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running.
-1.7.0-dev,true,container,container.id,keyword,core,,,Unique container id.
-1.7.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on.
-1.7.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags.
-1.7.0-dev,true,container,container.labels,object,extended,,,Image labels.
-1.7.0-dev,true,container,container.name,keyword,extended,,,Container name.
-1.7.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container.
-1.7.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address.
-1.7.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.7.0-dev,true,destination,destination.as.organization.name,wildcard,extended,,Google LLC,Organization name.
-1.7.0-dev,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.7.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source.
-1.7.0-dev,true,destination,destination.domain,wildcard,core,,,Destination domain.
-1.7.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name.
-1.7.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.7.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.7.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name.
-1.7.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.7.0-dev,true,destination,destination.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
-1.7.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.7.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name.
-1.7.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination.
-1.7.0-dev,true,destination,destination.mac,keyword,core,,,MAC address of the destination.
-1.7.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip
-1.7.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port
-1.7.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source.
-1.7.0-dev,true,destination,destination.port,long,core,,,Port of the destination.
-1.7.0-dev,true,destination,destination.registered_domain,wildcard,extended,,example.com,"The highest registered destination domain, stripped of the subdomain."
-1.7.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain.
-1.7.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.7.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.7.0-dev,true,destination,destination.user.email,wildcard,extended,,,User email address.
-1.7.0-dev,true,destination,destination.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.7.0-dev,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.7.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.7.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.7.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group.
-1.7.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.7.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user.
-1.7.0-dev,true,destination,destination.user.name,wildcard,core,,albert,Short name or login of the user.
-1.7.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user.
-1.7.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.7.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-1.7.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-1.7.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-1.7.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-1.7.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.7.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash.
-1.7.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash.
-1.7.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash.
-1.7.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash.
-1.7.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library.
-1.7.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library.
-1.7.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-1.7.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-1.7.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-1.7.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-1.7.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.7.0-dev,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-1.7.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-1.7.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record.
-1.7.0-dev,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource.
-1.7.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains.
-1.7.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded.
-1.7.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record.
-1.7.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags.
-1.7.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
-1.7.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message.
-1.7.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried.
-1.7.0-dev,true,dns,dns.question.name,wildcard,extended,,www.example.com,The name being queried.
-1.7.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain."
-1.7.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain.
-1.7.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.7.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried.
-1.7.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data
-1.7.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code.
-1.7.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer."
-1.7.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
-1.7.0-dev,true,error,error.code,keyword,core,,,Error code describing the error.
-1.7.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error.
-1.7.0-dev,true,error,error.message,text,core,,,Error message.
-1.7.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text.
-1.7.0-dev,true,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text.
-1.7.0-dev,true,error,error.type,wildcard,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception."
-1.7.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event.
-1.7.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy.
-1.7.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event.
-1.7.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline.
-1.7.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset.
-1.7.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds.
-1.7.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed.
-1.7.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
-1.7.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event.
-1.7.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store.
-1.7.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy.
-1.7.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from.
-1.7.0-dev,false,event,event.original,wildcard,core,,Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124; worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event.
-1.7.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy.
-1.7.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event.
-1.7.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source"
-1.7.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL
-1.7.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
-1.7.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100).
-1.7.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event.
-1.7.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event.
-1.7.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed.
-1.7.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone.
-1.7.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy.
-1.7.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL
-1.7.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed.
-1.7.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
-1.7.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-1.7.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-1.7.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-1.7.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-1.7.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.7.0-dev,true,file,file.created,date,extended,,,File creation time.
-1.7.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed.
-1.7.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file.
-1.7.0-dev,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located.
-1.7.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
-1.7.0-dev,true,file,file.extension,keyword,extended,,png,File extension.
-1.7.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
-1.7.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file.
-1.7.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash.
-1.7.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash.
-1.7.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash.
-1.7.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash.
-1.7.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
-1.7.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
-1.7.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation.
-1.7.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified.
-1.7.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
-1.7.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username.
-1.7.0-dev,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name."
-1.7.0-dev,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
-1.7.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-1.7.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-1.7.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-1.7.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-1.7.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.7.0-dev,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-1.7.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-1.7.0-dev,true,file,file.size,long,extended,,16384,File size in bytes.
-1.7.0-dev,true,file,file.target_path,wildcard,extended,,,Target path for symlinks.
-1.7.0-dev,true,file,file.target_path.text,text,extended,,,Target path for symlinks.
-1.7.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
-1.7.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
-1.7.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
-1.7.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
-1.7.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-1.7.0-dev,true,file,file.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
-1.7.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
-1.7.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
-1.7.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
-1.7.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.7.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
-1.7.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
-1.7.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
-1.7.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-1.7.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
-1.7.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
-1.7.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
-1.7.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
-1.7.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
-1.7.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code
-1.7.0-dev,true,file,file.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
-1.7.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
-1.7.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
-1.7.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
-1.7.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.7.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format.
-1.7.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.7.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.7.0-dev,true,group,group.name,keyword,extended,,,Name of the group.
-1.7.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture.
-1.7.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of.
-1.7.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name.
-1.7.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.7.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.7.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name.
-1.7.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.7.0-dev,true,host,host.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
-1.7.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.7.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name.
-1.7.0-dev,true,host,host.hostname,wildcard,core,,,Hostname of the host.
-1.7.0-dev,true,host,host.id,keyword,core,,,Unique host id.
-1.7.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses.
-1.7.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses.
-1.7.0-dev,true,host,host.name,keyword,core,,,Name of the host.
-1.7.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.7.0-dev,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.7.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.7.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.7.0-dev,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
-1.7.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
-1.7.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
-1.7.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
-1.7.0-dev,true,host,host.type,keyword,core,,,Type of host.
-1.7.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up.
-1.7.0-dev,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.7.0-dev,true,host,host.user.email,wildcard,extended,,,User email address.
-1.7.0-dev,true,host,host.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.7.0-dev,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.7.0-dev,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.7.0-dev,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.7.0-dev,true,host,host.user.group.name,keyword,extended,,,Name of the group.
-1.7.0-dev,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.7.0-dev,true,host,host.user.id,keyword,core,,,Unique identifier of the user.
-1.7.0-dev,true,host,host.user.name,wildcard,core,,albert,Short name or login of the user.
-1.7.0-dev,true,host,host.user.name.text,text,core,,albert,Short name or login of the user.
-1.7.0-dev,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.7.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body.
-1.7.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body.
-1.7.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body.
-1.7.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers).
-1.7.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method.
-1.7.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request.
-1.7.0-dev,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request.
-1.7.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body.
-1.7.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body.
-1.7.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body.
-1.7.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers).
-1.7.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response.
-1.7.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code.
-1.7.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version.
-1.7.0-dev,true,log,log.file.path,wildcard,extended,,/var/log/fun-times.log,Full path to the log file this event came from.
-1.7.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event.
-1.7.0-dev,true,log,log.logger,wildcard,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger.
-1.7.0-dev,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event.
-1.7.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event.
-1.7.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event.
-1.7.0-dev,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)."
-1.7.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata
-1.7.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event.
-1.7.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event.
-1.7.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event.
-1.7.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event.
-1.7.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event.
-1.7.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name.
-1.7.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions.
-1.7.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports.
-1.7.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic.
-1.7.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy.
-1.7.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number.
-1.7.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information
-1.7.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-1.7.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-1.7.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network.
-1.7.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions.
-1.7.0-dev,true,network,network.protocol,keyword,core,,http,L7 Network protocol name.
-1.7.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`.
-1.7.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc"
-1.7.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-1.7.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-1.7.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information
-1.7.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias
-1.7.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID
-1.7.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name
-1.7.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-1.7.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-1.7.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone
-1.7.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name.
-1.7.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.7.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.7.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name.
-1.7.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.7.0-dev,true,observer,observer.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
-1.7.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.7.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name.
-1.7.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer.
-1.7.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information
-1.7.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias
-1.7.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID
-1.7.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name
-1.7.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-1.7.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-1.7.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone
-1.7.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer.
-1.7.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer
-1.7.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer.
-1.7.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.7.0-dev,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.7.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.7.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.7.0-dev,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
-1.7.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
-1.7.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
-1.7.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
-1.7.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer.
-1.7.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number.
-1.7.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from.
-1.7.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer.
-1.7.0-dev,true,observer,observer.version,keyword,core,,,Observer version.
-1.7.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization.
-1.7.0-dev,true,organization,organization.name,wildcard,extended,,,Organization name.
-1.7.0-dev,true,organization,organization.name.text,text,extended,,,Organization name.
-1.7.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture.
-1.7.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information
-1.7.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification.
-1.7.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package.
-1.7.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global."
-1.7.0-dev,true,package,package.installed,date,extended,,,Time when package was installed.
-1.7.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license
-1.7.0-dev,true,package,package.name,keyword,extended,,go,Package name
-1.7.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed.
-1.7.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL
-1.7.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes.
-1.7.0-dev,true,package,package.type,keyword,extended,,rpm,Package type
-1.7.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version
-1.7.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
-1.7.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array.
-1.7.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-1.7.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-1.7.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-1.7.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-1.7.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.7.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-1.7.0-dev,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-1.7.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-1.7.0-dev,true,process,process.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable.
-1.7.0-dev,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
-1.7.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process.
-1.7.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash.
-1.7.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash.
-1.7.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash.
-1.7.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash.
-1.7.0-dev,true,process,process.name,wildcard,extended,,ssh,Process name.
-1.7.0-dev,true,process,process.name.text,text,extended,,ssh,Process name.
-1.7.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
-1.7.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
-1.7.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-1.7.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-1.7.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-1.7.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-1.7.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.7.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-1.7.0-dev,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-1.7.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-1.7.0-dev,true,process,process.parent.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable.
-1.7.0-dev,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
-1.7.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process.
-1.7.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash.
-1.7.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash.
-1.7.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash.
-1.7.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash.
-1.7.0-dev,true,process,process.parent.name,wildcard,extended,,ssh,Process name.
-1.7.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name.
-1.7.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-1.7.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-1.7.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-1.7.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-1.7.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.7.0-dev,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-1.7.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-1.7.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
-1.7.0-dev,true,process,process.parent.pid,long,core,,4242,Process id.
-1.7.0-dev,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid.
-1.7.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
-1.7.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID.
-1.7.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name.
-1.7.0-dev,true,process,process.parent.title,wildcard,extended,,,Process title.
-1.7.0-dev,true,process,process.parent.title.text,text,extended,,,Process title.
-1.7.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up.
-1.7.0-dev,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process.
-1.7.0-dev,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process.
-1.7.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-1.7.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-1.7.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-1.7.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-1.7.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.7.0-dev,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-1.7.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-1.7.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
-1.7.0-dev,true,process,process.pid,long,core,,4242,Process id.
-1.7.0-dev,true,process,process.ppid,long,extended,,4241,Parent process' pid.
-1.7.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
-1.7.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID.
-1.7.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name.
-1.7.0-dev,true,process,process.title,wildcard,extended,,,Process title.
-1.7.0-dev,true,process,process.title.text,text,extended,,,Process title.
-1.7.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up.
-1.7.0-dev,true,process,process.working_directory,wildcard,extended,,/home/alice,The working directory of the process.
-1.7.0-dev,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process.
-1.7.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
-1.7.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
-1.7.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
-1.7.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
-1.7.0-dev,true,registry,registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
-1.7.0-dev,true,registry,registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
-1.7.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written.
-1.7.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event.
-1.7.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event.
-1.7.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event.
-1.7.0-dev,true,related,related.user,keyword,extended,array,,All the user names seen on your event.
-1.7.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author
-1.7.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category
-1.7.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description
-1.7.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID
-1.7.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license
-1.7.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name
-1.7.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL
-1.7.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset
-1.7.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID
-1.7.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version
-1.7.0-dev,true,server,server.address,keyword,extended,,,Server network address.
-1.7.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.7.0-dev,true,server,server.as.organization.name,wildcard,extended,,Google LLC,Organization name.
-1.7.0-dev,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.7.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client.
-1.7.0-dev,true,server,server.domain,wildcard,core,,,Server domain.
-1.7.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name.
-1.7.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.7.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.7.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name.
-1.7.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.7.0-dev,true,server,server.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
-1.7.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.7.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name.
-1.7.0-dev,true,server,server.ip,ip,core,,,IP address of the server.
-1.7.0-dev,true,server,server.mac,keyword,core,,,MAC address of the server.
-1.7.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip
-1.7.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port
-1.7.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client.
-1.7.0-dev,true,server,server.port,long,core,,,Port of the server.
-1.7.0-dev,true,server,server.registered_domain,wildcard,extended,,example.com,"The highest registered server domain, stripped of the subdomain."
-1.7.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain.
-1.7.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.7.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.7.0-dev,true,server,server.user.email,wildcard,extended,,,User email address.
-1.7.0-dev,true,server,server.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.7.0-dev,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.7.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.7.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.7.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group.
-1.7.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.7.0-dev,true,server,server.user.id,keyword,core,,,Unique identifier of the user.
-1.7.0-dev,true,server,server.user.name,wildcard,core,,albert,Short name or login of the user.
-1.7.0-dev,true,server,server.user.name.text,text,core,,albert,Short name or login of the user.
-1.7.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.7.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
-1.7.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
-1.7.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service.
-1.7.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node.
-1.7.0-dev,true,service,service.state,keyword,core,,,Current state of the service.
-1.7.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service.
-1.7.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service.
-1.7.0-dev,true,source,source.address,keyword,extended,,,Source network address.
-1.7.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.7.0-dev,true,source,source.as.organization.name,wildcard,extended,,Google LLC,Organization name.
-1.7.0-dev,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.7.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination.
-1.7.0-dev,true,source,source.domain,wildcard,core,,,Source domain.
-1.7.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name.
-1.7.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.7.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.7.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name.
-1.7.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.7.0-dev,true,source,source.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
-1.7.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.7.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name.
-1.7.0-dev,true,source,source.ip,ip,core,,,IP address of the source.
-1.7.0-dev,true,source,source.mac,keyword,core,,,MAC address of the source.
-1.7.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip
-1.7.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port
-1.7.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination.
-1.7.0-dev,true,source,source.port,long,core,,,Port of the source.
-1.7.0-dev,true,source,source.registered_domain,wildcard,extended,,example.com,"The highest registered source domain, stripped of the subdomain."
-1.7.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain.
-1.7.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.7.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.7.0-dev,true,source,source.user.email,wildcard,extended,,,User email address.
-1.7.0-dev,true,source,source.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.7.0-dev,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.7.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.7.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.7.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group.
-1.7.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.7.0-dev,true,source,source.user.id,keyword,core,,,Unique identifier of the user.
-1.7.0-dev,true,source,source.user.name,wildcard,core,,albert,Short name or login of the user.
-1.7.0-dev,true,source,source.user.name.text,text,core,,albert,Short name or login of the user.
-1.7.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.7.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace.
-1.7.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework.
-1.7.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id.
-1.7.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic.
-1.7.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference.
-1.7.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id.
-1.7.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name.
-1.7.0-dev,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name.
-1.7.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference.
-1.7.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id.
-1.7.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name.
-1.7.0-dev,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name.
-1.7.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference.
-1.7.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection.
-1.7.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client.
-1.7.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client.
-1.7.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client.
-1.7.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client.
-1.7.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client.
-1.7.0-dev,true,tls,tls.client.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
-1.7.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake.
-1.7.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid.
-1.7.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid.
-1.7.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI.
-1.7.0-dev,true,tls,tls.client.subject,wildcard,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client.
-1.7.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello.
-1.7.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
-1.7.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
-1.7.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-1.7.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
-1.7.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
-1.7.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
-1.7.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
-1.7.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.7.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
-1.7.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
-1.7.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
-1.7.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-1.7.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
-1.7.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
-1.7.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
-1.7.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
-1.7.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
-1.7.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code
-1.7.0-dev,true,tls,tls.client.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
-1.7.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
-1.7.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
-1.7.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
-1.7.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.7.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format.
-1.7.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable."
-1.7.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
-1.7.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled.
-1.7.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
-1.7.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server.
-1.7.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server.
-1.7.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server.
-1.7.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server.
-1.7.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server.
-1.7.0-dev,true,tls,tls.server.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server.
-1.7.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake.
-1.7.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid.
-1.7.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid.
-1.7.0-dev,true,tls,tls.server.subject,wildcard,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server.
-1.7.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
-1.7.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
-1.7.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-1.7.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
-1.7.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
-1.7.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
-1.7.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
-1.7.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.7.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
-1.7.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
-1.7.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
-1.7.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-1.7.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
-1.7.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
-1.7.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
-1.7.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
-1.7.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
-1.7.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code
-1.7.0-dev,true,tls,tls.server.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
-1.7.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
-1.7.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
-1.7.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
-1.7.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.7.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format.
-1.7.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string.
-1.7.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string.
-1.7.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace.
-1.7.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace.
-1.7.0-dev,true,url,url.domain,wildcard,extended,,www.elastic.co,Domain of the url.
-1.7.0-dev,true,url,url.extension,keyword,extended,,png,File extension from the original request url.
-1.7.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`.
-1.7.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-1.7.0-dev,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-1.7.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
-1.7.0-dev,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
-1.7.0-dev,true,url,url.password,keyword,extended,,,Password of the request.
-1.7.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
-1.7.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443."
-1.7.0-dev,true,url,url.query,keyword,extended,,,Query string of the request.
-1.7.0-dev,true,url,url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
-1.7.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url.
-1.7.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain.
-1.7.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.7.0-dev,true,url,url.username,keyword,extended,,,Username of the request.
-1.7.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.7.0-dev,true,user,user.changes.email,wildcard,extended,,,User email address.
-1.7.0-dev,true,user,user.changes.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.7.0-dev,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.7.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.7.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.7.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group.
-1.7.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.7.0-dev,true,user,user.changes.id,keyword,core,,,Unique identifier of the user.
-1.7.0-dev,true,user,user.changes.name,wildcard,core,,albert,Short name or login of the user.
-1.7.0-dev,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user.
-1.7.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.7.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.7.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.7.0-dev,true,user,user.effective.email,wildcard,extended,,,User email address.
-1.7.0-dev,true,user,user.effective.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.7.0-dev,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.7.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.7.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.7.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group.
-1.7.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.7.0-dev,true,user,user.effective.id,keyword,core,,,Unique identifier of the user.
-1.7.0-dev,true,user,user.effective.name,wildcard,core,,albert,Short name or login of the user.
-1.7.0-dev,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user.
-1.7.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.7.0-dev,true,user,user.email,wildcard,extended,,,User email address.
-1.7.0-dev,true,user,user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.7.0-dev,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.7.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.7.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.7.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group.
-1.7.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.7.0-dev,true,user,user.id,keyword,core,,,Unique identifier of the user.
-1.7.0-dev,true,user,user.name,wildcard,core,,albert,Short name or login of the user.
-1.7.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user.
-1.7.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.7.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.7.0-dev,true,user,user.target.email,wildcard,extended,,,User email address.
-1.7.0-dev,true,user,user.target.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.7.0-dev,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.7.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.7.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.7.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group.
-1.7.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.7.0-dev,true,user,user.target.id,keyword,core,,,Unique identifier of the user.
-1.7.0-dev,true,user,user.target.name,wildcard,core,,albert,Short name or login of the user.
-1.7.0-dev,true,user,user.target.name.text,text,core,,albert,Short name or login of the user.
-1.7.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.7.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device.
-1.7.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
-1.7.0-dev,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
-1.7.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
-1.7.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.7.0-dev,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.7.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.7.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.7.0-dev,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
-1.7.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
-1.7.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
-1.7.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
-1.7.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent.
-1.7.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability.
-1.7.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability.
-1.7.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
-1.7.0-dev,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
-1.7.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability.
-1.7.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability.
-1.7.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability.
-1.7.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number.
-1.7.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor.
-1.7.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score.
-1.7.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score.
-1.7.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score.
-1.7.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version.
-1.7.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability.
+1.8.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated.
+1.8.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs.
+1.8.0-dev,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer.
+1.8.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event.
+1.8.0-dev,true,agent,agent.build.original,wildcard,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent.
+1.8.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent.
+1.8.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
+1.8.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
+1.8.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent.
+1.8.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
+1.8.0-dev,true,client,client.address,keyword,extended,,,Client network address.
+1.8.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.8.0-dev,true,client,client.as.organization.name,wildcard,extended,,Google LLC,Organization name.
+1.8.0-dev,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.8.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server.
+1.8.0-dev,true,client,client.domain,wildcard,core,,,Client domain.
+1.8.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name.
+1.8.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.8.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.8.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name.
+1.8.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.8.0-dev,true,client,client.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.8.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.8.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name.
+1.8.0-dev,true,client,client.ip,ip,core,,,IP address of the client.
+1.8.0-dev,true,client,client.mac,keyword,core,,,MAC address of the client.
+1.8.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address
+1.8.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port
+1.8.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server.
+1.8.0-dev,true,client,client.port,long,core,,,Port of the client.
+1.8.0-dev,true,client,client.registered_domain,wildcard,extended,,example.com,"The highest registered client domain, stripped of the subdomain."
+1.8.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.8.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.8.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.8.0-dev,true,client,client.user.email,wildcard,extended,,,User email address.
+1.8.0-dev,true,client,client.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.8.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.8.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group.
+1.8.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.8.0-dev,true,client,client.user.id,keyword,core,,,Unique identifier of the user.
+1.8.0-dev,true,client,client.user.name,wildcard,core,,albert,Short name or login of the user.
+1.8.0-dev,true,client,client.user.name.text,text,core,,albert,Short name or login of the user.
+1.8.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.8.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id.
+1.8.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name.
+1.8.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running.
+1.8.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
+1.8.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine.
+1.8.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
+1.8.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id.
+1.8.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name.
+1.8.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider.
+1.8.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running.
+1.8.0-dev,true,container,container.id,keyword,core,,,Unique container id.
+1.8.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on.
+1.8.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags.
+1.8.0-dev,true,container,container.labels,object,extended,,,Image labels.
+1.8.0-dev,true,container,container.name,keyword,extended,,,Container name.
+1.8.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container.
+1.8.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address.
+1.8.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.8.0-dev,true,destination,destination.as.organization.name,wildcard,extended,,Google LLC,Organization name.
+1.8.0-dev,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.8.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source.
+1.8.0-dev,true,destination,destination.domain,wildcard,core,,,Destination domain.
+1.8.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name.
+1.8.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.8.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.8.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name.
+1.8.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.8.0-dev,true,destination,destination.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.8.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.8.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name.
+1.8.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination.
+1.8.0-dev,true,destination,destination.mac,keyword,core,,,MAC address of the destination.
+1.8.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip
+1.8.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port
+1.8.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source.
+1.8.0-dev,true,destination,destination.port,long,core,,,Port of the destination.
+1.8.0-dev,true,destination,destination.registered_domain,wildcard,extended,,example.com,"The highest registered destination domain, stripped of the subdomain."
+1.8.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.8.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.8.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.8.0-dev,true,destination,destination.user.email,wildcard,extended,,,User email address.
+1.8.0-dev,true,destination,destination.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.8.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.8.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group.
+1.8.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.8.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user.
+1.8.0-dev,true,destination,destination.user.name,wildcard,core,,albert,Short name or login of the user.
+1.8.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user.
+1.8.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.8.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.8.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.8.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.8.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.8.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.8.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash.
+1.8.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash.
+1.8.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash.
+1.8.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash.
+1.8.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library.
+1.8.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library.
+1.8.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.8.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.8.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.8.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.8.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.8.0-dev,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.8.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.8.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record.
+1.8.0-dev,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource.
+1.8.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains.
+1.8.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded.
+1.8.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record.
+1.8.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags.
+1.8.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
+1.8.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message.
+1.8.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried.
+1.8.0-dev,true,dns,dns.question.name,wildcard,extended,,www.example.com,The name being queried.
+1.8.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain."
+1.8.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain.
+1.8.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.8.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried.
+1.8.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data
+1.8.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code.
+1.8.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer."
+1.8.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
+1.8.0-dev,true,error,error.code,keyword,core,,,Error code describing the error.
+1.8.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error.
+1.8.0-dev,true,error,error.message,text,core,,,Error message.
+1.8.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text.
+1.8.0-dev,true,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text.
+1.8.0-dev,true,error,error.type,wildcard,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception."
+1.8.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event.
+1.8.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy.
+1.8.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event.
+1.8.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline.
+1.8.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset.
+1.8.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds.
+1.8.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed.
+1.8.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
+1.8.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event.
+1.8.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store.
+1.8.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy.
+1.8.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from.
+1.8.0-dev,false,event,event.original,wildcard,core,,Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124; worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event.
+1.8.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy.
+1.8.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event.
+1.8.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source"
+1.8.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL
+1.8.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
+1.8.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100).
+1.8.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event.
+1.8.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event.
+1.8.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed.
+1.8.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone.
+1.8.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy.
+1.8.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL
+1.8.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed.
+1.8.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
+1.8.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.8.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.8.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.8.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.8.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.8.0-dev,true,file,file.created,date,extended,,,File creation time.
+1.8.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed.
+1.8.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file.
+1.8.0-dev,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located.
+1.8.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
+1.8.0-dev,true,file,file.extension,keyword,extended,,png,File extension.
+1.8.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
+1.8.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file.
+1.8.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash.
+1.8.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash.
+1.8.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash.
+1.8.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash.
+1.8.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
+1.8.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
+1.8.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation.
+1.8.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified.
+1.8.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
+1.8.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username.
+1.8.0-dev,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+1.8.0-dev,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+1.8.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.8.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.8.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.8.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.8.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.8.0-dev,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.8.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.8.0-dev,true,file,file.size,long,extended,,16384,File size in bytes.
+1.8.0-dev,true,file,file.target_path,wildcard,extended,,,Target path for symlinks.
+1.8.0-dev,true,file,file.target_path.text,text,extended,,,Target path for symlinks.
+1.8.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
+1.8.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
+1.8.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+1.8.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+1.8.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+1.8.0-dev,true,file,file.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.8.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+1.8.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+1.8.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+1.8.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.8.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+1.8.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+1.8.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+1.8.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+1.8.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+1.8.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+1.8.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+1.8.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+1.8.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+1.8.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code
+1.8.0-dev,true,file,file.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.8.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+1.8.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+1.8.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+1.8.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.8.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format.
+1.8.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.8.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.8.0-dev,true,group,group.name,keyword,extended,,,Name of the group.
+1.8.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture.
+1.8.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of.
+1.8.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name.
+1.8.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.8.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.8.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name.
+1.8.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.8.0-dev,true,host,host.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.8.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.8.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name.
+1.8.0-dev,true,host,host.hostname,wildcard,core,,,Hostname of the host.
+1.8.0-dev,true,host,host.id,keyword,core,,,Unique host id.
+1.8.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses.
+1.8.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses.
+1.8.0-dev,true,host,host.name,keyword,core,,,Name of the host.
+1.8.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+1.8.0-dev,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.8.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.8.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+1.8.0-dev,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
+1.8.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
+1.8.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+1.8.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+1.8.0-dev,true,host,host.type,keyword,core,,,Type of host.
+1.8.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up.
+1.8.0-dev,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.8.0-dev,true,host,host.user.email,wildcard,extended,,,User email address.
+1.8.0-dev,true,host,host.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.8.0-dev,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.8.0-dev,true,host,host.user.group.name,keyword,extended,,,Name of the group.
+1.8.0-dev,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.8.0-dev,true,host,host.user.id,keyword,core,,,Unique identifier of the user.
+1.8.0-dev,true,host,host.user.name,wildcard,core,,albert,Short name or login of the user.
+1.8.0-dev,true,host,host.user.name.text,text,core,,albert,Short name or login of the user.
+1.8.0-dev,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.8.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body.
+1.8.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body.
+1.8.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body.
+1.8.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers).
+1.8.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method.
+1.8.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request.
+1.8.0-dev,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request.
+1.8.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body.
+1.8.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body.
+1.8.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body.
+1.8.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers).
+1.8.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response.
+1.8.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code.
+1.8.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version.
+1.8.0-dev,true,log,log.file.path,wildcard,extended,,/var/log/fun-times.log,Full path to the log file this event came from.
+1.8.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event.
+1.8.0-dev,true,log,log.logger,wildcard,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger.
+1.8.0-dev,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event.
+1.8.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event.
+1.8.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event.
+1.8.0-dev,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)."
+1.8.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata
+1.8.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event.
+1.8.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event.
+1.8.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event.
+1.8.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event.
+1.8.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event.
+1.8.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name.
+1.8.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions.
+1.8.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports.
+1.8.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic.
+1.8.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy.
+1.8.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number.
+1.8.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information
+1.8.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+1.8.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+1.8.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network.
+1.8.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions.
+1.8.0-dev,true,network,network.protocol,keyword,core,,http,L7 Network protocol name.
+1.8.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`.
+1.8.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc"
+1.8.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+1.8.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+1.8.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information
+1.8.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias
+1.8.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID
+1.8.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name
+1.8.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+1.8.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+1.8.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone
+1.8.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name.
+1.8.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.8.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.8.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name.
+1.8.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.8.0-dev,true,observer,observer.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.8.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.8.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name.
+1.8.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer.
+1.8.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information
+1.8.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias
+1.8.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID
+1.8.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name
+1.8.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+1.8.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+1.8.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone
+1.8.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer.
+1.8.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer
+1.8.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer.
+1.8.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+1.8.0-dev,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.8.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.8.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+1.8.0-dev,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
+1.8.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
+1.8.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+1.8.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+1.8.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer.
+1.8.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number.
+1.8.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from.
+1.8.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer.
+1.8.0-dev,true,observer,observer.version,keyword,core,,,Observer version.
+1.8.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization.
+1.8.0-dev,true,organization,organization.name,wildcard,extended,,,Organization name.
+1.8.0-dev,true,organization,organization.name.text,text,extended,,,Organization name.
+1.8.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture.
+1.8.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information
+1.8.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification.
+1.8.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package.
+1.8.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global."
+1.8.0-dev,true,package,package.installed,date,extended,,,Time when package was installed.
+1.8.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license
+1.8.0-dev,true,package,package.name,keyword,extended,,go,Package name
+1.8.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed.
+1.8.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL
+1.8.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes.
+1.8.0-dev,true,package,package.type,keyword,extended,,rpm,Package type
+1.8.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version
+1.8.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
+1.8.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array.
+1.8.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.8.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.8.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.8.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.8.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.8.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.8.0-dev,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.8.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
+1.8.0-dev,true,process,process.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.8.0-dev,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.8.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process.
+1.8.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash.
+1.8.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash.
+1.8.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash.
+1.8.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash.
+1.8.0-dev,true,process,process.name,wildcard,extended,,ssh,Process name.
+1.8.0-dev,true,process,process.name.text,text,extended,,ssh,Process name.
+1.8.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
+1.8.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
+1.8.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.8.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.8.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.8.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.8.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.8.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.8.0-dev,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.8.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
+1.8.0-dev,true,process,process.parent.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.8.0-dev,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.8.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process.
+1.8.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash.
+1.8.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash.
+1.8.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash.
+1.8.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash.
+1.8.0-dev,true,process,process.parent.name,wildcard,extended,,ssh,Process name.
+1.8.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name.
+1.8.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.8.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.8.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.8.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.8.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.8.0-dev,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.8.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.8.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
+1.8.0-dev,true,process,process.parent.pid,long,core,,4242,Process id.
+1.8.0-dev,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid.
+1.8.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
+1.8.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID.
+1.8.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name.
+1.8.0-dev,true,process,process.parent.title,wildcard,extended,,,Process title.
+1.8.0-dev,true,process,process.parent.title.text,text,extended,,,Process title.
+1.8.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up.
+1.8.0-dev,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process.
+1.8.0-dev,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process.
+1.8.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.8.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.8.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.8.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.8.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.8.0-dev,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.8.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.8.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
+1.8.0-dev,true,process,process.pid,long,core,,4242,Process id.
+1.8.0-dev,true,process,process.ppid,long,extended,,4241,Parent process' pid.
+1.8.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
+1.8.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID.
+1.8.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name.
+1.8.0-dev,true,process,process.title,wildcard,extended,,,Process title.
+1.8.0-dev,true,process,process.title.text,text,extended,,,Process title.
+1.8.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up.
+1.8.0-dev,true,process,process.working_directory,wildcard,extended,,/home/alice,The working directory of the process.
+1.8.0-dev,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process.
+1.8.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
+1.8.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
+1.8.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
+1.8.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
+1.8.0-dev,true,registry,registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
+1.8.0-dev,true,registry,registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
+1.8.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written.
+1.8.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event.
+1.8.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event.
+1.8.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event.
+1.8.0-dev,true,related,related.user,keyword,extended,array,,All the user names seen on your event.
+1.8.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author
+1.8.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category
+1.8.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description
+1.8.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID
+1.8.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license
+1.8.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name
+1.8.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL
+1.8.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset
+1.8.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID
+1.8.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version
+1.8.0-dev,true,server,server.address,keyword,extended,,,Server network address.
+1.8.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.8.0-dev,true,server,server.as.organization.name,wildcard,extended,,Google LLC,Organization name.
+1.8.0-dev,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.8.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client.
+1.8.0-dev,true,server,server.domain,wildcard,core,,,Server domain.
+1.8.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name.
+1.8.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.8.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.8.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name.
+1.8.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.8.0-dev,true,server,server.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.8.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.8.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name.
+1.8.0-dev,true,server,server.ip,ip,core,,,IP address of the server.
+1.8.0-dev,true,server,server.mac,keyword,core,,,MAC address of the server.
+1.8.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip
+1.8.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port
+1.8.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client.
+1.8.0-dev,true,server,server.port,long,core,,,Port of the server.
+1.8.0-dev,true,server,server.registered_domain,wildcard,extended,,example.com,"The highest registered server domain, stripped of the subdomain."
+1.8.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.8.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.8.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.8.0-dev,true,server,server.user.email,wildcard,extended,,,User email address.
+1.8.0-dev,true,server,server.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.8.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.8.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group.
+1.8.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.8.0-dev,true,server,server.user.id,keyword,core,,,Unique identifier of the user.
+1.8.0-dev,true,server,server.user.name,wildcard,core,,albert,Short name or login of the user.
+1.8.0-dev,true,server,server.user.name.text,text,core,,albert,Short name or login of the user.
+1.8.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.8.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
+1.8.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
+1.8.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service.
+1.8.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node.
+1.8.0-dev,true,service,service.state,keyword,core,,,Current state of the service.
+1.8.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service.
+1.8.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service.
+1.8.0-dev,true,source,source.address,keyword,extended,,,Source network address.
+1.8.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.8.0-dev,true,source,source.as.organization.name,wildcard,extended,,Google LLC,Organization name.
+1.8.0-dev,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.8.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination.
+1.8.0-dev,true,source,source.domain,wildcard,core,,,Source domain.
+1.8.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name.
+1.8.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.8.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.8.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name.
+1.8.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.8.0-dev,true,source,source.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.8.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.8.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name.
+1.8.0-dev,true,source,source.ip,ip,core,,,IP address of the source.
+1.8.0-dev,true,source,source.mac,keyword,core,,,MAC address of the source.
+1.8.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip
+1.8.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port
+1.8.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination.
+1.8.0-dev,true,source,source.port,long,core,,,Port of the source.
+1.8.0-dev,true,source,source.registered_domain,wildcard,extended,,example.com,"The highest registered source domain, stripped of the subdomain."
+1.8.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.8.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.8.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.8.0-dev,true,source,source.user.email,wildcard,extended,,,User email address.
+1.8.0-dev,true,source,source.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.8.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.8.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group.
+1.8.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.8.0-dev,true,source,source.user.id,keyword,core,,,Unique identifier of the user.
+1.8.0-dev,true,source,source.user.name,wildcard,core,,albert,Short name or login of the user.
+1.8.0-dev,true,source,source.user.name.text,text,core,,albert,Short name or login of the user.
+1.8.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.8.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace.
+1.8.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework.
+1.8.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id.
+1.8.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic.
+1.8.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference.
+1.8.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id.
+1.8.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name.
+1.8.0-dev,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name.
+1.8.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference.
+1.8.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id.
+1.8.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name.
+1.8.0-dev,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name.
+1.8.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference.
+1.8.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection.
+1.8.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client.
+1.8.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client.
+1.8.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client.
+1.8.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client.
+1.8.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client.
+1.8.0-dev,true,tls,tls.client.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
+1.8.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake.
+1.8.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid.
+1.8.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid.
+1.8.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI.
+1.8.0-dev,true,tls,tls.client.subject,wildcard,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client.
+1.8.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello.
+1.8.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+1.8.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+1.8.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+1.8.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.8.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+1.8.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+1.8.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+1.8.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.8.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+1.8.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+1.8.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+1.8.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+1.8.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+1.8.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+1.8.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+1.8.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+1.8.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+1.8.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code
+1.8.0-dev,true,tls,tls.client.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.8.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+1.8.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+1.8.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+1.8.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.8.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format.
+1.8.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable."
+1.8.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
+1.8.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled.
+1.8.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
+1.8.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server.
+1.8.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server.
+1.8.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server.
+1.8.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server.
+1.8.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server.
+1.8.0-dev,true,tls,tls.server.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server.
+1.8.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake.
+1.8.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid.
+1.8.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid.
+1.8.0-dev,true,tls,tls.server.subject,wildcard,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server.
+1.8.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+1.8.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+1.8.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+1.8.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.8.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+1.8.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+1.8.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+1.8.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.8.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+1.8.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+1.8.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+1.8.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+1.8.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+1.8.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+1.8.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+1.8.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+1.8.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+1.8.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code
+1.8.0-dev,true,tls,tls.server.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.8.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+1.8.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+1.8.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+1.8.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.8.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format.
+1.8.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string.
+1.8.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string.
+1.8.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace.
+1.8.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace.
+1.8.0-dev,true,url,url.domain,wildcard,extended,,www.elastic.co,Domain of the url.
+1.8.0-dev,true,url,url.extension,keyword,extended,,png,File extension from the original request url.
+1.8.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`.
+1.8.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+1.8.0-dev,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+1.8.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+1.8.0-dev,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+1.8.0-dev,true,url,url.password,keyword,extended,,,Password of the request.
+1.8.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
+1.8.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443."
+1.8.0-dev,true,url,url.query,keyword,extended,,,Query string of the request.
+1.8.0-dev,true,url,url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
+1.8.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url.
+1.8.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.8.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.8.0-dev,true,url,url.username,keyword,extended,,,Username of the request.
+1.8.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.8.0-dev,true,user,user.changes.email,wildcard,extended,,,User email address.
+1.8.0-dev,true,user,user.changes.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.8.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.8.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group.
+1.8.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.8.0-dev,true,user,user.changes.id,keyword,core,,,Unique identifier of the user.
+1.8.0-dev,true,user,user.changes.name,wildcard,core,,albert,Short name or login of the user.
+1.8.0-dev,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user.
+1.8.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.8.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.8.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.8.0-dev,true,user,user.effective.email,wildcard,extended,,,User email address.
+1.8.0-dev,true,user,user.effective.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.8.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.8.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group.
+1.8.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.8.0-dev,true,user,user.effective.id,keyword,core,,,Unique identifier of the user.
+1.8.0-dev,true,user,user.effective.name,wildcard,core,,albert,Short name or login of the user.
+1.8.0-dev,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user.
+1.8.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.8.0-dev,true,user,user.email,wildcard,extended,,,User email address.
+1.8.0-dev,true,user,user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.8.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.8.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group.
+1.8.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.8.0-dev,true,user,user.id,keyword,core,,,Unique identifier of the user.
+1.8.0-dev,true,user,user.name,wildcard,core,,albert,Short name or login of the user.
+1.8.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user.
+1.8.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.8.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.8.0-dev,true,user,user.target.email,wildcard,extended,,,User email address.
+1.8.0-dev,true,user,user.target.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.8.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.8.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group.
+1.8.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.8.0-dev,true,user,user.target.id,keyword,core,,,Unique identifier of the user.
+1.8.0-dev,true,user,user.target.name,wildcard,core,,albert,Short name or login of the user.
+1.8.0-dev,true,user,user.target.name.text,text,core,,albert,Short name or login of the user.
+1.8.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.8.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device.
+1.8.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
+1.8.0-dev,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
+1.8.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
+1.8.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+1.8.0-dev,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.8.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.8.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+1.8.0-dev,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
+1.8.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
+1.8.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+1.8.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+1.8.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent.
+1.8.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability.
+1.8.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability.
+1.8.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
+1.8.0-dev,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
+1.8.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability.
+1.8.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability.
+1.8.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability.
+1.8.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number.
+1.8.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor.
+1.8.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score.
+1.8.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score.
+1.8.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score.
+1.8.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version.
+1.8.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability.
diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json
index 7099fcb8c7..f4fdf59c7c 100644
--- a/experimental/generated/elasticsearch/7/template.json
+++ b/experimental/generated/elasticsearch/7/template.json
@@ -4,7 +4,7 @@
   ],
   "mappings": {
     "_meta": {
-      "version": "1.7.0-dev"
+      "version": "1.8.0-dev"
     },
     "date_detection": false,
     "dynamic_templates": [
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 807ffd2115..5f83a8e466 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -1,5 +1,5 @@
 # WARNING! Do not edit this file directly, it was generated by the ECS project,
-# based on ECS version 1.7.0-dev.
+# based on ECS version 1.8.0-dev.
 # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields.
 
 - key: ecs
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index baa380bfb8..a53eaad897 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -1,685 +1,685 @@
 ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
-1.7.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated.
-1.7.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs.
-1.7.0-dev,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer.
-1.7.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event.
-1.7.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent.
-1.7.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent.
-1.7.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
-1.7.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
-1.7.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent.
-1.7.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
-1.7.0-dev,true,client,client.address,keyword,extended,,,Client network address.
-1.7.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.7.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name.
-1.7.0-dev,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.7.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server.
-1.7.0-dev,true,client,client.domain,keyword,core,,,Client domain.
-1.7.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name.
-1.7.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.7.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.7.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name.
-1.7.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.7.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-1.7.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.7.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name.
-1.7.0-dev,true,client,client.ip,ip,core,,,IP address of the client.
-1.7.0-dev,true,client,client.mac,keyword,core,,,MAC address of the client.
-1.7.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address
-1.7.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port
-1.7.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server.
-1.7.0-dev,true,client,client.port,long,core,,,Port of the client.
-1.7.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain."
-1.7.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain.
-1.7.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.7.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.7.0-dev,true,client,client.user.email,keyword,extended,,,User email address.
-1.7.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-1.7.0-dev,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.7.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.7.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.7.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group.
-1.7.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.7.0-dev,true,client,client.user.id,keyword,core,,,Unique identifier of the user.
-1.7.0-dev,true,client,client.user.name,keyword,core,,albert,Short name or login of the user.
-1.7.0-dev,true,client,client.user.name.text,text,core,,albert,Short name or login of the user.
-1.7.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.7.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id.
-1.7.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name.
-1.7.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running.
-1.7.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
-1.7.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine.
-1.7.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
-1.7.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id.
-1.7.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name.
-1.7.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider.
-1.7.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running.
-1.7.0-dev,true,container,container.id,keyword,core,,,Unique container id.
-1.7.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on.
-1.7.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags.
-1.7.0-dev,true,container,container.labels,object,extended,,,Image labels.
-1.7.0-dev,true,container,container.name,keyword,extended,,,Container name.
-1.7.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container.
-1.7.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address.
-1.7.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.7.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name.
-1.7.0-dev,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.7.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source.
-1.7.0-dev,true,destination,destination.domain,keyword,core,,,Destination domain.
-1.7.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name.
-1.7.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.7.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.7.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name.
-1.7.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.7.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-1.7.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.7.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name.
-1.7.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination.
-1.7.0-dev,true,destination,destination.mac,keyword,core,,,MAC address of the destination.
-1.7.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip
-1.7.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port
-1.7.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source.
-1.7.0-dev,true,destination,destination.port,long,core,,,Port of the destination.
-1.7.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain."
-1.7.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain.
-1.7.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.7.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.7.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address.
-1.7.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-1.7.0-dev,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.7.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.7.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.7.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group.
-1.7.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.7.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user.
-1.7.0-dev,true,destination,destination.user.name,keyword,core,,albert,Short name or login of the user.
-1.7.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user.
-1.7.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.7.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-1.7.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-1.7.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-1.7.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-1.7.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.7.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash.
-1.7.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash.
-1.7.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash.
-1.7.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash.
-1.7.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library.
-1.7.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library.
-1.7.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-1.7.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-1.7.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-1.7.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-1.7.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.7.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-1.7.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-1.7.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers.
-1.7.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record.
-1.7.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource.
-1.7.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains.
-1.7.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded.
-1.7.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record.
-1.7.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags.
-1.7.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
-1.7.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message.
-1.7.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried.
-1.7.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried.
-1.7.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain."
-1.7.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain.
-1.7.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.7.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried.
-1.7.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data
-1.7.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code.
-1.7.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer."
-1.7.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
-1.7.0-dev,true,error,error.code,keyword,core,,,Error code describing the error.
-1.7.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error.
-1.7.0-dev,true,error,error.message,text,core,,,Error message.
-1.7.0-dev,false,error,error.stack_trace,keyword,extended,,,The stack trace of this error in plain text.
-1.7.0-dev,false,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text.
-1.7.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception."
-1.7.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event.
-1.7.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy.
-1.7.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event.
-1.7.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline.
-1.7.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset.
-1.7.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds.
-1.7.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed.
-1.7.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
-1.7.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event.
-1.7.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store.
-1.7.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy.
-1.7.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from.
-1.7.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124; worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event.
-1.7.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy.
-1.7.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event.
-1.7.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source"
-1.7.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL
-1.7.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
-1.7.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100).
-1.7.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event.
-1.7.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event.
-1.7.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed.
-1.7.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone.
-1.7.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy.
-1.7.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL
-1.7.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed.
-1.7.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
-1.7.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-1.7.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-1.7.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-1.7.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-1.7.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.7.0-dev,true,file,file.created,date,extended,,,File creation time.
-1.7.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed.
-1.7.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file.
-1.7.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located.
-1.7.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
-1.7.0-dev,true,file,file.extension,keyword,extended,,png,File extension.
-1.7.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
-1.7.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file.
-1.7.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash.
-1.7.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash.
-1.7.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash.
-1.7.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash.
-1.7.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
-1.7.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
-1.7.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation.
-1.7.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified.
-1.7.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
-1.7.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username.
-1.7.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
-1.7.0-dev,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
-1.7.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-1.7.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-1.7.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-1.7.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-1.7.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.7.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-1.7.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-1.7.0-dev,true,file,file.size,long,extended,,16384,File size in bytes.
-1.7.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks.
-1.7.0-dev,true,file,file.target_path.text,text,extended,,,Target path for symlinks.
-1.7.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
-1.7.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
-1.7.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
-1.7.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
-1.7.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-1.7.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
-1.7.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
-1.7.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
-1.7.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
-1.7.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.7.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
-1.7.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
-1.7.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
-1.7.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-1.7.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
-1.7.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
-1.7.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
-1.7.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
-1.7.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
-1.7.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code
-1.7.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
-1.7.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
-1.7.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
-1.7.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
-1.7.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.7.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format.
-1.7.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.7.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.7.0-dev,true,group,group.name,keyword,extended,,,Name of the group.
-1.7.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture.
-1.7.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of.
-1.7.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name.
-1.7.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.7.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.7.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name.
-1.7.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.7.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-1.7.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.7.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name.
-1.7.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host.
-1.7.0-dev,true,host,host.id,keyword,core,,,Unique host id.
-1.7.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses.
-1.7.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses.
-1.7.0-dev,true,host,host.name,keyword,core,,,Name of the host.
-1.7.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.7.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.7.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.7.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.7.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
-1.7.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
-1.7.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
-1.7.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
-1.7.0-dev,true,host,host.type,keyword,core,,,Type of host.
-1.7.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up.
-1.7.0-dev,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.7.0-dev,true,host,host.user.email,keyword,extended,,,User email address.
-1.7.0-dev,true,host,host.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-1.7.0-dev,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.7.0-dev,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.7.0-dev,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.7.0-dev,true,host,host.user.group.name,keyword,extended,,,Name of the group.
-1.7.0-dev,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.7.0-dev,true,host,host.user.id,keyword,core,,,Unique identifier of the user.
-1.7.0-dev,true,host,host.user.name,keyword,core,,albert,Short name or login of the user.
-1.7.0-dev,true,host,host.user.name.text,text,core,,albert,Short name or login of the user.
-1.7.0-dev,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.7.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body.
-1.7.0-dev,true,http,http.request.body.content,keyword,extended,,Hello world,The full HTTP request body.
-1.7.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body.
-1.7.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers).
-1.7.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method.
-1.7.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request.
-1.7.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request.
-1.7.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body.
-1.7.0-dev,true,http,http.response.body.content,keyword,extended,,Hello world,The full HTTP response body.
-1.7.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body.
-1.7.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers).
-1.7.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response.
-1.7.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code.
-1.7.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version.
-1.7.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from.
-1.7.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event.
-1.7.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger.
-1.7.0-dev,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event.
-1.7.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event.
-1.7.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event.
-1.7.0-dev,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)."
-1.7.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata
-1.7.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event.
-1.7.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event.
-1.7.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event.
-1.7.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event.
-1.7.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event.
-1.7.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name.
-1.7.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions.
-1.7.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports.
-1.7.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic.
-1.7.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy.
-1.7.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number.
-1.7.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information
-1.7.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-1.7.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-1.7.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network.
-1.7.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions.
-1.7.0-dev,true,network,network.protocol,keyword,core,,http,L7 Network protocol name.
-1.7.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`.
-1.7.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc"
-1.7.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-1.7.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-1.7.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information
-1.7.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias
-1.7.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID
-1.7.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name
-1.7.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-1.7.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-1.7.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone
-1.7.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name.
-1.7.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.7.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.7.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name.
-1.7.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.7.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-1.7.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.7.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name.
-1.7.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer.
-1.7.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information
-1.7.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias
-1.7.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID
-1.7.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name
-1.7.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-1.7.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-1.7.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone
-1.7.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer.
-1.7.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer
-1.7.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer.
-1.7.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.7.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.7.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.7.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.7.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
-1.7.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
-1.7.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
-1.7.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
-1.7.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer.
-1.7.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number.
-1.7.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from.
-1.7.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer.
-1.7.0-dev,true,observer,observer.version,keyword,core,,,Observer version.
-1.7.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization.
-1.7.0-dev,true,organization,organization.name,keyword,extended,,,Organization name.
-1.7.0-dev,true,organization,organization.name.text,text,extended,,,Organization name.
-1.7.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture.
-1.7.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information
-1.7.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification.
-1.7.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package.
-1.7.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global."
-1.7.0-dev,true,package,package.installed,date,extended,,,Time when package was installed.
-1.7.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license
-1.7.0-dev,true,package,package.name,keyword,extended,,go,Package name
-1.7.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed.
-1.7.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL
-1.7.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes.
-1.7.0-dev,true,package,package.type,keyword,extended,,rpm,Package type
-1.7.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version
-1.7.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
-1.7.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array.
-1.7.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-1.7.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-1.7.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-1.7.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-1.7.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.7.0-dev,true,process,process.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-1.7.0-dev,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-1.7.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-1.7.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
-1.7.0-dev,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
-1.7.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process.
-1.7.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash.
-1.7.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash.
-1.7.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash.
-1.7.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash.
-1.7.0-dev,true,process,process.name,keyword,extended,,ssh,Process name.
-1.7.0-dev,true,process,process.name.text,text,extended,,ssh,Process name.
-1.7.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
-1.7.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
-1.7.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-1.7.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-1.7.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-1.7.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-1.7.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.7.0-dev,true,process,process.parent.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-1.7.0-dev,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-1.7.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-1.7.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
-1.7.0-dev,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
-1.7.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process.
-1.7.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash.
-1.7.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash.
-1.7.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash.
-1.7.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash.
-1.7.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name.
-1.7.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name.
-1.7.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-1.7.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-1.7.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-1.7.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-1.7.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.7.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-1.7.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-1.7.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
-1.7.0-dev,true,process,process.parent.pid,long,core,,4242,Process id.
-1.7.0-dev,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid.
-1.7.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
-1.7.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID.
-1.7.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name.
-1.7.0-dev,true,process,process.parent.title,keyword,extended,,,Process title.
-1.7.0-dev,true,process,process.parent.title.text,text,extended,,,Process title.
-1.7.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up.
-1.7.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process.
-1.7.0-dev,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process.
-1.7.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-1.7.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-1.7.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-1.7.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-1.7.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.7.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-1.7.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-1.7.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
-1.7.0-dev,true,process,process.pid,long,core,,4242,Process id.
-1.7.0-dev,true,process,process.ppid,long,extended,,4241,Parent process' pid.
-1.7.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
-1.7.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID.
-1.7.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name.
-1.7.0-dev,true,process,process.title,keyword,extended,,,Process title.
-1.7.0-dev,true,process,process.title.text,text,extended,,,Process title.
-1.7.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up.
-1.7.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process.
-1.7.0-dev,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process.
-1.7.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
-1.7.0-dev,true,registry,registry.data.strings,keyword,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
-1.7.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
-1.7.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
-1.7.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
-1.7.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
-1.7.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written.
-1.7.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event.
-1.7.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event.
-1.7.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event.
-1.7.0-dev,true,related,related.user,keyword,extended,array,,All the user names seen on your event.
-1.7.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author
-1.7.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category
-1.7.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description
-1.7.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID
-1.7.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license
-1.7.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name
-1.7.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL
-1.7.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset
-1.7.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID
-1.7.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version
-1.7.0-dev,true,server,server.address,keyword,extended,,,Server network address.
-1.7.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.7.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name.
-1.7.0-dev,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.7.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client.
-1.7.0-dev,true,server,server.domain,keyword,core,,,Server domain.
-1.7.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name.
-1.7.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.7.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.7.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name.
-1.7.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.7.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-1.7.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.7.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name.
-1.7.0-dev,true,server,server.ip,ip,core,,,IP address of the server.
-1.7.0-dev,true,server,server.mac,keyword,core,,,MAC address of the server.
-1.7.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip
-1.7.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port
-1.7.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client.
-1.7.0-dev,true,server,server.port,long,core,,,Port of the server.
-1.7.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain."
-1.7.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain.
-1.7.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.7.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.7.0-dev,true,server,server.user.email,keyword,extended,,,User email address.
-1.7.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-1.7.0-dev,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.7.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.7.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.7.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group.
-1.7.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.7.0-dev,true,server,server.user.id,keyword,core,,,Unique identifier of the user.
-1.7.0-dev,true,server,server.user.name,keyword,core,,albert,Short name or login of the user.
-1.7.0-dev,true,server,server.user.name.text,text,core,,albert,Short name or login of the user.
-1.7.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.7.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
-1.7.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
-1.7.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service.
-1.7.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node.
-1.7.0-dev,true,service,service.state,keyword,core,,,Current state of the service.
-1.7.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service.
-1.7.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service.
-1.7.0-dev,true,source,source.address,keyword,extended,,,Source network address.
-1.7.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.7.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name.
-1.7.0-dev,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.7.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination.
-1.7.0-dev,true,source,source.domain,keyword,core,,,Source domain.
-1.7.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name.
-1.7.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.7.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.7.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name.
-1.7.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.7.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-1.7.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.7.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name.
-1.7.0-dev,true,source,source.ip,ip,core,,,IP address of the source.
-1.7.0-dev,true,source,source.mac,keyword,core,,,MAC address of the source.
-1.7.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip
-1.7.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port
-1.7.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination.
-1.7.0-dev,true,source,source.port,long,core,,,Port of the source.
-1.7.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain."
-1.7.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain.
-1.7.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.7.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.7.0-dev,true,source,source.user.email,keyword,extended,,,User email address.
-1.7.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-1.7.0-dev,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.7.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.7.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.7.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group.
-1.7.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.7.0-dev,true,source,source.user.id,keyword,core,,,Unique identifier of the user.
-1.7.0-dev,true,source,source.user.name,keyword,core,,albert,Short name or login of the user.
-1.7.0-dev,true,source,source.user.name.text,text,core,,albert,Short name or login of the user.
-1.7.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.7.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace.
-1.7.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework.
-1.7.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id.
-1.7.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic.
-1.7.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference.
-1.7.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id.
-1.7.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name.
-1.7.0-dev,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name.
-1.7.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference.
-1.7.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id.
-1.7.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name.
-1.7.0-dev,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name.
-1.7.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference.
-1.7.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection.
-1.7.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client.
-1.7.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client.
-1.7.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client.
-1.7.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client.
-1.7.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client.
-1.7.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
-1.7.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake.
-1.7.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid.
-1.7.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid.
-1.7.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI.
-1.7.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client.
-1.7.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello.
-1.7.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
-1.7.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
-1.7.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-1.7.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
-1.7.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
-1.7.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
-1.7.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
-1.7.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.7.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
-1.7.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
-1.7.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
-1.7.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-1.7.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
-1.7.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
-1.7.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
-1.7.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
-1.7.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
-1.7.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code
-1.7.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
-1.7.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
-1.7.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
-1.7.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
-1.7.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.7.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format.
-1.7.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable."
-1.7.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
-1.7.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled.
-1.7.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
-1.7.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server.
-1.7.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server.
-1.7.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server.
-1.7.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server.
-1.7.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server.
-1.7.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server.
-1.7.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake.
-1.7.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid.
-1.7.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid.
-1.7.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server.
-1.7.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
-1.7.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
-1.7.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-1.7.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
-1.7.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
-1.7.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
-1.7.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
-1.7.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.7.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
-1.7.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
-1.7.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
-1.7.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-1.7.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
-1.7.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
-1.7.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
-1.7.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
-1.7.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
-1.7.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code
-1.7.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
-1.7.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
-1.7.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
-1.7.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
-1.7.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.7.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format.
-1.7.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string.
-1.7.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string.
-1.7.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace.
-1.7.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace.
-1.7.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url.
-1.7.0-dev,true,url,url.extension,keyword,extended,,png,File extension from the original request url.
-1.7.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`.
-1.7.0-dev,true,url,url.full,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-1.7.0-dev,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-1.7.0-dev,true,url,url.original,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
-1.7.0-dev,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
-1.7.0-dev,true,url,url.password,keyword,extended,,,Password of the request.
-1.7.0-dev,true,url,url.path,keyword,extended,,,"Path of the request, such as ""/search""."
-1.7.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443."
-1.7.0-dev,true,url,url.query,keyword,extended,,,Query string of the request.
-1.7.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
-1.7.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url.
-1.7.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain.
-1.7.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.7.0-dev,true,url,url.username,keyword,extended,,,Username of the request.
-1.7.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.7.0-dev,true,user,user.email,keyword,extended,,,User email address.
-1.7.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-1.7.0-dev,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.7.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.7.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.7.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group.
-1.7.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.7.0-dev,true,user,user.id,keyword,core,,,Unique identifier of the user.
-1.7.0-dev,true,user,user.name,keyword,core,,albert,Short name or login of the user.
-1.7.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user.
-1.7.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.7.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device.
-1.7.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
-1.7.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
-1.7.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
-1.7.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.7.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.7.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.7.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.7.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
-1.7.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
-1.7.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
-1.7.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
-1.7.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent.
-1.7.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability.
-1.7.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability.
-1.7.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
-1.7.0-dev,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
-1.7.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability.
-1.7.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability.
-1.7.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability.
-1.7.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number.
-1.7.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor.
-1.7.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score.
-1.7.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score.
-1.7.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score.
-1.7.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version.
-1.7.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability.
+1.8.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated.
+1.8.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs.
+1.8.0-dev,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer.
+1.8.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event.
+1.8.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent.
+1.8.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent.
+1.8.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
+1.8.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
+1.8.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent.
+1.8.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
+1.8.0-dev,true,client,client.address,keyword,extended,,,Client network address.
+1.8.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.8.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name.
+1.8.0-dev,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.8.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server.
+1.8.0-dev,true,client,client.domain,keyword,core,,,Client domain.
+1.8.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name.
+1.8.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.8.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.8.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name.
+1.8.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.8.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+1.8.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.8.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name.
+1.8.0-dev,true,client,client.ip,ip,core,,,IP address of the client.
+1.8.0-dev,true,client,client.mac,keyword,core,,,MAC address of the client.
+1.8.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address
+1.8.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port
+1.8.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server.
+1.8.0-dev,true,client,client.port,long,core,,,Port of the client.
+1.8.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain."
+1.8.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.8.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.8.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.8.0-dev,true,client,client.user.email,keyword,extended,,,User email address.
+1.8.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.8.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.8.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group.
+1.8.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.8.0-dev,true,client,client.user.id,keyword,core,,,Unique identifier of the user.
+1.8.0-dev,true,client,client.user.name,keyword,core,,albert,Short name or login of the user.
+1.8.0-dev,true,client,client.user.name.text,text,core,,albert,Short name or login of the user.
+1.8.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.8.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id.
+1.8.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name.
+1.8.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running.
+1.8.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
+1.8.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine.
+1.8.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
+1.8.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id.
+1.8.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name.
+1.8.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider.
+1.8.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running.
+1.8.0-dev,true,container,container.id,keyword,core,,,Unique container id.
+1.8.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on.
+1.8.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags.
+1.8.0-dev,true,container,container.labels,object,extended,,,Image labels.
+1.8.0-dev,true,container,container.name,keyword,extended,,,Container name.
+1.8.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container.
+1.8.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address.
+1.8.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.8.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name.
+1.8.0-dev,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.8.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source.
+1.8.0-dev,true,destination,destination.domain,keyword,core,,,Destination domain.
+1.8.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name.
+1.8.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.8.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.8.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name.
+1.8.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.8.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+1.8.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.8.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name.
+1.8.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination.
+1.8.0-dev,true,destination,destination.mac,keyword,core,,,MAC address of the destination.
+1.8.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip
+1.8.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port
+1.8.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source.
+1.8.0-dev,true,destination,destination.port,long,core,,,Port of the destination.
+1.8.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain."
+1.8.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.8.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.8.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.8.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address.
+1.8.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.8.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.8.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group.
+1.8.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.8.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user.
+1.8.0-dev,true,destination,destination.user.name,keyword,core,,albert,Short name or login of the user.
+1.8.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user.
+1.8.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.8.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.8.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.8.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.8.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.8.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.8.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash.
+1.8.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash.
+1.8.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash.
+1.8.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash.
+1.8.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library.
+1.8.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library.
+1.8.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.8.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.8.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.8.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.8.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.8.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.8.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.8.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers.
+1.8.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record.
+1.8.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource.
+1.8.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains.
+1.8.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded.
+1.8.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record.
+1.8.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags.
+1.8.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
+1.8.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message.
+1.8.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried.
+1.8.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried.
+1.8.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain."
+1.8.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain.
+1.8.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.8.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried.
+1.8.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data
+1.8.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code.
+1.8.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer."
+1.8.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
+1.8.0-dev,true,error,error.code,keyword,core,,,Error code describing the error.
+1.8.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error.
+1.8.0-dev,true,error,error.message,text,core,,,Error message.
+1.8.0-dev,false,error,error.stack_trace,keyword,extended,,,The stack trace of this error in plain text.
+1.8.0-dev,false,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text.
+1.8.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception."
+1.8.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event.
+1.8.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy.
+1.8.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event.
+1.8.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline.
+1.8.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset.
+1.8.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds.
+1.8.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed.
+1.8.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
+1.8.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event.
+1.8.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store.
+1.8.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy.
+1.8.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from.
+1.8.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124; worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event.
+1.8.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy.
+1.8.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event.
+1.8.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source"
+1.8.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL
+1.8.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
+1.8.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100).
+1.8.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event.
+1.8.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event.
+1.8.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed.
+1.8.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone.
+1.8.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy.
+1.8.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL
+1.8.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed.
+1.8.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
+1.8.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.8.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.8.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.8.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.8.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.8.0-dev,true,file,file.created,date,extended,,,File creation time.
+1.8.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed.
+1.8.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file.
+1.8.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located.
+1.8.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
+1.8.0-dev,true,file,file.extension,keyword,extended,,png,File extension.
+1.8.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
+1.8.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file.
+1.8.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash.
+1.8.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash.
+1.8.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash.
+1.8.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash.
+1.8.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
+1.8.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
+1.8.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation.
+1.8.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified.
+1.8.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
+1.8.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username.
+1.8.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+1.8.0-dev,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+1.8.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.8.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.8.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.8.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.8.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.8.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.8.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.8.0-dev,true,file,file.size,long,extended,,16384,File size in bytes.
+1.8.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks.
+1.8.0-dev,true,file,file.target_path.text,text,extended,,,Target path for symlinks.
+1.8.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
+1.8.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
+1.8.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+1.8.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+1.8.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+1.8.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.8.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+1.8.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+1.8.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+1.8.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.8.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+1.8.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+1.8.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+1.8.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+1.8.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+1.8.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+1.8.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+1.8.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+1.8.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+1.8.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code
+1.8.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.8.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+1.8.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+1.8.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+1.8.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.8.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format.
+1.8.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.8.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.8.0-dev,true,group,group.name,keyword,extended,,,Name of the group.
+1.8.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture.
+1.8.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of.
+1.8.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name.
+1.8.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.8.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.8.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name.
+1.8.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.8.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+1.8.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.8.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name.
+1.8.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host.
+1.8.0-dev,true,host,host.id,keyword,core,,,Unique host id.
+1.8.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses.
+1.8.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses.
+1.8.0-dev,true,host,host.name,keyword,core,,,Name of the host.
+1.8.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+1.8.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.8.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.8.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+1.8.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
+1.8.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
+1.8.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+1.8.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+1.8.0-dev,true,host,host.type,keyword,core,,,Type of host.
+1.8.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up.
+1.8.0-dev,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.8.0-dev,true,host,host.user.email,keyword,extended,,,User email address.
+1.8.0-dev,true,host,host.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.8.0-dev,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.8.0-dev,true,host,host.user.group.name,keyword,extended,,,Name of the group.
+1.8.0-dev,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.8.0-dev,true,host,host.user.id,keyword,core,,,Unique identifier of the user.
+1.8.0-dev,true,host,host.user.name,keyword,core,,albert,Short name or login of the user.
+1.8.0-dev,true,host,host.user.name.text,text,core,,albert,Short name or login of the user.
+1.8.0-dev,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.8.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body.
+1.8.0-dev,true,http,http.request.body.content,keyword,extended,,Hello world,The full HTTP request body.
+1.8.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body.
+1.8.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers).
+1.8.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method.
+1.8.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request.
+1.8.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request.
+1.8.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body.
+1.8.0-dev,true,http,http.response.body.content,keyword,extended,,Hello world,The full HTTP response body.
+1.8.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body.
+1.8.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers).
+1.8.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response.
+1.8.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code.
+1.8.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version.
+1.8.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from.
+1.8.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event.
+1.8.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger.
+1.8.0-dev,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event.
+1.8.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event.
+1.8.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event.
+1.8.0-dev,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)."
+1.8.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata
+1.8.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event.
+1.8.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event.
+1.8.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event.
+1.8.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event.
+1.8.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event.
+1.8.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name.
+1.8.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions.
+1.8.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports.
+1.8.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic.
+1.8.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy.
+1.8.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number.
+1.8.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information
+1.8.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+1.8.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+1.8.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network.
+1.8.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions.
+1.8.0-dev,true,network,network.protocol,keyword,core,,http,L7 Network protocol name.
+1.8.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`.
+1.8.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc"
+1.8.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+1.8.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+1.8.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information
+1.8.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias
+1.8.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID
+1.8.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name
+1.8.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+1.8.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+1.8.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone
+1.8.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name.
+1.8.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.8.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.8.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name.
+1.8.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.8.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+1.8.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.8.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name.
+1.8.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer.
+1.8.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information
+1.8.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias
+1.8.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID
+1.8.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name
+1.8.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+1.8.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+1.8.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone
+1.8.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer.
+1.8.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer
+1.8.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer.
+1.8.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+1.8.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.8.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.8.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+1.8.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
+1.8.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
+1.8.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+1.8.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+1.8.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer.
+1.8.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number.
+1.8.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from.
+1.8.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer.
+1.8.0-dev,true,observer,observer.version,keyword,core,,,Observer version.
+1.8.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization.
+1.8.0-dev,true,organization,organization.name,keyword,extended,,,Organization name.
+1.8.0-dev,true,organization,organization.name.text,text,extended,,,Organization name.
+1.8.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture.
+1.8.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information
+1.8.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification.
+1.8.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package.
+1.8.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global."
+1.8.0-dev,true,package,package.installed,date,extended,,,Time when package was installed.
+1.8.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license
+1.8.0-dev,true,package,package.name,keyword,extended,,go,Package name
+1.8.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed.
+1.8.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL
+1.8.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes.
+1.8.0-dev,true,package,package.type,keyword,extended,,rpm,Package type
+1.8.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version
+1.8.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
+1.8.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array.
+1.8.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.8.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.8.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.8.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.8.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.8.0-dev,true,process,process.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.8.0-dev,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.8.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
+1.8.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.8.0-dev,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.8.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process.
+1.8.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash.
+1.8.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash.
+1.8.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash.
+1.8.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash.
+1.8.0-dev,true,process,process.name,keyword,extended,,ssh,Process name.
+1.8.0-dev,true,process,process.name.text,text,extended,,ssh,Process name.
+1.8.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
+1.8.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
+1.8.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.8.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.8.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.8.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.8.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.8.0-dev,true,process,process.parent.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.8.0-dev,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.8.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
+1.8.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.8.0-dev,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.8.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process.
+1.8.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash.
+1.8.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash.
+1.8.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash.
+1.8.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash.
+1.8.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name.
+1.8.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name.
+1.8.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.8.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.8.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.8.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.8.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.8.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.8.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.8.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
+1.8.0-dev,true,process,process.parent.pid,long,core,,4242,Process id.
+1.8.0-dev,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid.
+1.8.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
+1.8.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID.
+1.8.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name.
+1.8.0-dev,true,process,process.parent.title,keyword,extended,,,Process title.
+1.8.0-dev,true,process,process.parent.title.text,text,extended,,,Process title.
+1.8.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up.
+1.8.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process.
+1.8.0-dev,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process.
+1.8.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.8.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.8.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.8.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.8.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.8.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.8.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.8.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
+1.8.0-dev,true,process,process.pid,long,core,,4242,Process id.
+1.8.0-dev,true,process,process.ppid,long,extended,,4241,Parent process' pid.
+1.8.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
+1.8.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID.
+1.8.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name.
+1.8.0-dev,true,process,process.title,keyword,extended,,,Process title.
+1.8.0-dev,true,process,process.title.text,text,extended,,,Process title.
+1.8.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up.
+1.8.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process.
+1.8.0-dev,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process.
+1.8.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
+1.8.0-dev,true,registry,registry.data.strings,keyword,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
+1.8.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
+1.8.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
+1.8.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
+1.8.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
+1.8.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written.
+1.8.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event.
+1.8.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event.
+1.8.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event.
+1.8.0-dev,true,related,related.user,keyword,extended,array,,All the user names seen on your event.
+1.8.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author
+1.8.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category
+1.8.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description
+1.8.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID
+1.8.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license
+1.8.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name
+1.8.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL
+1.8.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset
+1.8.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID
+1.8.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version
+1.8.0-dev,true,server,server.address,keyword,extended,,,Server network address.
+1.8.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.8.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name.
+1.8.0-dev,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.8.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client.
+1.8.0-dev,true,server,server.domain,keyword,core,,,Server domain.
+1.8.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name.
+1.8.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.8.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.8.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name.
+1.8.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.8.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+1.8.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.8.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name.
+1.8.0-dev,true,server,server.ip,ip,core,,,IP address of the server.
+1.8.0-dev,true,server,server.mac,keyword,core,,,MAC address of the server.
+1.8.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip
+1.8.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port
+1.8.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client.
+1.8.0-dev,true,server,server.port,long,core,,,Port of the server.
+1.8.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain."
+1.8.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.8.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.8.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.8.0-dev,true,server,server.user.email,keyword,extended,,,User email address.
+1.8.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.8.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.8.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group.
+1.8.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.8.0-dev,true,server,server.user.id,keyword,core,,,Unique identifier of the user.
+1.8.0-dev,true,server,server.user.name,keyword,core,,albert,Short name or login of the user.
+1.8.0-dev,true,server,server.user.name.text,text,core,,albert,Short name or login of the user.
+1.8.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.8.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
+1.8.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
+1.8.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service.
+1.8.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node.
+1.8.0-dev,true,service,service.state,keyword,core,,,Current state of the service.
+1.8.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service.
+1.8.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service.
+1.8.0-dev,true,source,source.address,keyword,extended,,,Source network address.
+1.8.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.8.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name.
+1.8.0-dev,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.8.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination.
+1.8.0-dev,true,source,source.domain,keyword,core,,,Source domain.
+1.8.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name.
+1.8.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.8.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.8.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name.
+1.8.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.8.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+1.8.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.8.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name.
+1.8.0-dev,true,source,source.ip,ip,core,,,IP address of the source.
+1.8.0-dev,true,source,source.mac,keyword,core,,,MAC address of the source.
+1.8.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip
+1.8.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port
+1.8.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination.
+1.8.0-dev,true,source,source.port,long,core,,,Port of the source.
+1.8.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain."
+1.8.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.8.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.8.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.8.0-dev,true,source,source.user.email,keyword,extended,,,User email address.
+1.8.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.8.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.8.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group.
+1.8.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.8.0-dev,true,source,source.user.id,keyword,core,,,Unique identifier of the user.
+1.8.0-dev,true,source,source.user.name,keyword,core,,albert,Short name or login of the user.
+1.8.0-dev,true,source,source.user.name.text,text,core,,albert,Short name or login of the user.
+1.8.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.8.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace.
+1.8.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework.
+1.8.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id.
+1.8.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic.
+1.8.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference.
+1.8.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id.
+1.8.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name.
+1.8.0-dev,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name.
+1.8.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference.
+1.8.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id.
+1.8.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name.
+1.8.0-dev,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name.
+1.8.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference.
+1.8.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection.
+1.8.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client.
+1.8.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client.
+1.8.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client.
+1.8.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client.
+1.8.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client.
+1.8.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
+1.8.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake.
+1.8.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid.
+1.8.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid.
+1.8.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI.
+1.8.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client.
+1.8.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello.
+1.8.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+1.8.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+1.8.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+1.8.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.8.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+1.8.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+1.8.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+1.8.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.8.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+1.8.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+1.8.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+1.8.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+1.8.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+1.8.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+1.8.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+1.8.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+1.8.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+1.8.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code
+1.8.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.8.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+1.8.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+1.8.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+1.8.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.8.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format.
+1.8.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable."
+1.8.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
+1.8.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled.
+1.8.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
+1.8.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server.
+1.8.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server.
+1.8.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server.
+1.8.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server.
+1.8.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server.
+1.8.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server.
+1.8.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake.
+1.8.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid.
+1.8.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid.
+1.8.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server.
+1.8.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+1.8.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+1.8.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+1.8.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.8.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+1.8.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+1.8.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+1.8.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.8.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+1.8.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+1.8.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+1.8.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+1.8.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+1.8.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+1.8.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+1.8.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+1.8.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+1.8.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code
+1.8.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.8.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+1.8.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+1.8.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+1.8.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.8.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format.
+1.8.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string.
+1.8.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string.
+1.8.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace.
+1.8.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace.
+1.8.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url.
+1.8.0-dev,true,url,url.extension,keyword,extended,,png,File extension from the original request url.
+1.8.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`.
+1.8.0-dev,true,url,url.full,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+1.8.0-dev,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+1.8.0-dev,true,url,url.original,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+1.8.0-dev,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+1.8.0-dev,true,url,url.password,keyword,extended,,,Password of the request.
+1.8.0-dev,true,url,url.path,keyword,extended,,,"Path of the request, such as ""/search""."
+1.8.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443."
+1.8.0-dev,true,url,url.query,keyword,extended,,,Query string of the request.
+1.8.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
+1.8.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url.
+1.8.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.8.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.8.0-dev,true,url,url.username,keyword,extended,,,Username of the request.
+1.8.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.8.0-dev,true,user,user.email,keyword,extended,,,User email address.
+1.8.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.8.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.8.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group.
+1.8.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.8.0-dev,true,user,user.id,keyword,core,,,Unique identifier of the user.
+1.8.0-dev,true,user,user.name,keyword,core,,albert,Short name or login of the user.
+1.8.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user.
+1.8.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.8.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device.
+1.8.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
+1.8.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
+1.8.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
+1.8.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+1.8.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.8.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.8.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+1.8.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
+1.8.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
+1.8.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+1.8.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+1.8.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent.
+1.8.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability.
+1.8.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability.
+1.8.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
+1.8.0-dev,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
+1.8.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability.
+1.8.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability.
+1.8.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability.
+1.8.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number.
+1.8.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor.
+1.8.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score.
+1.8.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score.
+1.8.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score.
+1.8.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version.
+1.8.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability.
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json
index 493159d4b3..ead8e6ee27 100644
--- a/generated/elasticsearch/6/template.json
+++ b/generated/elasticsearch/6/template.json
@@ -5,7 +5,7 @@
   "mappings": {
     "_doc": {
       "_meta": {
-        "version": "1.7.0-dev"
+        "version": "1.8.0-dev"
       },
       "date_detection": false,
       "dynamic_templates": [
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json
index b63f3af1c7..bd5fcd8a20 100644
--- a/generated/elasticsearch/7/template.json
+++ b/generated/elasticsearch/7/template.json
@@ -4,7 +4,7 @@
   ],
   "mappings": {
     "_meta": {
-      "version": "1.7.0-dev"
+      "version": "1.8.0-dev"
     },
     "date_detection": false,
     "dynamic_templates": [
diff --git a/version b/version
index de023c91b1..0ef074f2ec 100644
--- a/version
+++ b/version
@@ -1 +1 @@
-1.7.0-dev
+1.8.0-dev

From 1dc6240e3a0c6edc59a4fc0a6ac098ba0d8ae431 Mon Sep 17 00:00:00 2001
From: Mathieu Martin <mathieu.martin@elastic.co>
Date: Tue, 6 Oct 2020 15:44:19 -0400
Subject: [PATCH 24/90] Cut 1.7 changelog (#1010) (#1012)

---
 CHANGELOG.md      | 43 +++++++++++++++++++++++++++++++++++++++++++
 CHANGELOG.next.md | 21 ---------------------
 2 files changed, 43 insertions(+), 21 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0b6a774967..27c5171ca3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,49 @@
 # CHANGELOG
 All notable changes to this project will be documented in this file based on the [Keep a Changelog](http://keepachangelog.com/) Standard. This project adheres to [Semantic Versioning](http://semver.org/).
 
+## [1.7.0](https://github.com/elastic/ecs/compare/v1.6.0...v1.7.0)
+
+### Schema Changes
+
+#### Bugfixes
+
+* The `protocol` allowed value under `event.type` should not have the `expected_event_types` defined. #964
+
+#### Added
+
+* Added Mime Type fields to HTTP request and response. #944
+* Added network directions ingress and egress. #945
+* Added `threat.technique.subtechnique` to capture MITRE ATT&CK® subtechniques. #951
+* Added `configuration` as an allowed `event.category`. #963
+
+#### Improvements
+
+* Expanded field set definitions for `source.*` and `destination.*`. #967
+* Provided better guidance for mapping network events. #969
+* Added the field `.subdomain` under `client`, `destination`, `server`, `source`
+  and `url`, to match its presence at `dns.question.subdomain`. #981
+
+### Tooling and Artifact Changes
+
+#### Bugfixes
+
+* Addressed issue where foreign reuses weren't using the user-supplied `as` value for their destination. #960
+
+#### Added
+
+* Introduced `--strict` flag to perform stricter schema validation when running the generator script. #937
+* Added check under `--strict` that ensures composite types in example fields are quoted. #966
+* Added `ignore_above` and `normalizer` support for keyword multi-fields. #971
+* Added `--oss` flag for users who want to generate ECS templates for use on OSS clusters. #991
+* Added a new directory with experimental artifacts, which includes all changes
+  from RFCs that have reached stage 2. #993
+
+#### Improvements
+
+* Field details Jinja2 template components have been consolidated into one template #897
+* Add `[discrete]` marker before each section header in field details. #989
+
+
 ## [1.6.0](https://github.com/elastic/ecs/compare/v1.5.0...v1.6.0)
 
 ### Schema Changes
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 417377de00..ef52884095 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -14,21 +14,10 @@ Thanks, you're awesome :-) -->
 
 #### Bugfixes
 
-* The `protocol` allowed value under `event.type` should not have the `expected_event_types` defined. #964
-
 #### Added
 
-* Added Mime Type fields to HTTP request and response. #944
-* Added `threat.technique.subtechnique` to capture MITRE ATT&CK® subtechniques. #951
-* Added `configuration` as an allowed `event.category`. #963
-* Added network directions ingress and egress. #945
-
 #### Improvements
 
-* Expanded field set definitions for `source.*` and `destination.*`. #967
-* Provided better guidance for mapping network events. #969
-* Added the field `.subdomain` under `client`, `destination`, `server`, `source` and `url`, to match its presence at `dns.question.subdomain`. #981
-
 #### Deprecated
 
 ### Tooling and Artifact Changes
@@ -37,20 +26,10 @@ Thanks, you're awesome :-) -->
 
 #### Bugfixes
 
-* Addressed issue where foreign reuses weren't using the user-supplied `as` value for their destination. #960
-
 #### Added
 
-* Introduced `--strict` flag to perform stricter schema validation when running the generator script. #937
-* Added check under `--strict` that ensures composite types in example fields are quoted. #966
-* Added `ignore_above` and `normalizer` support for keyword multi-fields. #971
-* Added `--oss` flag for users who want to generate ECS templates for use on OSS clusters. #991
-
 #### Improvements
 
-* Field details Jinja2 template components have been consolidated into one template #897
-* Add `[discrete]` marker before each section header in field details. #989
-
 #### Deprecated
 
 

From 501d404fab561f2780e0afc0a5028f9a9780bf00 Mon Sep 17 00:00:00 2001
From: Mathieu Martin <mathieu.martin@elastic.co>
Date: Thu, 8 Oct 2020 11:35:50 -0400
Subject: [PATCH 25/90] [1.x] Clarify that file extension should exclude the
 dot. (#1016) (#1020)

---
 CHANGELOG.md                                | 1 +
 code/go/ecs/file.go                         | 4 +++-
 docs/field-details.asciidoc                 | 4 +++-
 experimental/generated/beats/fields.ecs.yml | 5 ++++-
 experimental/generated/csv/fields.csv       | 2 +-
 experimental/generated/ecs/ecs_flat.yml     | 7 +++++--
 experimental/generated/ecs/ecs_nested.yml   | 7 +++++--
 generated/beats/fields.ecs.yml              | 5 ++++-
 generated/csv/fields.csv                    | 2 +-
 generated/ecs/ecs_flat.yml                  | 7 +++++--
 generated/ecs/ecs_nested.yml                | 7 +++++--
 schemas/file.yml                            | 7 ++++++-
 12 files changed, 43 insertions(+), 15 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 27c5171ca3..2150e1c38f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ All notable changes to this project will be documented in this file based on the
 #### Bugfixes
 
 * The `protocol` allowed value under `event.type` should not have the `expected_event_types` defined. #964
+* Clarify the definition of `file.extension` (no dots). #1016
 
 #### Added
 
diff --git a/code/go/ecs/file.go b/code/go/ecs/file.go
index 1dc53d28b0..09713b7bf4 100644
--- a/code/go/ecs/file.go
+++ b/code/go/ecs/file.go
@@ -55,7 +55,9 @@ type File struct {
 	// Target path for symlinks.
 	TargetPath string `ecs:"target_path"`
 
-	// File extension.
+	// File extension, excluding the leading dot.
+	// Note that when the file name has multiple extensions (example.tar.gz),
+	// only the last one should be captured ("gz", not "tar.gz").
 	Extension string `ecs:"extension"`
 
 	// File type (file, dir, or symlink).
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index 9bd030d0af..f961b6fa89 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -2109,7 +2109,9 @@ example: `C`
 // ===============================================================
 
 | file.extension
-| File extension.
+| File extension, excluding the leading dot.
+
+Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
 
 type: keyword
 
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index bfb0deef1a..da99874ab5 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -1568,7 +1568,10 @@
       level: extended
       type: keyword
       ignore_above: 1024
-      description: File extension.
+      description: 'File extension, excluding the leading dot.
+
+        Note that when the file name has multiple extensions (example.tar.gz), only
+        the last one should be captured ("gz", not "tar.gz").'
       example: png
     - name: gid
       level: extended
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
index ce0f216357..15b7de8404 100644
--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -174,7 +174,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file.
 1.8.0-dev,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located.
 1.8.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
-1.8.0-dev,true,file,file.extension,keyword,extended,,png,File extension.
+1.8.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
 1.8.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
 1.8.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file.
 1.8.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash.
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index 5f27925261..13a7c32325 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -2502,14 +2502,17 @@ file.drive_letter:
   type: keyword
 file.extension:
   dashed_name: file-extension
-  description: File extension.
+  description: 'File extension, excluding the leading dot.
+
+    Note that when the file name has multiple extensions (example.tar.gz), only the
+    last one should be captured ("gz", not "tar.gz").'
   example: png
   flat_name: file.extension
   ignore_above: 1024
   level: extended
   name: extension
   normalize: []
-  short: File extension.
+  short: File extension, excluding the leading dot.
   type: keyword
 file.gid:
   dashed_name: file-gid
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index 1c40d63dfd..bfb2df366d 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -2925,14 +2925,17 @@ file:
       type: keyword
     file.extension:
       dashed_name: file-extension
-      description: File extension.
+      description: 'File extension, excluding the leading dot.
+
+        Note that when the file name has multiple extensions (example.tar.gz), only
+        the last one should be captured ("gz", not "tar.gz").'
       example: png
       flat_name: file.extension
       ignore_above: 1024
       level: extended
       name: extension
       normalize: []
-      short: File extension.
+      short: File extension, excluding the leading dot.
       type: keyword
     file.gid:
       dashed_name: file-gid
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 5f83a8e466..e4b1f1bb45 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -1604,7 +1604,10 @@
       level: extended
       type: keyword
       ignore_above: 1024
-      description: File extension.
+      description: 'File extension, excluding the leading dot.
+
+        Note that when the file name has multiple extensions (example.tar.gz), only
+        the last one should be captured ("gz", not "tar.gz").'
       example: png
     - name: gid
       level: extended
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index a53eaad897..04f8d184ed 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -175,7 +175,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file.
 1.8.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located.
 1.8.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
-1.8.0-dev,true,file,file.extension,keyword,extended,,png,File extension.
+1.8.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
 1.8.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
 1.8.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file.
 1.8.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash.
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index 08277b4372..81a1ee4950 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -2544,14 +2544,17 @@ file.drive_letter:
   type: keyword
 file.extension:
   dashed_name: file-extension
-  description: File extension.
+  description: 'File extension, excluding the leading dot.
+
+    Note that when the file name has multiple extensions (example.tar.gz), only the
+    last one should be captured ("gz", not "tar.gz").'
   example: png
   flat_name: file.extension
   ignore_above: 1024
   level: extended
   name: extension
   normalize: []
-  short: File extension.
+  short: File extension, excluding the leading dot.
   type: keyword
 file.gid:
   dashed_name: file-gid
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index b4fecef933..1ca8779d5e 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -2968,14 +2968,17 @@ file:
       type: keyword
     file.extension:
       dashed_name: file-extension
-      description: File extension.
+      description: 'File extension, excluding the leading dot.
+
+        Note that when the file name has multiple extensions (example.tar.gz), only
+        the last one should be captured ("gz", not "tar.gz").'
       example: png
       flat_name: file.extension
       ignore_above: 1024
       level: extended
       name: extension
       normalize: []
-      short: File extension.
+      short: File extension, excluding the leading dot.
       type: keyword
     file.gid:
       dashed_name: file-gid
diff --git a/schemas/file.yml b/schemas/file.yml
index 4856f22648..545b4661fa 100644
--- a/schemas/file.yml
+++ b/schemas/file.yml
@@ -74,7 +74,12 @@
     - name: extension
       level: extended
       type: keyword
-      description: File extension.
+      short: File extension, excluding the leading dot.
+      description: >
+        File extension, excluding the leading dot.
+
+        Note that when the file name has multiple extensions (example.tar.gz),
+        only the last one should be captured ("gz", not "tar.gz").
       example: png
 
     - name: type

From 14141ec850b21888a35b15730bd67263bf543cfe Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Thu, 8 Oct 2020 16:01:19 -0500
Subject: [PATCH 26/90] [1.x] Add usage docs section (#988) (#1024)

Co-authored-by: Mathieu Martin <mathieu.martin@elastic.co>
---
 CHANGELOG.md                          |  1 +
 Makefile                              |  2 +-
 docs/usage/README.md                  | 40 +++++++++++++++++++++++++++
 scripts/generators/asciidoc_fields.py | 13 ++++++++-
 scripts/generators/ecs_helpers.py     |  9 ++++++
 scripts/templates/field_details.j2    | 13 ++++++++-
 scripts/tests/test_asciidoc_fields.py | 10 +++++++
 7 files changed, 85 insertions(+), 3 deletions(-)
 create mode 100644 docs/usage/README.md

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2150e1c38f..2ee6329197 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -37,6 +37,7 @@ All notable changes to this project will be documented in this file based on the
 * Introduced `--strict` flag to perform stricter schema validation when running the generator script. #937
 * Added check under `--strict` that ensures composite types in example fields are quoted. #966
 * Added `ignore_above` and `normalizer` support for keyword multi-fields. #971
+* Added ability to supply free-form usage documentation per fieldset. #988
 * Added `--oss` flag for users who want to generate ECS templates for use on OSS clusters. #991
 * Added a new directory with experimental artifacts, which includes all changes
   from RFCs that have reached stage 2. #993
diff --git a/Makefile b/Makefile
index 4261504635..07f0442421 100644
--- a/Makefile
+++ b/Makefile
@@ -44,7 +44,7 @@ docs:
 	if [ ! -d $(PWD)/build/docs ]; then \
 		git clone --depth=1 https://github.com/elastic/docs.git ./build/docs ; \
 	fi
-	./build/docs/build_docs --asciidoctor --doc ./docs/index.asciidoc --chunk=1 $(OPEN_DOCS) --out ./build/html_docs
+	./build/docs/build_docs --asciidoctor --doc ./docs/index.asciidoc --chunk=2 $(OPEN_DOCS) --out ./build/html_docs
 
 # Alias to generate experimental artifacts
 .PHONY: experimental
diff --git a/docs/usage/README.md b/docs/usage/README.md
new file mode 100644
index 0000000000..fce7219a2b
--- /dev/null
+++ b/docs/usage/README.md
@@ -0,0 +1,40 @@
+# Usage Docs
+
+ECS fields can benefit from additional context and examples which describe their real-world usage. This directory provides a place in the documentation to capture these usage details. AsciiDoc markdown files can be added for any fieldset defined in ECS.
+
+## Adding a Usage Doc
+
+1. Create an AsciiDoc formatted file with the `.asciidoc` file extension.
+2. Save the file in this directory (`docs/usage`), naming it after its associated field set (e.g. a usage document for the fields defined in `schemas/base.yml` fields would be named `docs/usage/base.asciidoc`).
+3. The anchor at the top of the file (e.g. `[[ecs-base-usage]]`) must use the following convention for valid link references in the generated docs: `[[ecs-<<fieldset-name>>-usage]]`.
+4. Run `make`. The asciidoc generator will generate the ECS field reference, including the present usage docs.
+
+If the filename doesn't match a currently defined fieldset, the usage document will not appear on the ECS docs site. This logic is handled in the AsciiDoc generator scripts, `scripts/generators/asciidoc_fields.py`.
+
+## Template
+
+The following is a simple AsciiDoc template as a starting point:
+
+```asciidoc
+
+[[ecs-fieldset-usage]]
+==== Fieldset Usage
+
+Add relevant text here.
+
+[discrete]
+===== New Section header
+
+Text for the new section.
+
+[discrete]
+===== Examples
+
+[source,sh]
+-----------
+{
+    "key": "value"
+}
+-----------
+
+```
diff --git a/scripts/generators/asciidoc_fields.py b/scripts/generators/asciidoc_fields.py
index 2aa6f4a8cd..e5e2262bd0 100644
--- a/scripts/generators/asciidoc_fields.py
+++ b/scripts/generators/asciidoc_fields.py
@@ -72,6 +72,15 @@ def sort_fields(fieldset):
     return sorted(fields_list, key=lambda field: field['name'])
 
 
+def check_for_usage_doc(fieldset_name, usage_file_list=ecs_helpers.usage_doc_files()):
+    """Checks if a usage doc exists for the specified
+       fieldset.
+
+    :param fieldset_name: The name of the target fieldset
+    """
+    return f"{fieldset_name}.asciidoc" in usage_file_list
+
+
 def templated(template_name):
     """Decorator function to simplify rendering a template.
 
@@ -138,10 +147,12 @@ def generate_field_details_page(fieldset):
     sorted_reuse_fields = render_fieldset_reuse_text(fieldset)
     render_nestings_reuse_fields = render_nestings_reuse_section(fieldset)
     sorted_fields = sort_fields(fieldset)
+    usage_doc = check_for_usage_doc(fieldset.get('name'))
     return dict(fieldset=fieldset,
                 sorted_reuse_fields=sorted_reuse_fields,
                 render_nestings_reuse_section=render_nestings_reuse_fields,
-                sorted_fields=sorted_fields)
+                sorted_fields=sorted_fields,
+                usage_doc=usage_doc)
 
 
 # Allowed values section
diff --git a/scripts/generators/ecs_helpers.py b/scripts/generators/ecs_helpers.py
index 275c0569ac..2da446f3e3 100644
--- a/scripts/generators/ecs_helpers.py
+++ b/scripts/generators/ecs_helpers.py
@@ -2,6 +2,7 @@
 import os
 import yaml
 import git
+import pathlib
 import warnings
 
 from collections import OrderedDict
@@ -113,6 +114,14 @@ def get_tree_by_ref(ref):
     return commit.tree
 
 
+def usage_doc_files():
+    usage_docs_dir = os.path.join(os.path.dirname(__file__), '../../docs/usage')
+    usage_docs_path = pathlib.Path(usage_docs_dir)
+    if usage_docs_path.is_dir():
+        return [x.name for x in usage_docs_path.glob('*.asciidoc') if x.is_file()]
+    return []
+
+
 def ecs_files():
     """Return the schema file list to load"""
     schema_glob = os.path.join(os.path.dirname(__file__), '../../schemas/*.yml')
diff --git a/scripts/templates/field_details.j2 b/scripts/templates/field_details.j2
index 1ceedf55e0..3eef363fa8 100644
--- a/scripts/templates/field_details.j2
+++ b/scripts/templates/field_details.j2
@@ -4,6 +4,12 @@
 
 {{ fieldset['description']|replace("\n", "\n\n") }}
 
+{%- if usage_doc %}
+
+Find additional usage and examples in the {{ fieldset['name'] }} fields <<ecs-{{ fieldset['name']|replace("_", "-") }}-usage,usage>> section.
+
+{% endif %}
+
 {# Field Details Table Header -#}
 [discrete]
 ==== {{ fieldset['title'] }} Field Details
@@ -113,4 +119,9 @@ Note also that the `{{ fieldset['name'] }}` fields are not expected to be used d
 |=====
 
 {% endif %}{# if 'nestings' #}
-{%- endif %}{# if 'nestings' or 'reusable' in fieldset #}
+{%- endif -%}{# if 'nestings' or 'reusable' in fieldset #}
+{%- if usage_doc %}
+
+include::usage/{{ fieldset['name'] }}.asciidoc[]
+
+{% endif %}
diff --git a/scripts/tests/test_asciidoc_fields.py b/scripts/tests/test_asciidoc_fields.py
index 1a099a9958..2fbec15e84 100644
--- a/scripts/tests/test_asciidoc_fields.py
+++ b/scripts/tests/test_asciidoc_fields.py
@@ -127,6 +127,16 @@ def test_rendering_fieldset_nesting(self):
         self.assertEqual('as', foo_nesting_fields[0]['name'])
         self.assertEqual('Fields describing an AS', foo_nesting_fields[0]['short'])
 
+    def test_check_for_usage_doc_true(self):
+        usage_files = ["foo.asciidoc"]
+        foo_name = self.foo_fieldset.get('name')
+        self.assertTrue(asciidoc_fields.check_for_usage_doc(foo_name, usage_file_list=usage_files))
+
+    def test_check_for_usage_doc_false(self):
+        usage_files = ["notfoo.asciidoc"]
+        foo_name = self.foo_fieldset.get('name')
+        self.assertFalse(asciidoc_fields.check_for_usage_doc(foo_name, usage_file_list=usage_files))
+
 
 if __name__ == '__main__':
     unittest.main()

From 35764fa143d9fd4c840e3332b716c484a39ac313 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Fri, 16 Oct 2020 18:01:37 -0500
Subject: [PATCH 27/90] [1.x] feat: include alias path when generating template
 (#877) (#1035)

Co-authored-by: Richard Gomez <32133502+rgmz@users.noreply.github.com>
---
 CHANGELOG.next.md                         |  2 ++
 schemas/README.md                         | 12 ++++++++++++
 scripts/generators/beats.py               |  2 +-
 scripts/generators/es_template.py         |  2 ++
 scripts/schema/cleaner.py                 |  6 ++++++
 scripts/tests/test_es_template.py         | 13 +++++++++++++
 scripts/tests/unit/test_schema_cleaner.py |  7 +++++++
 7 files changed, 43 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index ef52884095..0df635da67 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -28,6 +28,8 @@ Thanks, you're awesome :-) -->
 
 #### Added
 
+* Added the `path` key when type is `alias`, to support the [alias field type](https://www.elastic.co/guide/en/elasticsearch/reference/current/alias.html). #877
+
 #### Improvements
 
 #### Deprecated
diff --git a/schemas/README.md b/schemas/README.md
index c87be195a3..88440c0354 100644
--- a/schemas/README.md
+++ b/schemas/README.md
@@ -151,6 +151,18 @@ Supported keys to describe expected values for a field
   Optionally, entries in this list can specify 'expected\_event\_types'.
 - expected\_event\_types: list of expected "event.type" values to use in association
   with that category.
+  
+Supported keys when using the [alias field type](https://www.elastic.co/guide/en/elasticsearch/reference/current/alias.html)
+
+```YAML
+    - name: a_field
+      level: extended
+      type: alias
+      path: another_field
+      description: >
+        An alias of another field.
+```
+- path (optional): The full path to the [aliases' target field](https://www.elastic.co/guide/en/elasticsearch/reference/current/alias.html#alias-targets).
 
 #### Multi\_fields
 
diff --git a/scripts/generators/beats.py b/scripts/generators/beats.py
index f305261407..457fecc5ec 100644
--- a/scripts/generators/beats.py
+++ b/scripts/generators/beats.py
@@ -34,7 +34,7 @@ def fieldset_field_array(source_fields, df_whitelist, fieldset_prefix):
     allowed_keys = ['name', 'level', 'required', 'type', 'object_type',
                     'ignore_above', 'multi_fields', 'format', 'input_format',
                     'output_format', 'output_precision', 'description',
-                    'example', 'enabled', 'index']
+                    'example', 'enabled', 'index', 'path']
     multi_fields_allowed_keys = ['name', 'type', 'norms', 'default_field', 'normalizer', 'ignore_above']
 
     fields = []
diff --git a/scripts/generators/es_template.py b/scripts/generators/es_template.py
index 5bf264a784..08e925f0ae 100644
--- a/scripts/generators/es_template.py
+++ b/scripts/generators/es_template.py
@@ -59,6 +59,8 @@ def entry_for(field):
             ecs_helpers.dict_copy_existing_keys(field, field_entry, ['ignore_above'])
         elif field['type'] == 'text':
             ecs_helpers.dict_copy_existing_keys(field, field_entry, ['norms'])
+        elif field['type'] == 'alias':
+            ecs_helpers.dict_copy_existing_keys(field, field_entry, ['path'])
 
         if 'multi_fields' in field:
             field_entry['fields'] = {}
diff --git a/scripts/schema/cleaner.py b/scripts/schema/cleaner.py
index 5f15d459fe..fa5838cbb7 100644
--- a/scripts/schema/cleaner.py
+++ b/scripts/schema/cleaner.py
@@ -158,6 +158,12 @@ def field_mandatory_attributes(field):
         return
     current_field_attributes = sorted(field['field_details'].keys())
     missing_attributes = ecs_helpers.list_subtract(FIELD_MANDATORY_ATTRIBUTES, current_field_attributes)
+
+    # The `alias` type requires a target path.
+    # https://github.com/elastic/ecs/issues/876
+    if field['field_details'].get('type') == 'alias' and 'path' not in current_field_attributes:
+        missing_attributes.append('path')
+
     if len(missing_attributes) > 0:
         msg = "Field is missing the following mandatory attributes: {}.\nFound these: {}.\nField details: {}"
         raise ValueError(msg.format(', '.join(missing_attributes),
diff --git a/scripts/tests/test_es_template.py b/scripts/tests/test_es_template.py
index 9ff4c30306..9136f8b99e 100644
--- a/scripts/tests/test_es_template.py
+++ b/scripts/tests/test_es_template.py
@@ -109,6 +109,19 @@ def test_entry_for_index(self):
         }
         self.assertEqual(es_template.entry_for(test_map), exp)
 
+    def test_entry_for_alias(self):
+        test_map = {
+            'name': 'test.alias',
+            'type': 'alias',
+            'path': 'alias.target'
+        }
+
+        exp = {
+            'type': 'alias',
+            'path': 'alias.target'
+        }
+        self.assertEqual(es_template.entry_for(test_map), exp)
+
 
 if __name__ == '__main__':
     unittest.main()
diff --git a/scripts/tests/unit/test_schema_cleaner.py b/scripts/tests/unit/test_schema_cleaner.py
index 8298a32bb3..ba86728e2d 100644
--- a/scripts/tests/unit/test_schema_cleaner.py
+++ b/scripts/tests/unit/test_schema_cleaner.py
@@ -157,6 +157,13 @@ def test_field_raises_on_missing_required_attributes(self):
                                         "mandatory attributes: {}".format(missing_attribute)):
                 cleaner.field_mandatory_attributes(field)
 
+    def test_field_raises_on_alias_missing_path_attribute(self):
+        field = self.schema_process()['process']['fields']['pid']
+        field['field_details']['type'] = "alias"
+        with self.assertRaisesRegex(ValueError,
+                                    "mandatory attributes: {}".format("path")):
+            cleaner.field_mandatory_attributes(field)
+
     def test_field_simple_cleanup(self):
         my_field = {
             'field_details': {

From a173cda2e3ecb19963974c5c1ab4d23062e6eaaa Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Wed, 28 Oct 2020 12:12:58 -0500
Subject: [PATCH 28/90] [1.x] Add support for `scaling_factor` in the generator
 (#1042) (#1055)

Co-authored-by: Mathieu Martin <mathieu.martin@elastic.co>
---
 CHANGELOG.next.md                         |  1 +
 scripts/generators/beats.py               |  2 +-
 scripts/generators/es_template.py         |  2 ++
 scripts/schema/cleaner.py                 |  6 ++++--
 scripts/tests/test_es_template.py         | 13 +++++++++++++
 scripts/tests/unit/test_schema_cleaner.py |  7 +++++++
 6 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 0df635da67..2d4e349ec7 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -29,6 +29,7 @@ Thanks, you're awesome :-) -->
 #### Added
 
 * Added the `path` key when type is `alias`, to support the [alias field type](https://www.elastic.co/guide/en/elasticsearch/reference/current/alias.html). #877
+* Added support for `scaled_float`'s mandatory parameter `scaling_factor`. #1042
 
 #### Improvements
 
diff --git a/scripts/generators/beats.py b/scripts/generators/beats.py
index 457fecc5ec..0d182b40db 100644
--- a/scripts/generators/beats.py
+++ b/scripts/generators/beats.py
@@ -34,7 +34,7 @@ def fieldset_field_array(source_fields, df_whitelist, fieldset_prefix):
     allowed_keys = ['name', 'level', 'required', 'type', 'object_type',
                     'ignore_above', 'multi_fields', 'format', 'input_format',
                     'output_format', 'output_precision', 'description',
-                    'example', 'enabled', 'index', 'path']
+                    'example', 'enabled', 'index', 'path', 'scaling_factor']
     multi_fields_allowed_keys = ['name', 'type', 'norms', 'default_field', 'normalizer', 'ignore_above']
 
     fields = []
diff --git a/scripts/generators/es_template.py b/scripts/generators/es_template.py
index 08e925f0ae..9fed37ee05 100644
--- a/scripts/generators/es_template.py
+++ b/scripts/generators/es_template.py
@@ -61,6 +61,8 @@ def entry_for(field):
             ecs_helpers.dict_copy_existing_keys(field, field_entry, ['norms'])
         elif field['type'] == 'alias':
             ecs_helpers.dict_copy_existing_keys(field, field_entry, ['path'])
+        elif field['type'] == 'scaled_float':
+            ecs_helpers.dict_copy_existing_keys(field, field_entry, ['scaling_factor'])
 
         if 'multi_fields' in field:
             field_entry['fields'] = {}
diff --git a/scripts/schema/cleaner.py b/scripts/schema/cleaner.py
index fa5838cbb7..ab3acfcaeb 100644
--- a/scripts/schema/cleaner.py
+++ b/scripts/schema/cleaner.py
@@ -159,10 +159,12 @@ def field_mandatory_attributes(field):
     current_field_attributes = sorted(field['field_details'].keys())
     missing_attributes = ecs_helpers.list_subtract(FIELD_MANDATORY_ATTRIBUTES, current_field_attributes)
 
-    # The `alias` type requires a target path.
-    # https://github.com/elastic/ecs/issues/876
+    # `alias` fields require a target `path` attribute.
     if field['field_details'].get('type') == 'alias' and 'path' not in current_field_attributes:
         missing_attributes.append('path')
+    # `scaled_float` fields require a `scaling_factor` attribute.
+    if field['field_details'].get('type') == 'scaled_float' and 'scaling_factor' not in current_field_attributes:
+        missing_attributes.append('scaling_factor')
 
     if len(missing_attributes) > 0:
         msg = "Field is missing the following mandatory attributes: {}.\nFound these: {}.\nField details: {}"
diff --git a/scripts/tests/test_es_template.py b/scripts/tests/test_es_template.py
index 9136f8b99e..a1491d2241 100644
--- a/scripts/tests/test_es_template.py
+++ b/scripts/tests/test_es_template.py
@@ -122,6 +122,19 @@ def test_entry_for_alias(self):
         }
         self.assertEqual(es_template.entry_for(test_map), exp)
 
+    def test_entry_for_scaled_float(self):
+        test_map = {
+            'name': 'test.scaled_float',
+            'type': 'scaled_float',
+            'scaling_factor': 1000
+        }
+
+        exp = {
+            'type': 'scaled_float',
+            'scaling_factor': 1000
+        }
+        self.assertEqual(es_template.entry_for(test_map), exp)
+
 
 if __name__ == '__main__':
     unittest.main()
diff --git a/scripts/tests/unit/test_schema_cleaner.py b/scripts/tests/unit/test_schema_cleaner.py
index ba86728e2d..13f78c4e91 100644
--- a/scripts/tests/unit/test_schema_cleaner.py
+++ b/scripts/tests/unit/test_schema_cleaner.py
@@ -164,6 +164,13 @@ def test_field_raises_on_alias_missing_path_attribute(self):
                                     "mandatory attributes: {}".format("path")):
             cleaner.field_mandatory_attributes(field)
 
+    def test_raises_on_missing_scaling_factor(self):
+        field = self.schema_process()['process']['fields']['pid']
+        field['field_details']['type'] = "scaled_float"
+        with self.assertRaisesRegex(ValueError,
+                                    "mandatory attributes: {}".format("scaling_factor")):
+            cleaner.field_mandatory_attributes(field)
+
     def test_field_simple_cleanup(self):
         my_field = {
             'field_details': {

From 5afd0a586f6421b6c59626fd99ee110f0e8687e2 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Wed, 28 Oct 2020 12:37:49 -0500
Subject: [PATCH 29/90] [1.x] Add fallback for constant_keyword (#1046) (#1056)

Co-authored-by: Mathieu Martin <mathieu.martin@elastic.co>
---
 CHANGELOG.next.md                     |  1 +
 scripts/schema/oss.py                 |  6 ++++--
 scripts/tests/unit/test_schema_oss.py | 11 ++++++++++-
 3 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 2d4e349ec7..4cbd2bb895 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -30,6 +30,7 @@ Thanks, you're awesome :-) -->
 
 * Added the `path` key when type is `alias`, to support the [alias field type](https://www.elastic.co/guide/en/elasticsearch/reference/current/alias.html). #877
 * Added support for `scaled_float`'s mandatory parameter `scaling_factor`. #1042
+* Added ability for --oss flag to fall back `constant_keyword` to `keyword`. #1046
 
 #### Improvements
 
diff --git a/scripts/schema/oss.py b/scripts/schema/oss.py
index ba38a254b1..bfc07bb071 100644
--- a/scripts/schema/oss.py
+++ b/scripts/schema/oss.py
@@ -13,6 +13,7 @@
 from schema import visitor
 
 TYPE_FALLBACKS = {
+    'constant_keyword': 'keyword',
     'wildcard': 'keyword',
     'version': 'keyword'
 }
@@ -25,5 +26,6 @@ def fallback(fields):
 
 def perform_fallback(field):
     """Performs a best effort fallback of basic data types to equivalent OSS data types."""
-    if field['field_details']['type'] in TYPE_FALLBACKS.keys():
-        field['field_details']['type'] = TYPE_FALLBACKS[field['field_details']['type']]
+    fallback_type = TYPE_FALLBACKS.get(field['field_details']['type'])
+    if fallback_type:
+        field['field_details']['type'] = fallback_type
diff --git a/scripts/tests/unit/test_schema_oss.py b/scripts/tests/unit/test_schema_oss.py
index 4ac08d9d08..910b7959ca 100644
--- a/scripts/tests/unit/test_schema_oss.py
+++ b/scripts/tests/unit/test_schema_oss.py
@@ -14,6 +14,8 @@ class TestSchemaOss(unittest.TestCase):
     def setUp(self):
         self.maxDiff = None
 
+    # Fallbacks
+
     def test_wildcard_fallback(self):
         field = {'field_details': {'name': 'myfield', 'type': 'wildcard'}}
         oss.perform_fallback(field)
@@ -24,12 +26,19 @@ def test_version_fallback(self):
         oss.perform_fallback(field)
         self.assertEqual('keyword', field['field_details']['type'])
 
+    def test_constant_keyword_fallback(self):
+        field = {'field_details': {'name': 'myfield', 'type': 'constant_keyword'}}
+        oss.perform_fallback(field)
+        self.assertEqual('keyword', field['field_details']['type'])
+
+    # Not falling back
+
     def test_basic_without_fallback(self):
         field = {'field_details': {'name': 'myfield', 'type': 'histogram'}}
         oss.perform_fallback(field)
         self.assertEqual('histogram', field['field_details']['type'])
 
-    def test_oss_no_fallback(self):
+    def test_oss_no_fallback_needed(self):
         field = {'field_details': {'name': 'myfield', 'type': 'keyword'}}
         oss.perform_fallback(field)
         self.assertEqual('keyword', field['field_details']['type'])

From 7ef838baa1507e612754f0d45730382f9fbe9dd8 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Wed, 28 Oct 2020 12:51:40 -0500
Subject: [PATCH 30/90] [1.x] Add wildcard type support to go code generator
 (#1050) (#1057)

* add wildcard type support

* also add version and constant_keyword

* changelog
---
 CHANGELOG.next.md                  | 1 +
 scripts/cmd/gocodegen/gocodegen.go | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 4cbd2bb895..78dad60ec5 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -31,6 +31,7 @@ Thanks, you're awesome :-) -->
 * Added the `path` key when type is `alias`, to support the [alias field type](https://www.elastic.co/guide/en/elasticsearch/reference/current/alias.html). #877
 * Added support for `scaled_float`'s mandatory parameter `scaling_factor`. #1042
 * Added ability for --oss flag to fall back `constant_keyword` to `keyword`. #1046
+* Added support in the generated Go source go for `wildcard`, `version`, and `constant_keyword` data types. #1050
 
 #### Improvements
 
diff --git a/scripts/cmd/gocodegen/gocodegen.go b/scripts/cmd/gocodegen/gocodegen.go
index c202691ce0..8fff5ed5d9 100644
--- a/scripts/cmd/gocodegen/gocodegen.go
+++ b/scripts/cmd/gocodegen/gocodegen.go
@@ -274,7 +274,7 @@ func goDataType(fieldName, elasticsearchDataType string) string {
 	}
 
 	switch elasticsearchDataType {
-	case "keyword", "text", "ip", "geo_point":
+	case "keyword", "wildcard", "version", "constant_keyword", "text", "ip", "geo_point":
 		return "string"
 	case "long":
 		return "int64"

From a28ee14cb1b56fd1310dd1b9da511a6065bc831a Mon Sep 17 00:00:00 2001
From: Mathieu Martin <mathieu.martin@elastic.co>
Date: Thu, 29 Oct 2020 12:41:14 -0400
Subject: [PATCH 31/90] [1.x] New default make task that generates main and
 experimental artifacts. (#1041) (#1060)

Also changing the order of the 'generate' task: it now starts with the new generator, then runs the legacy scripts.
---
 Makefile | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index 07f0442421..67ee219d8a 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,7 @@
 #
 # Variables
 #
-.DEFAULT_GOAL    := generate
+.DEFAULT_GOAL    := all
 FIND             := find . -type f -not -path './build/*' -not -path './.git/*'
 FORCE_GO_MODULES := GO111MODULE=on
 OPEN_DOCS        ?= "--open"
@@ -12,6 +12,10 @@ VERSION          := $(shell cat version)
 # Targets (sorted alphabetically)
 #
 
+# Default build generates main and experimental artifacts
+.PHONY: all
+all: generate experimental
+
 # Check verifies that all of the committed files that are generated are
 # up-to-date.
 .PHONY: check
@@ -60,7 +64,7 @@ fmt: ve
 
 # Alias to generate everything.
 .PHONY: generate
-generate: legacy_use_cases codegen generator
+generate: generator legacy_use_cases codegen
 	$(PYTHON) --version
 
 # Run the new generator

From 52de713ad586938d110ca49cb41c1d3579eabd02 Mon Sep 17 00:00:00 2001
From: Mathieu Martin <mathieu.martin@elastic.co>
Date: Mon, 2 Nov 2020 13:02:04 -0500
Subject: [PATCH 32/90] [1.x] Change the index pattern in the sample template.
 (#1048) (#1068)

---
 CHANGELOG.md                                  |  5 +++
 .../generated/elasticsearch/7/template.json   |  2 +-
 generated/elasticsearch/6/template.json       |  2 +-
 generated/elasticsearch/7/template.json       |  2 +-
 generated/elasticsearch/README.md             | 41 ++++++++++++++-----
 scripts/generators/es_template.py             |  2 +-
 6 files changed, 39 insertions(+), 15 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2ee6329197..a1927875df 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -28,6 +28,11 @@ All notable changes to this project will be documented in this file based on the
 
 ### Tooling and Artifact Changes
 
+#### Breaking changes
+
+* Changed the index pattern of the sample Elasticsearch template from `ecs-*` to
+  `try-ecs-*` to avoid conflicting with Logstash' `ecs-logstash-*`. #1048
+
 #### Bugfixes
 
 * Addressed issue where foreign reuses weren't using the user-supplied `as` value for their destination. #960
diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json
index f4fdf59c7c..a75360b36d 100644
--- a/experimental/generated/elasticsearch/7/template.json
+++ b/experimental/generated/elasticsearch/7/template.json
@@ -1,6 +1,6 @@
 {
   "index_patterns": [
-    "ecs-*"
+    "try-ecs-*"
   ],
   "mappings": {
     "_meta": {
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json
index ead8e6ee27..1392c740e3 100644
--- a/generated/elasticsearch/6/template.json
+++ b/generated/elasticsearch/6/template.json
@@ -1,6 +1,6 @@
 {
   "index_patterns": [
-    "ecs-*"
+    "try-ecs-*"
   ],
   "mappings": {
     "_doc": {
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json
index bd5fcd8a20..fe43b9ed19 100644
--- a/generated/elasticsearch/7/template.json
+++ b/generated/elasticsearch/7/template.json
@@ -1,6 +1,6 @@
 {
   "index_patterns": [
-    "ecs-*"
+    "try-ecs-*"
   ],
   "mappings": {
     "_meta": {
diff --git a/generated/elasticsearch/README.md b/generated/elasticsearch/README.md
index 062afac1f9..40579d141c 100644
--- a/generated/elasticsearch/README.md
+++ b/generated/elasticsearch/README.md
@@ -3,33 +3,52 @@
 Crafting the perfect Elasticsearch template is an art. But here's a good starting
 point for experimentation.
 
+When you're ready to customize this template to the precise needs of your use case,
+please check out [USAGE.md](../../USAGE.md).
+
+## Notes on index naming
+
+This sample Elasticsearch template will apply to any index named `try-ecs-*`.
+This is good for experimentation.
+
+Note that an index following ECS can be named however you need. There's no requirement
+to have "ecs" in the index name.
+
 ## Instructions
 
-Load the template from your shell
+If you want to play with a specific version of ECS, check out the proper branch first.
+
+```
+git checkout 1.6
+```
+
+Load the template in Elasticsearch from your shell.
 
 ```bash
 # Elasticsearch 7
-curl -XPOST 'localhost:9200/_template/ecs-test' --header "Content-Type: application/json" \
+curl -XPOST 'localhost:9200/_template/try-ecs' \
+  --header "Content-Type: application/json" \
   -d @'generated/elasticsearch/7/template.json'
 
 # or Elasticsearch 6
-curl -XPOST 'localhost:9200/_template/ecs-test' --header "Content-Type: application/json" \
+curl -XPOST 'localhost:9200/_template/try-ecs' \
+  --header "Content-Type: application/json" \
   -d @'generated/elasticsearch/6/template.json'
 ```
 
 Play from Kibana Dev Tools
 
 ```
-# 👀
-GET _template/ecs-test
+# Look at the template you just uploaded 👀
+GET _template/try-ecs
 
-# index
-PUT ecs-test
-GET ecs-test
-POST ecs-test/_doc
-{ "@timestamp": "2019-02-26T22:38:39.000Z", "message": "Hello ECS World", "host": { "ip": "10.42.42.42"} }
+# index a document
+PUT try-ecs-test
+GET try-ecs-test
+POST try-ecs-test/_doc
+{ "@timestamp": "2020-10-26T22:38:39.000Z", "message": "Hello ECS World", "host": { "ip": "10.42.42.42"} }
 
 # enjoy
-GET ecs-test/_search
+GET try-ecs-test/_search
 { "query": { "term": { "host.ip": "10.0.0.0/8" } } }
 ```
diff --git a/scripts/generators/es_template.py b/scripts/generators/es_template.py
index 9fed37ee05..13498cef9d 100644
--- a/scripts/generators/es_template.py
+++ b/scripts/generators/es_template.py
@@ -109,7 +109,7 @@ def save_json(file, data):
 
 def default_template_settings():
     return {
-        "index_patterns": ["ecs-*"],
+        "index_patterns": ["try-ecs-*"],
         "order": 1,
         "settings": {
             "index": {

From 1703ac8711f14295b1acb576184faad2dfdb1f3d Mon Sep 17 00:00:00 2001
From: Mathieu Martin <mathieu.martin@elastic.co>
Date: Wed, 4 Nov 2020 15:20:09 -0500
Subject: [PATCH 33/90] [1.x] Prepare link to Logs docs changing with the 7.10
 release in "getting-started" (#1073) (#1079)

Co-authored-by: EamonnTP <Eamonn.Smith@elastic.co>
---
 docs/using-getting-started.asciidoc | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/docs/using-getting-started.asciidoc b/docs/using-getting-started.asciidoc
index 8e322d7428..c81521a783 100644
--- a/docs/using-getting-started.asciidoc
+++ b/docs/using-getting-started.asciidoc
@@ -285,5 +285,10 @@ Here are some examples of additional fields processed by metadata or parser proc
 We've covered at a high level how to map your events to ECS. Now if you'd like your events to render well in the Elastic
 solutions, check out the reference guides below to learn more about each:
 
-* {logs-guide}/logs-fields-reference.html[Logs Monitoring Field Reference]
+ifeval::["{branch}"=="7.9"]
+* {logs-guide}/logs-fields-reference.html[Log Monitoring Field Reference]
+endif::[]
+ifeval::["{branch}"!="7.9"]
+* {observability-guide}/logs-app-fields.html[Log Monitoring Field Reference]
+endif::[]
 * {security-guide}/siem-field-reference.html[Elastic Security Field Reference]

From 7bad0b05ba160af02874651c0a94c7bdcefdc06f Mon Sep 17 00:00:00 2001
From: Mathieu Martin <mathieu.martin@elastic.co>
Date: Wed, 4 Nov 2020 15:21:08 -0500
Subject: [PATCH 34/90] [1.x] Prepare link to Logs docs changing with the 7.10
 release in "products-solutions" page (#1074) (#1083)

Co-authored-by: EamonnTP <Eamonn.Smith@elastic.co>
---
 docs/products-solutions.asciidoc | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/docs/products-solutions.asciidoc b/docs/products-solutions.asciidoc
index a8fca573cd..945653779f 100644
--- a/docs/products-solutions.asciidoc
+++ b/docs/products-solutions.asciidoc
@@ -9,10 +9,14 @@ The following Elastic products support ECS out of the box, as of version 7.0:
 ** {security-guide}/siem-field-reference.html[Elastic Security Field Reference] - a list of ECS fields used in the SIEM app
 * https://www.elastic.co/products/endpoint-security[Elastic Endpoint Security
 Server]
-* {logs-guide}/logs-app-overview.html[Logs Monitoring]
+ifeval::["{branch}"=="7.9"]
+* {logs-guide}/logs-app-overview.html[Log Monitoring]
+endif::[]
+ifeval::["{branch}"!="7.9"]
+* {observability-guide}/monitor-logs.html[Log Monitoring]
+endif::[]
 * Log formatters that support ECS out of the box for various languages can be found
   https://github.com/elastic/ecs-logging/blob/master/README.md[here].
 
 // TODO Insert community & partner solutions here
 
-

From b4bbe72d5a3c06b25e2764a31f0df7d5aac9cb94 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Wed, 4 Nov 2020 15:58:23 -0600
Subject: [PATCH 35/90] [1.x] Add event.category session. (#1049) (#1093)

Co-authored-by: Mathieu Martin <mathieu.martin@elastic.co>
---
 CHANGELOG.next.md                         |  2 ++
 docs/field-details.asciidoc               |  2 +-
 docs/field-values.asciidoc                | 13 +++++++++++++
 experimental/generated/ecs/ecs_flat.yml   | 10 ++++++++++
 experimental/generated/ecs/ecs_nested.yml | 10 ++++++++++
 generated/ecs/ecs_flat.yml                | 10 ++++++++++
 generated/ecs/ecs_nested.yml              | 10 ++++++++++
 schemas/event.yml                         |  9 +++++++++
 8 files changed, 65 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 78dad60ec5..099d9a5037 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -10,6 +10,8 @@ Thanks, you're awesome :-) -->
 
 ### Schema Changes
 
+* Added `event.category` "session". #1049
+
 #### Breaking changes
 
 #### Bugfixes
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index f961b6fa89..a89a0bf6e1 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -1597,7 +1597,7 @@ Note: this field should contain an array of values.
 
 *Important*: The field value must be one of the following:
 
-authentication, configuration, database, driver, file, host, iam, intrusion_detection, malware, network, package, process, web
+authentication, configuration, database, driver, file, host, iam, intrusion_detection, malware, network, package, process, session, web
 
 To learn more about when to use which value, visit the page
 <<ecs-allowed-values-event-category,allowed values for event.category>>
diff --git a/docs/field-values.asciidoc b/docs/field-values.asciidoc
index 1ef4b8e072..653b031cc2 100644
--- a/docs/field-values.asciidoc
+++ b/docs/field-values.asciidoc
@@ -144,6 +144,7 @@ that will require subsequent breaking changes.
 * <<ecs-event-category-network,network>>
 * <<ecs-event-category-package,package>>
 * <<ecs-event-category-process,process>>
+* <<ecs-event-category-session,session>>
 * <<ecs-event-category-web,web>>
 
 [float]
@@ -298,6 +299,18 @@ Use this category of events to visualize and analyze process-specific informatio
 access, change, end, info, start
 
 
+[float]
+[[ecs-event-category-session]]
+==== session
+
+The session category is applied to events and metrics regarding logical persistent connections to hosts and services. Use this category to visualize and analyze interactive or automated persistent connections between assets. Data for this category may come from Windows Event logs, SSH logs, or stateless sessions such as HTTP cookie-based sessions, etc.
+
+
+*Expected event types for category session:*
+
+start, end, info
+
+
 [float]
 [[ecs-event-category-web]]
 ==== web
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index 13a7c32325..28898f42e2 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -1774,6 +1774,16 @@ event.category:
     - info
     - start
     name: process
+  - description: The session category is applied to events and metrics regarding logical
+      persistent connections to hosts and services. Use this category to visualize
+      and analyze interactive or automated persistent connections between assets.
+      Data for this category may come from Windows Event logs, SSH logs, or stateless
+      sessions such as HTTP cookie-based sessions, etc.
+    expected_event_types:
+    - start
+    - end
+    - info
+    name: session
   - description: 'Relating to web server access. Use this category to create a dashboard
       of web server/proxy activity from apache, IIS, nginx web servers, etc. Note:
       events from network observers such as Zeek http log may also be included in
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index bfb2df366d..f17cc20d19 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -2168,6 +2168,16 @@ event:
         - info
         - start
         name: process
+      - description: The session category is applied to events and metrics regarding
+          logical persistent connections to hosts and services. Use this category
+          to visualize and analyze interactive or automated persistent connections
+          between assets. Data for this category may come from Windows Event logs,
+          SSH logs, or stateless sessions such as HTTP cookie-based sessions, etc.
+        expected_event_types:
+        - start
+        - end
+        - info
+        name: session
       - description: 'Relating to web server access. Use this category to create a
           dashboard of web server/proxy activity from apache, IIS, nginx web servers,
           etc. Note: events from network observers such as Zeek http log may also
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index 81a1ee4950..d085df9e87 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -1814,6 +1814,16 @@ event.category:
     - info
     - start
     name: process
+  - description: The session category is applied to events and metrics regarding logical
+      persistent connections to hosts and services. Use this category to visualize
+      and analyze interactive or automated persistent connections between assets.
+      Data for this category may come from Windows Event logs, SSH logs, or stateless
+      sessions such as HTTP cookie-based sessions, etc.
+    expected_event_types:
+    - start
+    - end
+    - info
+    name: session
   - description: 'Relating to web server access. Use this category to create a dashboard
       of web server/proxy activity from apache, IIS, nginx web servers, etc. Note:
       events from network observers such as Zeek http log may also be included in
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index 1ca8779d5e..3bb3ce663b 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -2209,6 +2209,16 @@ event:
         - info
         - start
         name: process
+      - description: The session category is applied to events and metrics regarding
+          logical persistent connections to hosts and services. Use this category
+          to visualize and analyze interactive or automated persistent connections
+          between assets. Data for this category may come from Windows Event logs,
+          SSH logs, or stateless sessions such as HTTP cookie-based sessions, etc.
+        expected_event_types:
+        - start
+        - end
+        - info
+        name: session
       - description: 'Relating to web server access. Use this category to create a
           dashboard of web server/proxy activity from apache, IIS, nginx web servers,
           etc. Note: events from network observers such as Zeek http log may also
diff --git a/schemas/event.yml b/schemas/event.yml
index 6778790784..b4add99818 100644
--- a/schemas/event.yml
+++ b/schemas/event.yml
@@ -277,6 +277,15 @@
             - end
             - info
             - start
+        - name: session
+          description: >
+            The session category is applied to events and metrics regarding logical persistent connections to hosts and services.
+            Use this category to visualize and analyze interactive or automated persistent connections between assets.
+            Data for this category may come from Windows Event logs, SSH logs, or stateless sessions such as HTTP cookie-based sessions, etc.
+          expected_event_types:
+            - start
+            - end
+            - info
         - name: web
           description: >
             Relating to web server access. Use this category to create a dashboard of

From 46210a5b8c484ba28386047a7b6199898e929b15 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Wed, 4 Nov 2020 16:12:37 -0600
Subject: [PATCH 36/90] [1.x] Add event.category registry (#1040) (#1094)

Co-authored-by: Mathieu Martin <mathieu.martin@elastic.co>
---
 CHANGELOG.next.md                         |  5 +++--
 docs/field-details.asciidoc               |  2 +-
 docs/field-values.asciidoc                | 13 +++++++++++++
 experimental/generated/ecs/ecs_flat.yml   |  9 +++++++++
 experimental/generated/ecs/ecs_nested.yml |  9 +++++++++
 generated/ecs/ecs_flat.yml                |  9 +++++++++
 generated/ecs/ecs_nested.yml              |  9 +++++++++
 schemas/event.yml                         |  9 +++++++++
 8 files changed, 62 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 099d9a5037..bfd5ff6cc4 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -10,14 +10,15 @@ Thanks, you're awesome :-) -->
 
 ### Schema Changes
 
-* Added `event.category` "session". #1049
-
 #### Breaking changes
 
 #### Bugfixes
 
 #### Added
 
+* Added `event.category` "registry". #1040
+* Added `event.category` "session". #1049
+
 #### Improvements
 
 #### Deprecated
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index a89a0bf6e1..ddcb587a24 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -1597,7 +1597,7 @@ Note: this field should contain an array of values.
 
 *Important*: The field value must be one of the following:
 
-authentication, configuration, database, driver, file, host, iam, intrusion_detection, malware, network, package, process, session, web
+authentication, configuration, database, driver, file, host, iam, intrusion_detection, malware, network, package, process, registry, session, web
 
 To learn more about when to use which value, visit the page
 <<ecs-allowed-values-event-category,allowed values for event.category>>
diff --git a/docs/field-values.asciidoc b/docs/field-values.asciidoc
index 653b031cc2..6f3adc1c26 100644
--- a/docs/field-values.asciidoc
+++ b/docs/field-values.asciidoc
@@ -144,6 +144,7 @@ that will require subsequent breaking changes.
 * <<ecs-event-category-network,network>>
 * <<ecs-event-category-package,package>>
 * <<ecs-event-category-process,process>>
+* <<ecs-event-category-registry,registry>>
 * <<ecs-event-category-session,session>>
 * <<ecs-event-category-web,web>>
 
@@ -299,6 +300,18 @@ Use this category of events to visualize and analyze process-specific informatio
 access, change, end, info, start
 
 
+[float]
+[[ecs-event-category-registry]]
+==== registry
+
+Having to do with settings and assets stored in the Windows registry. Use this category to visualize and analyze activity such as registry access and modifications.
+
+
+*Expected event types for category registry:*
+
+access, change, creation, deletion
+
+
 [float]
 [[ecs-event-category-session]]
 ==== session
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index 28898f42e2..b07d2ba201 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -1774,6 +1774,15 @@ event.category:
     - info
     - start
     name: process
+  - description: Having to do with settings and assets stored in the Windows registry.
+      Use this category to visualize and analyze activity such as registry access
+      and modifications.
+    expected_event_types:
+    - access
+    - change
+    - creation
+    - deletion
+    name: registry
   - description: The session category is applied to events and metrics regarding logical
       persistent connections to hosts and services. Use this category to visualize
       and analyze interactive or automated persistent connections between assets.
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index f17cc20d19..ebd19083ed 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -2168,6 +2168,15 @@ event:
         - info
         - start
         name: process
+      - description: Having to do with settings and assets stored in the Windows registry.
+          Use this category to visualize and analyze activity such as registry access
+          and modifications.
+        expected_event_types:
+        - access
+        - change
+        - creation
+        - deletion
+        name: registry
       - description: The session category is applied to events and metrics regarding
           logical persistent connections to hosts and services. Use this category
           to visualize and analyze interactive or automated persistent connections
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index d085df9e87..9447fa982b 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -1814,6 +1814,15 @@ event.category:
     - info
     - start
     name: process
+  - description: Having to do with settings and assets stored in the Windows registry.
+      Use this category to visualize and analyze activity such as registry access
+      and modifications.
+    expected_event_types:
+    - access
+    - change
+    - creation
+    - deletion
+    name: registry
   - description: The session category is applied to events and metrics regarding logical
       persistent connections to hosts and services. Use this category to visualize
       and analyze interactive or automated persistent connections between assets.
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index 3bb3ce663b..ca9424eaed 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -2209,6 +2209,15 @@ event:
         - info
         - start
         name: process
+      - description: Having to do with settings and assets stored in the Windows registry.
+          Use this category to visualize and analyze activity such as registry access
+          and modifications.
+        expected_event_types:
+        - access
+        - change
+        - creation
+        - deletion
+        name: registry
       - description: The session category is applied to events and metrics regarding
           logical persistent connections to hosts and services. Use this category
           to visualize and analyze interactive or automated persistent connections
diff --git a/schemas/event.yml b/schemas/event.yml
index b4add99818..45128fcf4a 100644
--- a/schemas/event.yml
+++ b/schemas/event.yml
@@ -277,6 +277,15 @@
             - end
             - info
             - start
+        - name: registry
+          description: >
+            Having to do with settings and assets stored in the Windows registry.
+            Use this category to visualize and analyze activity such as registry access and modifications.
+          expected_event_types:
+            - access
+            - change
+            - creation
+            - deletion
         - name: session
           description: >
             The session category is applied to events and metrics regarding logical persistent connections to hosts and services.

From 1c457b56c6d8fd14b03168b5dae9261da80c8d0b Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Tue, 10 Nov 2020 09:15:51 -0600
Subject: [PATCH 37/90] [1.x] Add --ref support for experimental artifacts
 (#1063) (#1101)

Co-authored-by: Mathieu Martin <webmat@gmail.com>
---
 CHANGELOG.md                             |  1 +
 USAGE.md                                 | 18 +++++++-
 scripts/generator.py                     |  3 +-
 scripts/generators/ecs_helpers.py        |  8 ++++
 scripts/schema/loader.py                 | 26 +++++++++---
 scripts/tests/test_ecs_helpers.py        |  8 ++++
 scripts/tests/unit/test_schema_loader.py | 52 ++++++++++++++++++++++++
 7 files changed, 108 insertions(+), 8 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a1927875df..23f6728c36 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -51,6 +51,7 @@ All notable changes to this project will be documented in this file based on the
 
 * Field details Jinja2 template components have been consolidated into one template #897
 * Add `[discrete]` marker before each section header in field details. #989
+* `--ref` now loads `experimental/schemas` based on git ref in addition to `schemas`. #1063
 
 
 ## [1.6.0](https://github.com/elastic/ecs/compare/v1.5.0...v1.6.0)
diff --git a/USAGE.md b/USAGE.md
index cb0c49bf27..aadf24b526 100644
--- a/USAGE.md
+++ b/USAGE.md
@@ -188,6 +188,8 @@ And looking at a specific artifact, `../myprojects/out/generated/elasticsearch/7
 ...
 ```
 
+Include can be used together with the `--ref` flag to merge custom fields into a targeted ECS version. See [`Ref`](#ref).
+
 > NOTE: The `--include` mechanism will not validate custom YAML files prior to merging. This allows for modifying existing ECS fields in a custom schema without having to redefine all the mandatory field attributes.
 
 #### Subset
@@ -235,12 +237,26 @@ It's also possible to combine `--include` and `--subset` together! Do note that
 
 #### Ref
 
-The `--ref` argument allows for passing a specific `git` tag (e.g. `v.1.5.0`) or commit hash (`1454f8b`) that will be used to build ECS artifacts.
+The `--ref` argument allows for passing a specific `git` tag (e.g. `v1.5.0`) or commit hash (`1454f8b`) that will be used to build ECS artifacts.
 
 ```
 $ python scripts/generator.py --ref v1.5.0
 ```
 
+The `--ref` argument loads field definitions from the specified git reference (branch, tag, etc.) from directories [`./schemas`](./schemas) and [`./experimental/schemas`](./experimental/schemas) (when specified via `--include`).
+
+Here's another example loading both ECS fields and [experimental](experimental/README.md) changes *from branch "1.7"*, then adds custom fields on top.
+
+```
+$ python scripts/generator.py --ref 1.7 --include experimental/schemas ../myproject/fields/custom --out ../myproject/out
+```
+
+The command above will produce artifacts based on:
+
+* main ECS field definitions as of branch 1.7
+* experimental ECS changes as of branch 1.7
+* custom fields in `../myproject/fields/custom` as they are on the filesystem
+
 > Note: `--ref` does have a dependency on `git` being installed and all expected commits/tags fetched from the ECS upstream repo. This will unlikely be an issue unless you downloaded the ECS as a zip archive from GitHub vs. cloning it.
 
 #### Mapping & Template Settings
diff --git a/scripts/generator.py b/scripts/generator.py
index b6dcf05db9..0db252648d 100644
--- a/scripts/generator.py
+++ b/scripts/generator.py
@@ -63,7 +63,8 @@ def main():
 
 def argument_parser():
     parser = argparse.ArgumentParser()
-    parser.add_argument('--ref', action='store', help='git reference to use when building schemas')
+    parser.add_argument('--ref', action='store', help='Loads fields definitions from `./schemas` subdirectory from specified git reference. \
+                                                       Note that "--include experimental/schemas" will also respect this git ref.')
     parser.add_argument('--include', nargs='+',
                         help='include user specified directory of custom field definitions')
     parser.add_argument('--subset', nargs='+',
diff --git a/scripts/generators/ecs_helpers.py b/scripts/generators/ecs_helpers.py
index 2da446f3e3..801319854c 100644
--- a/scripts/generators/ecs_helpers.py
+++ b/scripts/generators/ecs_helpers.py
@@ -114,6 +114,14 @@ def get_tree_by_ref(ref):
     return commit.tree
 
 
+def path_exists_in_git_tree(tree, file_path):
+    try:
+        _ = tree[file_path]
+    except KeyError:
+        return False
+    return True
+
+
 def usage_doc_files():
     usage_docs_dir = os.path.join(os.path.dirname(__file__), '../../docs/usage')
     usage_docs_path = pathlib.Path(usage_docs_dir)
diff --git a/scripts/schema/loader.py b/scripts/schema/loader.py
index 16895babbe..e953834d97 100644
--- a/scripts/schema/loader.py
+++ b/scripts/schema/loader.py
@@ -51,9 +51,18 @@ def load_schemas(ref=None, included_files=[]):
         schema_files_raw = load_schema_files(ecs_helpers.ecs_files())
     fields = deep_nesting_representation(schema_files_raw)
 
-    # Custom additional files (never from git ref)
+    EXPERIMENTAL_SCHEMA_DIR = 'experimental/schemas'
+
+    # Custom additional files
     if included_files and len(included_files) > 0:
         print('Loading user defined schemas: {0}'.format(included_files))
+        # If --ref provided and --include loading experimental schemas
+        if ref and EXPERIMENTAL_SCHEMA_DIR in included_files:
+            exp_schema_files_raw = load_schemas_from_git(ref, target_dir=EXPERIMENTAL_SCHEMA_DIR)
+            exp_fields = deep_nesting_representation(exp_schema_files_raw)
+            fields = merge_fields(fields, exp_fields)
+            included_files.remove(EXPERIMENTAL_SCHEMA_DIR)
+        # Remaining additional custom files (never from git ref)
         custom_files = ecs_helpers.get_glob_files(included_files, ecs_helpers.YAML_EXT)
         custom_fields = deep_nesting_representation(load_schema_files(custom_files))
         fields = merge_fields(fields, custom_fields)
@@ -68,13 +77,18 @@ def load_schema_files(files):
     return fields_nested
 
 
-def load_schemas_from_git(ref):
+def load_schemas_from_git(ref, target_dir='schemas'):
     tree = ecs_helpers.get_tree_by_ref(ref)
     fields_nested = {}
-    for blob in tree['schemas'].blobs:
-        if blob.name.endswith('.yml'):
-            new_fields = read_schema_blob(blob, ref)
-            fields_nested = ecs_helpers.safe_merge_dicts(fields_nested, new_fields)
+
+    # Handles case if target dir doesn't exists in git ref
+    if ecs_helpers.path_exists_in_git_tree(tree, target_dir):
+        for blob in tree[target_dir].blobs:
+            if blob.name.endswith('.yml'):
+                new_fields = read_schema_blob(blob, ref)
+                fields_nested = ecs_helpers.safe_merge_dicts(fields_nested, new_fields)
+    else:
+        raise KeyError(f"Target directory './{target_dir}' not present in git ref '{ref}'!")
     return fields_nested
 
 
diff --git a/scripts/tests/test_ecs_helpers.py b/scripts/tests/test_ecs_helpers.py
index 2eb5ff0254..79b554ad95 100644
--- a/scripts/tests/test_ecs_helpers.py
+++ b/scripts/tests/test_ecs_helpers.py
@@ -99,11 +99,19 @@ def test_list_subtract(self):
         self.assertEqual(ecs_helpers.list_subtract(['a', 'b'], ['a']), ['b'])
         self.assertEqual(ecs_helpers.list_subtract(['a', 'b'], ['a', 'c']), ['b'])
 
+    # git helper tests
+
     def test_get_tree_by_ref(self):
         ref = 'v1.5.0'
         tree = ecs_helpers.get_tree_by_ref(ref)
         self.assertEqual(tree.hexsha, '4449df245f6930d59bcd537a5958891261a9476b')
 
+    def test_path_exists_in_git_tree(self):
+        ref = 'v1.6.0'
+        tree = ecs_helpers.get_tree_by_ref(ref)
+        self.assertFalse(ecs_helpers.path_exists_in_git_tree(tree, 'nonexistant'))
+        self.assertTrue(ecs_helpers.path_exists_in_git_tree(tree, 'schemas'))
+
 
 if __name__ == '__main__':
     unittest.main()
diff --git a/scripts/tests/unit/test_schema_loader.py b/scripts/tests/unit/test_schema_loader.py
index edd585c011..de3a718bd5 100644
--- a/scripts/tests/unit/test_schema_loader.py
+++ b/scripts/tests/unit/test_schema_loader.py
@@ -79,6 +79,21 @@ def test_load_schemas_no_custom(self):
             fields['process']['fields']['thread'].keys(),
             "Fields containing nested fields should at least have the 'fields' subkey")
 
+    def test_load_schemas_git_ref(self):
+        fields = loader.load_schemas(ref='v1.6.0')
+        self.assertEqual(
+            ['field_details', 'fields', 'schema_details'],
+            sorted(fields['process'].keys()),
+            "Schemas should have 'field_details', 'fields' and 'schema_details' subkeys")
+        self.assertEqual(
+            ['field_details'],
+            list(fields['process']['fields']['pid'].keys()),
+            "Leaf fields should have only the 'field_details' subkey")
+        self.assertIn(
+            'fields',
+            fields['process']['fields']['thread'].keys(),
+            "Fields containing nested fields should at least have the 'fields' subkey")
+
     @mock.patch('schema.loader.read_schema_file')
     def test_load_schemas_fail_on_accidental_fieldset_redefinition(self, mock_read_schema):
         mock_read_schema.side_effect = [
@@ -124,6 +139,43 @@ def test_nest_schema_raises_on_missing_schema_name(self):
         with self.assertRaisesRegex(ValueError, 'incomplete.yml'):
             loader.nest_schema([{'description': 'just a description'}], 'incomplete.yml')
 
+    def test_load_schemas_from_git(self):
+        fields = loader.load_schemas_from_git('v1.0.0', target_dir='schemas')
+        self.assertEqual(
+            ['agent',
+             'base',
+             'client',
+             'cloud',
+             'container',
+             'destination',
+             'ecs',
+             'error',
+             'event',
+             'file',
+             'geo',
+             'group',
+             'host',
+             'http',
+             'log',
+             'network',
+             'observer',
+             'organization',
+             'os',
+             'process',
+             'related',
+             'server',
+             'service',
+             'source',
+             'url',
+             'user',
+             'user_agent'],
+            sorted(fields.keys()),
+            "Raw schema fields should have expected fieldsets for v1.0.0")
+
+    def test_load_schemas_from_git_missing_target_directory(self):
+        with self.assertRaisesRegex(KeyError, "not present in git ref 'v1.5.0'"):
+            loader.load_schemas_from_git('v1.5.0', target_dir='experimental')
+
     # nesting stuff
 
     def test_nest_fields(self):

From ec51a8d7c8805756f6c2eca8ffdc235156333504 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Tue, 10 Nov 2020 12:28:54 -0600
Subject: [PATCH 38/90] [1.x] Remove experimental event.original definition
 (#1053) (#1104)

---
 CHANGELOG.md                                         | 1 +
 experimental/generated/beats/fields.ecs.yml          | 3 ++-
 experimental/generated/csv/fields.csv                | 2 +-
 experimental/generated/ecs/ecs_flat.yml              | 3 ++-
 experimental/generated/ecs/ecs_nested.yml            | 3 ++-
 experimental/generated/elasticsearch/7/template.json | 3 ++-
 experimental/schemas/event.yml                       | 5 -----
 7 files changed, 10 insertions(+), 10 deletions(-)
 delete mode 100644 experimental/schemas/event.yml

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 23f6728c36..57c3f891d8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -36,6 +36,7 @@ All notable changes to this project will be documented in this file based on the
 #### Bugfixes
 
 * Addressed issue where foreign reuses weren't using the user-supplied `as` value for their destination. #960
+* Experimental artifacts failed to install due to `event.original` index setting. #1053
 
 #### Added
 
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index da99874ab5..cb8b834dd1 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -1317,7 +1317,8 @@
       example: apache
     - name: original
       level: core
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: 'Raw text message of entire event. Used to demonstrate log integrity.
 
         This field is not indexed and doc_values are disabled. It cannot be searched,
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
index 15b7de8404..95d72bce73 100644
--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -149,7 +149,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store.
 1.8.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy.
 1.8.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from.
-1.8.0-dev,false,event,event.original,wildcard,core,,Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124; worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event.
+1.8.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124; worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event.
 1.8.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy.
 1.8.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event.
 1.8.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source"
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index b07d2ba201..85fbad3e10 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -2038,12 +2038,13 @@ event.original:
   example: Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124;
     worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232
   flat_name: event.original
+  ignore_above: 1024
   index: false
   level: core
   name: original
   normalize: []
   short: Raw text message of entire event.
-  type: wildcard
+  type: keyword
 event.outcome:
   allowed_values:
   - description: Indicates that this event describes a failed result. A common example
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index ebd19083ed..1c6533c1a9 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -2436,12 +2436,13 @@ event:
       example: Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124;
         worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232
       flat_name: event.original
+      ignore_above: 1024
       index: false
       level: core
       name: original
       normalize: []
       short: Raw text message of entire event.
-      type: wildcard
+      type: keyword
     event.outcome:
       allowed_values:
       - description: Indicates that this event describes a failed result. A common
diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json
index a75360b36d..46d059dfd8 100644
--- a/experimental/generated/elasticsearch/7/template.json
+++ b/experimental/generated/elasticsearch/7/template.json
@@ -706,8 +706,9 @@
           },
           "original": {
             "doc_values": false,
+            "ignore_above": 1024,
             "index": false,
-            "type": "wildcard"
+            "type": "keyword"
           },
           "outcome": {
             "ignore_above": 1024,
diff --git a/experimental/schemas/event.yml b/experimental/schemas/event.yml
deleted file mode 100644
index 07daa3ac87..0000000000
--- a/experimental/schemas/event.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- name: event
-  fields:
-    - name: original
-      type: wildcard

From b91b60b1e72ce7cc1097fb5d9ad96ff2d03451c6 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Tue, 10 Nov 2020 13:40:19 -0600
Subject: [PATCH 39/90] [1.x] Add missing `process.thread.name` to experimental
 definitions (#1103) (#1106)

---
 CHANGELOG.md                                         | 4 ++--
 experimental/generated/beats/fields.ecs.yml          | 6 ++----
 experimental/generated/csv/fields.csv                | 4 ++--
 experimental/generated/ecs/ecs_flat.yml              | 6 ++----
 experimental/generated/ecs/ecs_nested.yml            | 6 ++----
 experimental/generated/elasticsearch/7/template.json | 6 ++----
 experimental/schemas/process.yml                     | 2 ++
 7 files changed, 14 insertions(+), 20 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 57c3f891d8..956b2a75b5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,8 @@ All notable changes to this project will be documented in this file based on the
 * Added network directions ingress and egress. #945
 * Added `threat.technique.subtechnique` to capture MITRE ATT&CK® subtechniques. #951
 * Added `configuration` as an allowed `event.category`. #963
+* Added a new directory with experimental artifacts, which includes all changes
+  from RFCs that have reached stage 2. #993, #1053
 
 #### Improvements
 
@@ -45,8 +47,6 @@ All notable changes to this project will be documented in this file based on the
 * Added `ignore_above` and `normalizer` support for keyword multi-fields. #971
 * Added ability to supply free-form usage documentation per fieldset. #988
 * Added `--oss` flag for users who want to generate ECS templates for use on OSS clusters. #991
-* Added a new directory with experimental artifacts, which includes all changes
-  from RFCs that have reached stage 2. #993
 
 #### Improvements
 
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index cb8b834dd1..26ec99ba27 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -3566,8 +3566,7 @@
       default_field: false
     - name: parent.thread.name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Thread name.
       example: thread-0
       default_field: false
@@ -3681,8 +3680,7 @@
       example: 4242
     - name: thread.name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Thread name.
       example: thread-0
     - name: title
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
index 95d72bce73..11c3aa4455 100644
--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -413,7 +413,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid.
 1.8.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
 1.8.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID.
-1.8.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name.
+1.8.0-dev,true,process,process.parent.thread.name,wildcard,extended,,thread-0,Thread name.
 1.8.0-dev,true,process,process.parent.title,wildcard,extended,,,Process title.
 1.8.0-dev,true,process,process.parent.title.text,text,extended,,,Process title.
 1.8.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up.
@@ -431,7 +431,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,process,process.ppid,long,extended,,4241,Parent process' pid.
 1.8.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
 1.8.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID.
-1.8.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name.
+1.8.0-dev,true,process,process.thread.name,wildcard,extended,,thread-0,Thread name.
 1.8.0-dev,true,process,process.title,wildcard,extended,,,Process title.
 1.8.0-dev,true,process,process.title.text,text,extended,,,Process title.
 1.8.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up.
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index 85fbad3e10..7a92b47716 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -5385,13 +5385,12 @@ process.parent.thread.name:
   description: Thread name.
   example: thread-0
   flat_name: process.parent.thread.name
-  ignore_above: 1024
   level: extended
   name: thread.name
   normalize: []
   original_fieldset: process
   short: Thread name.
-  type: keyword
+  type: wildcard
 process.parent.title:
   dashed_name: process-parent-title
   description: 'Process title.
@@ -5582,12 +5581,11 @@ process.thread.name:
   description: Thread name.
   example: thread-0
   flat_name: process.thread.name
-  ignore_above: 1024
   level: extended
   name: thread.name
   normalize: []
   short: Thread name.
-  type: keyword
+  type: wildcard
 process.title:
   dashed_name: process-title
   description: 'Process title.
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index 1c6533c1a9..da428dae70 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -6427,13 +6427,12 @@ process:
       description: Thread name.
       example: thread-0
       flat_name: process.parent.thread.name
-      ignore_above: 1024
       level: extended
       name: thread.name
       normalize: []
       original_fieldset: process
       short: Thread name.
-      type: keyword
+      type: wildcard
     process.parent.title:
       dashed_name: process-parent-title
       description: 'Process title.
@@ -6624,12 +6623,11 @@ process:
       description: Thread name.
       example: thread-0
       flat_name: process.thread.name
-      ignore_above: 1024
       level: extended
       name: thread.name
       normalize: []
       short: Thread name.
-      type: keyword
+      type: wildcard
     process.title:
       dashed_name: process-title
       description: 'Process title.
diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json
index 46d059dfd8..42f2f98039 100644
--- a/experimental/generated/elasticsearch/7/template.json
+++ b/experimental/generated/elasticsearch/7/template.json
@@ -1904,8 +1904,7 @@
                     "type": "long"
                   },
                   "name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
+                    "type": "wildcard"
                   }
                 }
               },
@@ -1981,8 +1980,7 @@
                 "type": "long"
               },
               "name": {
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               }
             }
           },
diff --git a/experimental/schemas/process.yml b/experimental/schemas/process.yml
index da492e4564..e759e97e86 100644
--- a/experimental/schemas/process.yml
+++ b/experimental/schemas/process.yml
@@ -7,6 +7,8 @@
       type: wildcard
     - name: name
       type: wildcard
+    - name: thread.name
+      type: wildcard
     - name: title
       type: wildcard
     - name: working_directory

From 08b63c3143e6d40f56218cc8303c7df9e3855349 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Thu, 12 Nov 2020 14:50:28 -0600
Subject: [PATCH 40/90] [1.x] Remove index parameter for wildcard fields
 (#1115) (#1119)

---
 CHANGELOG.md                                | 2 +-
 experimental/generated/beats/fields.ecs.yml | 1 -
 experimental/generated/ecs/ecs_flat.yml     | 1 -
 experimental/generated/ecs/ecs_nested.yml   | 1 -
 schemas/README.md                           | 5 +++--
 scripts/schema/cleaner.py                   | 3 +++
 scripts/tests/unit/test_schema_cleaner.py   | 4 ++++
 7 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 956b2a75b5..8e77fe6b0b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,7 +19,7 @@ All notable changes to this project will be documented in this file based on the
 * Added `threat.technique.subtechnique` to capture MITRE ATT&CK® subtechniques. #951
 * Added `configuration` as an allowed `event.category`. #963
 * Added a new directory with experimental artifacts, which includes all changes
-  from RFCs that have reached stage 2. #993, #1053
+  from RFCs that have reached stage 2. #993, #1053, #1115
 
 #### Improvements
 
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index 26ec99ba27..e94a371c98 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -1160,7 +1160,6 @@
         norms: false
         default_field: false
       description: The stack trace of this error in plain text.
-      index: true
     - name: type
       level: extended
       type: wildcard
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index 7a92b47716..3c14cf04a3 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -1599,7 +1599,6 @@ error.stack_trace:
   dashed_name: error-stack-trace
   description: The stack trace of this error in plain text.
   flat_name: error.stack_trace
-  index: true
   level: extended
   multi_fields:
   - flat_name: error.stack_trace.text
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index da428dae70..f7a2bc93ae 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -1971,7 +1971,6 @@ error:
       dashed_name: error-stack-trace
       description: The stack trace of this error in plain text.
       flat_name: error.stack_trace
-      index: true
       level: extended
       multi_fields:
       - flat_name: error.stack_trace.text
diff --git a/schemas/README.md b/schemas/README.md
index 88440c0354..39b18f4bd7 100644
--- a/schemas/README.md
+++ b/schemas/README.md
@@ -129,7 +129,8 @@ Supported keys to describe fields
   Example values that are composite types (array, object) should be quoted to avoid YAML interpretation
   in ECS-generated artifacts and other downstream projects depending on the schema.
 - multi\_fields (optional): Specify additional ways to index the field.
-- index (optional): If `False`, means field is not indexed (overrides type)
+- index (optional): If `False`, means field is not indexed (overrides type). This parameter has no effect
+  on a `wildcard` field.
 - format: Field format that can be used in a Kibana index template.
 - normalize: Normalization steps that should be applied at ingestion time. Supported values:
   - array: the content of the field should be an array (even when there's only one value).
@@ -151,7 +152,7 @@ Supported keys to describe expected values for a field
   Optionally, entries in this list can specify 'expected\_event\_types'.
 - expected\_event\_types: list of expected "event.type" values to use in association
   with that category.
-  
+
 Supported keys when using the [alias field type](https://www.elastic.co/guide/en/elasticsearch/reference/current/alias.html)
 
 ```YAML
diff --git a/scripts/schema/cleaner.py b/scripts/schema/cleaner.py
index ab3acfcaeb..185d0abedc 100644
--- a/scripts/schema/cleaner.py
+++ b/scripts/schema/cleaner.py
@@ -144,6 +144,9 @@ def field_or_multi_field_datatype_defaults(field_details):
         field_details.setdefault('ignore_above', 1024)
     if field_details['type'] == 'text':
         field_details.setdefault('norms', False)
+    # wildcard needs the index param stripped
+    if field_details['type'] == 'wildcard':
+        field_details.pop('index', None)
     if 'index' in field_details and not field_details['index']:
         field_details.setdefault('doc_values', False)
 
diff --git a/scripts/tests/unit/test_schema_cleaner.py b/scripts/tests/unit/test_schema_cleaner.py
index 13f78c4e91..bc3dbdc621 100644
--- a/scripts/tests/unit/test_schema_cleaner.py
+++ b/scripts/tests/unit/test_schema_cleaner.py
@@ -223,6 +223,10 @@ def test_field_defaults(self):
         cleaner.field_defaults({'field_details': field_details})
         self.assertEqual(field_details['doc_values'], False)
 
+        field_details = {**field_min_details, **{'type': 'wildcard', 'index': True}}
+        cleaner.field_defaults({'field_details': field_details})
+        self.assertNotIn('index', field_details)
+
     def test_field_defaults_dont_override(self):
         field_details = {
             'description': 'description',

From 16df1c6ac7a2c132c75c118d2214fc147d1cf0f7 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Thu, 12 Nov 2020 15:30:22 -0600
Subject: [PATCH 41/90] [1.x] Add dns.answer object into experimental schema
 (#1118) (#1121)

---
 CHANGELOG.md                                  |  2 +-
 experimental/generated/beats/fields.ecs.yml   | 13 +++++++++++++
 experimental/generated/csv/fields.csv         |  1 +
 experimental/generated/ecs/ecs_flat.yml       | 19 +++++++++++++++++++
 experimental/generated/ecs/ecs_nested.yml     | 19 +++++++++++++++++++
 .../generated/elasticsearch/7/template.json   |  3 ++-
 experimental/schemas/dns.yml                  |  2 ++
 7 files changed, 57 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8e77fe6b0b..fe5c780742 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,7 +19,7 @@ All notable changes to this project will be documented in this file based on the
 * Added `threat.technique.subtechnique` to capture MITRE ATT&CK® subtechniques. #951
 * Added `configuration` as an allowed `event.category`. #963
 * Added a new directory with experimental artifacts, which includes all changes
-  from RFCs that have reached stage 2. #993, #1053, #1115
+  from RFCs that have reached stage 2. #993, #1053, #1115, #1118
 
 #### Improvements
 
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index e94a371c98..121c8524c9 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -967,6 +967,19 @@
       (`dns.type:answer`).'
     type: group
     fields:
+    - name: answers
+      level: extended
+      type: object
+      description: 'An array containing an object for each answer section returned
+        by the server.
+
+        The main keys that should be present in these objects are defined by ECS.
+        Records that have more information may contain more keys than what ECS defines.
+
+        Not all DNS data sources give all details about DNS answers. At minimum, answer
+        objects must contain the `data` key. If more information is available, map
+        as much of it to ECS as possible, and add any additional fields to the answer
+        objects as custom fields.'
     - name: answers.class
       level: extended
       type: keyword
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
index 11c3aa4455..64d8bf60c3 100644
--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -113,6 +113,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
 1.8.0-dev,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
 1.8.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.8.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers.
 1.8.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record.
 1.8.0-dev,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource.
 1.8.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains.
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index 3c14cf04a3..e67d668343 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -1318,6 +1318,25 @@ dll.pe.product:
   original_fieldset: pe
   short: Internal product name of the file, provided at compile-time.
   type: keyword
+dns.answers:
+  dashed_name: dns-answers
+  description: 'An array containing an object for each answer section returned by
+    the server.
+
+    The main keys that should be present in these objects are defined by ECS. Records
+    that have more information may contain more keys than what ECS defines.
+
+    Not all DNS data sources give all details about DNS answers. At minimum, answer
+    objects must contain the `data` key. If more information is available, map as
+    much of it to ECS as possible, and add any additional fields to the answer objects
+    as custom fields.'
+  flat_name: dns.answers
+  level: extended
+  name: answers
+  normalize:
+  - array
+  short: Array of DNS answers.
+  type: object
 dns.answers.class:
   dashed_name: dns-answers-class
   description: The class of DNS data contained in this resource record.
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index f7a2bc93ae..7b14063c20 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -1667,6 +1667,25 @@ dns:
     (`dns.type:query`) or they should represent a full exchange and contain the query
     details as well as all of the answers that were provided for this query (`dns.type:answer`).'
   fields:
+    dns.answers:
+      dashed_name: dns-answers
+      description: 'An array containing an object for each answer section returned
+        by the server.
+
+        The main keys that should be present in these objects are defined by ECS.
+        Records that have more information may contain more keys than what ECS defines.
+
+        Not all DNS data sources give all details about DNS answers. At minimum, answer
+        objects must contain the `data` key. If more information is available, map
+        as much of it to ECS as possible, and add any additional fields to the answer
+        objects as custom fields.'
+      flat_name: dns.answers
+      level: extended
+      name: answers
+      normalize:
+      - array
+      short: Array of DNS answers.
+      type: object
     dns.answers.class:
       dashed_name: dns-answers-class
       description: The class of DNS data contained in this resource record.
diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json
index 42f2f98039..ce1fd20d23 100644
--- a/experimental/generated/elasticsearch/7/template.json
+++ b/experimental/generated/elasticsearch/7/template.json
@@ -568,7 +568,8 @@
                 "ignore_above": 1024,
                 "type": "keyword"
               }
-            }
+            },
+            "type": "object"
           },
           "header_flags": {
             "ignore_above": 1024,
diff --git a/experimental/schemas/dns.yml b/experimental/schemas/dns.yml
index 54f9ccd69a..466859c09f 100644
--- a/experimental/schemas/dns.yml
+++ b/experimental/schemas/dns.yml
@@ -3,5 +3,7 @@
   fields:
     - name: question.name
       type: wildcard
+    - name: answers
+      type: object
     - name: answers.data
       type: wildcard

From 1a83782481d45a8d1ceb8ae293db808addc54af8 Mon Sep 17 00:00:00 2001
From: Mathieu Martin <mathieu.martin@elastic.co>
Date: Thu, 12 Nov 2020 16:42:51 -0500
Subject: [PATCH 42/90] [1.x] Clarify x509 definition guidance for network
 events with only one cert (#1114) (#1123)

---
 CHANGELOG.md                                |  2 ++
 code/go/ecs/x509.go                         | 13 +++++++------
 docs/field-details.asciidoc                 |  6 +++++-
 experimental/generated/beats/fields.ecs.yml | 17 ++++++++++-------
 experimental/generated/ecs/ecs_nested.yml   | 16 +++++++++-------
 generated/beats/fields.ecs.yml              | 17 ++++++++++-------
 generated/ecs/ecs_nested.yml                | 16 +++++++++-------
 schemas/x509.yml                            | 10 ++++++----
 8 files changed, 58 insertions(+), 39 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index fe5c780742..8ab66b71dc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -27,6 +27,8 @@ All notable changes to this project will be documented in this file based on the
 * Provided better guidance for mapping network events. #969
 * Added the field `.subdomain` under `client`, `destination`, `server`, `source`
   and `url`, to match its presence at `dns.question.subdomain`. #981
+* Clarified ambiguity in guidance on how to use x509 fields for connections with
+  only one certificate. #1114
 
 ### Tooling and Artifact Changes
 
diff --git a/code/go/ecs/x509.go b/code/go/ecs/x509.go
index 99d916a641..d3509dda98 100644
--- a/code/go/ecs/x509.go
+++ b/code/go/ecs/x509.go
@@ -26,12 +26,13 @@ import (
 // This implements the common core fields for x509 certificates. This
 // information is likely logged with TLS sessions, digital signatures found in
 // executable binaries, S/MIME information in email bodies, or analysis of
-// files on disk. When only a single certificate is logged in an event, it
-// should be nested under `file`. When hashes of the DER-encoded certificate
-// are available, the `hash` data set should be populated as well (e.g.
-// `file.hash.sha256`). For events that contain certificate information for
-// both sides of the connection, the x509 object could be nested under the
-// respective side of the connection information (e.g. `tls.server.x509`).
+// files on disk.
+// When the certificate relates to a file, use the fields at `file.x509`. When
+// hashes of the DER-encoded certificate are available, the `hash` data set
+// should be populated as well (e.g. `file.hash.sha256`).
+// Events that contain certificate information about network connections,
+// should use the x509 fields under the relevant TLS fields: `tls.server.x509`
+// and/or `tls.client.x509`.
 type X509 struct {
 	// Version of x509 format.
 	VersionNumber string `ecs:"version_number"`
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index ddcb587a24..25f01313b3 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -6957,7 +6957,11 @@ example: `Critical`
 [[ecs-x509]]
 === x509 Certificate Fields
 
-This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When only a single certificate is logged in an event, it should be nested under `file`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For events that contain certificate information for both sides of the connection, the x509 object could be nested under the respective side of the connection information (e.g. `tls.server.x509`).
+This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk.
+
+When the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`).
+
+Events that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`.
 
 [discrete]
 ==== x509 Certificate Field Details
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index 121c8524c9..b04eb8a437 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -5895,15 +5895,18 @@
   - name: x509
     title: x509 Certificate
     group: 2
-    description: This implements the common core fields for x509 certificates. This
+    description: 'This implements the common core fields for x509 certificates. This
       information is likely logged with TLS sessions, digital signatures found in
       executable binaries, S/MIME information in email bodies, or analysis of files
-      on disk. When only a single certificate is logged in an event, it should be
-      nested under `file`. When hashes of the DER-encoded certificate are available,
-      the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For
-      events that contain certificate information for both sides of the connection,
-      the x509 object could be nested under the respective side of the connection
-      information (e.g. `tls.server.x509`).
+      on disk.
+
+      When the certificate relates to a file, use the fields at `file.x509`. When
+      hashes of the DER-encoded certificate are available, the `hash` data set should
+      be populated as well (e.g. `file.hash.sha256`).
+
+      Events that contain certificate information about network connections, should
+      use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or
+      `tls.client.x509`.'
     type: group
     fields:
     - name: alternative_names
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index 7b14063c20..57b2385bee 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -10393,14 +10393,16 @@ vulnerability:
   title: Vulnerability
   type: group
 x509:
-  description: This implements the common core fields for x509 certificates. This
+  description: 'This implements the common core fields for x509 certificates. This
     information is likely logged with TLS sessions, digital signatures found in executable
-    binaries, S/MIME information in email bodies, or analysis of files on disk. When
-    only a single certificate is logged in an event, it should be nested under `file`.
-    When hashes of the DER-encoded certificate are available, the `hash` data set
-    should be populated as well (e.g. `file.hash.sha256`). For events that contain
-    certificate information for both sides of the connection, the x509 object could
-    be nested under the respective side of the connection information (e.g. `tls.server.x509`).
+    binaries, S/MIME information in email bodies, or analysis of files on disk.
+
+    When the certificate relates to a file, use the fields at `file.x509`. When hashes
+    of the DER-encoded certificate are available, the `hash` data set should be populated
+    as well (e.g. `file.hash.sha256`).
+
+    Events that contain certificate information about network connections, should
+    use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`.'
   fields:
     x509.alternative_names:
       dashed_name: x509-alternative-names
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index e4b1f1bb45..f1e073d6b1 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -5765,15 +5765,18 @@
   - name: x509
     title: x509 Certificate
     group: 2
-    description: This implements the common core fields for x509 certificates. This
+    description: 'This implements the common core fields for x509 certificates. This
       information is likely logged with TLS sessions, digital signatures found in
       executable binaries, S/MIME information in email bodies, or analysis of files
-      on disk. When only a single certificate is logged in an event, it should be
-      nested under `file`. When hashes of the DER-encoded certificate are available,
-      the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For
-      events that contain certificate information for both sides of the connection,
-      the x509 object could be nested under the respective side of the connection
-      information (e.g. `tls.server.x509`).
+      on disk.
+
+      When the certificate relates to a file, use the fields at `file.x509`. When
+      hashes of the DER-encoded certificate are available, the `hash` data set should
+      be populated as well (e.g. `file.hash.sha256`).
+
+      Events that contain certificate information about network connections, should
+      use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or
+      `tls.client.x509`.'
     type: group
     fields:
     - name: alternative_names
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index ca9424eaed..f8b86c0ee0 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -10084,14 +10084,16 @@ vulnerability:
   title: Vulnerability
   type: group
 x509:
-  description: This implements the common core fields for x509 certificates. This
+  description: 'This implements the common core fields for x509 certificates. This
     information is likely logged with TLS sessions, digital signatures found in executable
-    binaries, S/MIME information in email bodies, or analysis of files on disk. When
-    only a single certificate is logged in an event, it should be nested under `file`.
-    When hashes of the DER-encoded certificate are available, the `hash` data set
-    should be populated as well (e.g. `file.hash.sha256`). For events that contain
-    certificate information for both sides of the connection, the x509 object could
-    be nested under the respective side of the connection information (e.g. `tls.server.x509`).
+    binaries, S/MIME information in email bodies, or analysis of files on disk.
+
+    When the certificate relates to a file, use the fields at `file.x509`. When hashes
+    of the DER-encoded certificate are available, the `hash` data set should be populated
+    as well (e.g. `file.hash.sha256`).
+
+    Events that contain certificate information about network connections, should
+    use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`.'
   fields:
     x509.alternative_names:
       dashed_name: x509-alternative-names
diff --git a/schemas/x509.yml b/schemas/x509.yml
index 06209dcbeb..124551c96c 100644
--- a/schemas/x509.yml
+++ b/schemas/x509.yml
@@ -6,10 +6,12 @@
   description: >
     This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions,
     digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk.
-    When only a single certificate is logged in an event, it should be nested under `file`. When hashes of the DER-encoded
-    certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For events that
-    contain certificate information for both sides of the connection, the x509 object could be nested under the respective
-    side of the connection information (e.g. `tls.server.x509`).
+
+    When the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded
+    certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`).
+
+    Events that contain certificate information about network connections, should use the x509 fields
+    under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`.
   type: group
   reusable:
     top_level: false

From 28a3a69f4e67ca01812c02a4fbb3b0a9bb3209ff Mon Sep 17 00:00:00 2001
From: Mathieu Martin <mathieu.martin@elastic.co>
Date: Thu, 12 Nov 2020 16:48:47 -0500
Subject: [PATCH 43/90] [1.x] Indicate when artifacts include experimental
 changes (#1117) (#1125)

---
 CHANGELOG.md                                  |    2 +-
 experimental/generated/beats/fields.ecs.yml   |    2 +-
 experimental/generated/csv/fields.csv         | 1440 ++++++++---------
 .../generated/elasticsearch/7/template.json   |    2 +-
 scripts/generator.py                          |    4 +
 scripts/schema/loader.py                      |    5 +-
 6 files changed, 730 insertions(+), 725 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8ab66b71dc..49e89c52b7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,7 +19,7 @@ All notable changes to this project will be documented in this file based on the
 * Added `threat.technique.subtechnique` to capture MITRE ATT&CK® subtechniques. #951
 * Added `configuration` as an allowed `event.category`. #963
 * Added a new directory with experimental artifacts, which includes all changes
-  from RFCs that have reached stage 2. #993, #1053, #1115, #1118
+  from RFCs that have reached stage 2. #993, #1053, #1115, #1117, #1118
 
 #### Improvements
 
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index b04eb8a437..e524abdb11 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -1,5 +1,5 @@
 # WARNING! Do not edit this file directly, it was generated by the ECS project,
-# based on ECS version 1.8.0-dev.
+# based on ECS version 1.8.0-dev+exp.
 # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields.
 
 - key: ecs
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
index 64d8bf60c3..c732a60600 100644
--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -1,721 +1,721 @@
 ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
-1.8.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated.
-1.8.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs.
-1.8.0-dev,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer.
-1.8.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event.
-1.8.0-dev,true,agent,agent.build.original,wildcard,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent.
-1.8.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent.
-1.8.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
-1.8.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
-1.8.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent.
-1.8.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
-1.8.0-dev,true,client,client.address,keyword,extended,,,Client network address.
-1.8.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.8.0-dev,true,client,client.as.organization.name,wildcard,extended,,Google LLC,Organization name.
-1.8.0-dev,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.8.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server.
-1.8.0-dev,true,client,client.domain,wildcard,core,,,Client domain.
-1.8.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name.
-1.8.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.8.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.8.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name.
-1.8.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.8.0-dev,true,client,client.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
-1.8.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.8.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name.
-1.8.0-dev,true,client,client.ip,ip,core,,,IP address of the client.
-1.8.0-dev,true,client,client.mac,keyword,core,,,MAC address of the client.
-1.8.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address
-1.8.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port
-1.8.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server.
-1.8.0-dev,true,client,client.port,long,core,,,Port of the client.
-1.8.0-dev,true,client,client.registered_domain,wildcard,extended,,example.com,"The highest registered client domain, stripped of the subdomain."
-1.8.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain.
-1.8.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.8.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev,true,client,client.user.email,wildcard,extended,,,User email address.
-1.8.0-dev,true,client,client.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.8.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.8.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group.
-1.8.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.8.0-dev,true,client,client.user.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,client,client.user.name,wildcard,core,,albert,Short name or login of the user.
-1.8.0-dev,true,client,client.user.name.text,text,core,,albert,Short name or login of the user.
-1.8.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.8.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id.
-1.8.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name.
-1.8.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running.
-1.8.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
-1.8.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine.
-1.8.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
-1.8.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id.
-1.8.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name.
-1.8.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider.
-1.8.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running.
-1.8.0-dev,true,container,container.id,keyword,core,,,Unique container id.
-1.8.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on.
-1.8.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags.
-1.8.0-dev,true,container,container.labels,object,extended,,,Image labels.
-1.8.0-dev,true,container,container.name,keyword,extended,,,Container name.
-1.8.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container.
-1.8.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address.
-1.8.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.8.0-dev,true,destination,destination.as.organization.name,wildcard,extended,,Google LLC,Organization name.
-1.8.0-dev,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.8.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source.
-1.8.0-dev,true,destination,destination.domain,wildcard,core,,,Destination domain.
-1.8.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name.
-1.8.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.8.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.8.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name.
-1.8.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.8.0-dev,true,destination,destination.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
-1.8.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.8.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name.
-1.8.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination.
-1.8.0-dev,true,destination,destination.mac,keyword,core,,,MAC address of the destination.
-1.8.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip
-1.8.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port
-1.8.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source.
-1.8.0-dev,true,destination,destination.port,long,core,,,Port of the destination.
-1.8.0-dev,true,destination,destination.registered_domain,wildcard,extended,,example.com,"The highest registered destination domain, stripped of the subdomain."
-1.8.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain.
-1.8.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.8.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev,true,destination,destination.user.email,wildcard,extended,,,User email address.
-1.8.0-dev,true,destination,destination.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.8.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.8.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group.
-1.8.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.8.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,destination,destination.user.name,wildcard,core,,albert,Short name or login of the user.
-1.8.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user.
-1.8.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.8.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-1.8.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-1.8.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-1.8.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-1.8.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.8.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash.
-1.8.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash.
-1.8.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash.
-1.8.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash.
-1.8.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library.
-1.8.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library.
-1.8.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-1.8.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-1.8.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-1.8.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-1.8.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.8.0-dev,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-1.8.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-1.8.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers.
-1.8.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record.
-1.8.0-dev,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource.
-1.8.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains.
-1.8.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded.
-1.8.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record.
-1.8.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags.
-1.8.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
-1.8.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message.
-1.8.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried.
-1.8.0-dev,true,dns,dns.question.name,wildcard,extended,,www.example.com,The name being queried.
-1.8.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain."
-1.8.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain.
-1.8.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.8.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried.
-1.8.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data
-1.8.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code.
-1.8.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer."
-1.8.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
-1.8.0-dev,true,error,error.code,keyword,core,,,Error code describing the error.
-1.8.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error.
-1.8.0-dev,true,error,error.message,text,core,,,Error message.
-1.8.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text.
-1.8.0-dev,true,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text.
-1.8.0-dev,true,error,error.type,wildcard,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception."
-1.8.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event.
-1.8.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy.
-1.8.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event.
-1.8.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline.
-1.8.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset.
-1.8.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds.
-1.8.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed.
-1.8.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
-1.8.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event.
-1.8.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store.
-1.8.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy.
-1.8.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from.
-1.8.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124; worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event.
-1.8.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy.
-1.8.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event.
-1.8.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source"
-1.8.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL
-1.8.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
-1.8.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100).
-1.8.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event.
-1.8.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event.
-1.8.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed.
-1.8.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone.
-1.8.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy.
-1.8.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL
-1.8.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed.
-1.8.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
-1.8.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-1.8.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-1.8.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-1.8.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-1.8.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.8.0-dev,true,file,file.created,date,extended,,,File creation time.
-1.8.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed.
-1.8.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file.
-1.8.0-dev,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located.
-1.8.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
-1.8.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
-1.8.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
-1.8.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file.
-1.8.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash.
-1.8.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash.
-1.8.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash.
-1.8.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash.
-1.8.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
-1.8.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
-1.8.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation.
-1.8.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified.
-1.8.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
-1.8.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username.
-1.8.0-dev,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name."
-1.8.0-dev,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
-1.8.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-1.8.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-1.8.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-1.8.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-1.8.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.8.0-dev,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-1.8.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-1.8.0-dev,true,file,file.size,long,extended,,16384,File size in bytes.
-1.8.0-dev,true,file,file.target_path,wildcard,extended,,,Target path for symlinks.
-1.8.0-dev,true,file,file.target_path.text,text,extended,,,Target path for symlinks.
-1.8.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
-1.8.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
-1.8.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
-1.8.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
-1.8.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-1.8.0-dev,true,file,file.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
-1.8.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
-1.8.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
-1.8.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
-1.8.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.8.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
-1.8.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
-1.8.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
-1.8.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-1.8.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
-1.8.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
-1.8.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
-1.8.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
-1.8.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
-1.8.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code
-1.8.0-dev,true,file,file.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
-1.8.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
-1.8.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
-1.8.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
-1.8.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.8.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format.
-1.8.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.8.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.8.0-dev,true,group,group.name,keyword,extended,,,Name of the group.
-1.8.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture.
-1.8.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of.
-1.8.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name.
-1.8.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.8.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.8.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name.
-1.8.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.8.0-dev,true,host,host.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
-1.8.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.8.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name.
-1.8.0-dev,true,host,host.hostname,wildcard,core,,,Hostname of the host.
-1.8.0-dev,true,host,host.id,keyword,core,,,Unique host id.
-1.8.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses.
-1.8.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses.
-1.8.0-dev,true,host,host.name,keyword,core,,,Name of the host.
-1.8.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.8.0-dev,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.8.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.8.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.8.0-dev,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
-1.8.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
-1.8.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
-1.8.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
-1.8.0-dev,true,host,host.type,keyword,core,,,Type of host.
-1.8.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up.
-1.8.0-dev,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev,true,host,host.user.email,wildcard,extended,,,User email address.
-1.8.0-dev,true,host,host.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.8.0-dev,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.8.0-dev,true,host,host.user.group.name,keyword,extended,,,Name of the group.
-1.8.0-dev,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.8.0-dev,true,host,host.user.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,host,host.user.name,wildcard,core,,albert,Short name or login of the user.
-1.8.0-dev,true,host,host.user.name.text,text,core,,albert,Short name or login of the user.
-1.8.0-dev,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.8.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body.
-1.8.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body.
-1.8.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body.
-1.8.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers).
-1.8.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method.
-1.8.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request.
-1.8.0-dev,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request.
-1.8.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body.
-1.8.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body.
-1.8.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body.
-1.8.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers).
-1.8.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response.
-1.8.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code.
-1.8.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version.
-1.8.0-dev,true,log,log.file.path,wildcard,extended,,/var/log/fun-times.log,Full path to the log file this event came from.
-1.8.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event.
-1.8.0-dev,true,log,log.logger,wildcard,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger.
-1.8.0-dev,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event.
-1.8.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event.
-1.8.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event.
-1.8.0-dev,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)."
-1.8.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata
-1.8.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event.
-1.8.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event.
-1.8.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event.
-1.8.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event.
-1.8.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event.
-1.8.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name.
-1.8.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions.
-1.8.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports.
-1.8.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic.
-1.8.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy.
-1.8.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number.
-1.8.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information
-1.8.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-1.8.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-1.8.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network.
-1.8.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions.
-1.8.0-dev,true,network,network.protocol,keyword,core,,http,L7 Network protocol name.
-1.8.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`.
-1.8.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc"
-1.8.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-1.8.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-1.8.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information
-1.8.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias
-1.8.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID
-1.8.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name
-1.8.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-1.8.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-1.8.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone
-1.8.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name.
-1.8.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.8.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.8.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name.
-1.8.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.8.0-dev,true,observer,observer.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
-1.8.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.8.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name.
-1.8.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer.
-1.8.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information
-1.8.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias
-1.8.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID
-1.8.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name
-1.8.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-1.8.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-1.8.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone
-1.8.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer.
-1.8.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer
-1.8.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer.
-1.8.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.8.0-dev,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.8.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.8.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.8.0-dev,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
-1.8.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
-1.8.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
-1.8.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
-1.8.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer.
-1.8.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number.
-1.8.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from.
-1.8.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer.
-1.8.0-dev,true,observer,observer.version,keyword,core,,,Observer version.
-1.8.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization.
-1.8.0-dev,true,organization,organization.name,wildcard,extended,,,Organization name.
-1.8.0-dev,true,organization,organization.name.text,text,extended,,,Organization name.
-1.8.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture.
-1.8.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information
-1.8.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification.
-1.8.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package.
-1.8.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global."
-1.8.0-dev,true,package,package.installed,date,extended,,,Time when package was installed.
-1.8.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license
-1.8.0-dev,true,package,package.name,keyword,extended,,go,Package name
-1.8.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed.
-1.8.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL
-1.8.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes.
-1.8.0-dev,true,package,package.type,keyword,extended,,rpm,Package type
-1.8.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version
-1.8.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
-1.8.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array.
-1.8.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-1.8.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-1.8.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-1.8.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-1.8.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.8.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-1.8.0-dev,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-1.8.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-1.8.0-dev,true,process,process.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable.
-1.8.0-dev,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
-1.8.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process.
-1.8.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash.
-1.8.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash.
-1.8.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash.
-1.8.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash.
-1.8.0-dev,true,process,process.name,wildcard,extended,,ssh,Process name.
-1.8.0-dev,true,process,process.name.text,text,extended,,ssh,Process name.
-1.8.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
-1.8.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
-1.8.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-1.8.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-1.8.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-1.8.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-1.8.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.8.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-1.8.0-dev,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-1.8.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-1.8.0-dev,true,process,process.parent.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable.
-1.8.0-dev,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
-1.8.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process.
-1.8.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash.
-1.8.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash.
-1.8.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash.
-1.8.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash.
-1.8.0-dev,true,process,process.parent.name,wildcard,extended,,ssh,Process name.
-1.8.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name.
-1.8.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-1.8.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-1.8.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-1.8.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-1.8.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.8.0-dev,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-1.8.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-1.8.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
-1.8.0-dev,true,process,process.parent.pid,long,core,,4242,Process id.
-1.8.0-dev,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid.
-1.8.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
-1.8.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID.
-1.8.0-dev,true,process,process.parent.thread.name,wildcard,extended,,thread-0,Thread name.
-1.8.0-dev,true,process,process.parent.title,wildcard,extended,,,Process title.
-1.8.0-dev,true,process,process.parent.title.text,text,extended,,,Process title.
-1.8.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up.
-1.8.0-dev,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process.
-1.8.0-dev,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process.
-1.8.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-1.8.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-1.8.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-1.8.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-1.8.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.8.0-dev,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-1.8.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-1.8.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
-1.8.0-dev,true,process,process.pid,long,core,,4242,Process id.
-1.8.0-dev,true,process,process.ppid,long,extended,,4241,Parent process' pid.
-1.8.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
-1.8.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID.
-1.8.0-dev,true,process,process.thread.name,wildcard,extended,,thread-0,Thread name.
-1.8.0-dev,true,process,process.title,wildcard,extended,,,Process title.
-1.8.0-dev,true,process,process.title.text,text,extended,,,Process title.
-1.8.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up.
-1.8.0-dev,true,process,process.working_directory,wildcard,extended,,/home/alice,The working directory of the process.
-1.8.0-dev,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process.
-1.8.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
-1.8.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
-1.8.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
-1.8.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
-1.8.0-dev,true,registry,registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
-1.8.0-dev,true,registry,registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
-1.8.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written.
-1.8.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event.
-1.8.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event.
-1.8.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event.
-1.8.0-dev,true,related,related.user,keyword,extended,array,,All the user names seen on your event.
-1.8.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author
-1.8.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category
-1.8.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description
-1.8.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID
-1.8.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license
-1.8.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name
-1.8.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL
-1.8.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset
-1.8.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID
-1.8.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version
-1.8.0-dev,true,server,server.address,keyword,extended,,,Server network address.
-1.8.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.8.0-dev,true,server,server.as.organization.name,wildcard,extended,,Google LLC,Organization name.
-1.8.0-dev,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.8.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client.
-1.8.0-dev,true,server,server.domain,wildcard,core,,,Server domain.
-1.8.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name.
-1.8.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.8.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.8.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name.
-1.8.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.8.0-dev,true,server,server.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
-1.8.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.8.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name.
-1.8.0-dev,true,server,server.ip,ip,core,,,IP address of the server.
-1.8.0-dev,true,server,server.mac,keyword,core,,,MAC address of the server.
-1.8.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip
-1.8.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port
-1.8.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client.
-1.8.0-dev,true,server,server.port,long,core,,,Port of the server.
-1.8.0-dev,true,server,server.registered_domain,wildcard,extended,,example.com,"The highest registered server domain, stripped of the subdomain."
-1.8.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain.
-1.8.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.8.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev,true,server,server.user.email,wildcard,extended,,,User email address.
-1.8.0-dev,true,server,server.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.8.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.8.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group.
-1.8.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.8.0-dev,true,server,server.user.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,server,server.user.name,wildcard,core,,albert,Short name or login of the user.
-1.8.0-dev,true,server,server.user.name.text,text,core,,albert,Short name or login of the user.
-1.8.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.8.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
-1.8.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
-1.8.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service.
-1.8.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node.
-1.8.0-dev,true,service,service.state,keyword,core,,,Current state of the service.
-1.8.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service.
-1.8.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service.
-1.8.0-dev,true,source,source.address,keyword,extended,,,Source network address.
-1.8.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.8.0-dev,true,source,source.as.organization.name,wildcard,extended,,Google LLC,Organization name.
-1.8.0-dev,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.8.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination.
-1.8.0-dev,true,source,source.domain,wildcard,core,,,Source domain.
-1.8.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name.
-1.8.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.8.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.8.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name.
-1.8.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.8.0-dev,true,source,source.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
-1.8.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.8.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name.
-1.8.0-dev,true,source,source.ip,ip,core,,,IP address of the source.
-1.8.0-dev,true,source,source.mac,keyword,core,,,MAC address of the source.
-1.8.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip
-1.8.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port
-1.8.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination.
-1.8.0-dev,true,source,source.port,long,core,,,Port of the source.
-1.8.0-dev,true,source,source.registered_domain,wildcard,extended,,example.com,"The highest registered source domain, stripped of the subdomain."
-1.8.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain.
-1.8.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.8.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev,true,source,source.user.email,wildcard,extended,,,User email address.
-1.8.0-dev,true,source,source.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.8.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.8.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group.
-1.8.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.8.0-dev,true,source,source.user.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,source,source.user.name,wildcard,core,,albert,Short name or login of the user.
-1.8.0-dev,true,source,source.user.name.text,text,core,,albert,Short name or login of the user.
-1.8.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.8.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace.
-1.8.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework.
-1.8.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id.
-1.8.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic.
-1.8.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference.
-1.8.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id.
-1.8.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name.
-1.8.0-dev,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name.
-1.8.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference.
-1.8.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id.
-1.8.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name.
-1.8.0-dev,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name.
-1.8.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference.
-1.8.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection.
-1.8.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client.
-1.8.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client.
-1.8.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client.
-1.8.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client.
-1.8.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client.
-1.8.0-dev,true,tls,tls.client.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
-1.8.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake.
-1.8.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid.
-1.8.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid.
-1.8.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI.
-1.8.0-dev,true,tls,tls.client.subject,wildcard,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client.
-1.8.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello.
-1.8.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
-1.8.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
-1.8.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-1.8.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
-1.8.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
-1.8.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
-1.8.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
-1.8.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.8.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
-1.8.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
-1.8.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
-1.8.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-1.8.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
-1.8.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
-1.8.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
-1.8.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
-1.8.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
-1.8.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code
-1.8.0-dev,true,tls,tls.client.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
-1.8.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
-1.8.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
-1.8.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
-1.8.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.8.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format.
-1.8.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable."
-1.8.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
-1.8.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled.
-1.8.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
-1.8.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server.
-1.8.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server.
-1.8.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server.
-1.8.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server.
-1.8.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server.
-1.8.0-dev,true,tls,tls.server.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server.
-1.8.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake.
-1.8.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid.
-1.8.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid.
-1.8.0-dev,true,tls,tls.server.subject,wildcard,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server.
-1.8.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
-1.8.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
-1.8.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-1.8.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
-1.8.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
-1.8.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
-1.8.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
-1.8.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.8.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
-1.8.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
-1.8.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
-1.8.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-1.8.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
-1.8.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
-1.8.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
-1.8.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
-1.8.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
-1.8.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code
-1.8.0-dev,true,tls,tls.server.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
-1.8.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
-1.8.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
-1.8.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
-1.8.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.8.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format.
-1.8.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string.
-1.8.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string.
-1.8.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace.
-1.8.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace.
-1.8.0-dev,true,url,url.domain,wildcard,extended,,www.elastic.co,Domain of the url.
-1.8.0-dev,true,url,url.extension,keyword,extended,,png,File extension from the original request url.
-1.8.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`.
-1.8.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-1.8.0-dev,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-1.8.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
-1.8.0-dev,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
-1.8.0-dev,true,url,url.password,keyword,extended,,,Password of the request.
-1.8.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
-1.8.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443."
-1.8.0-dev,true,url,url.query,keyword,extended,,,Query string of the request.
-1.8.0-dev,true,url,url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
-1.8.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url.
-1.8.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain.
-1.8.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.8.0-dev,true,url,url.username,keyword,extended,,,Username of the request.
-1.8.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev,true,user,user.changes.email,wildcard,extended,,,User email address.
-1.8.0-dev,true,user,user.changes.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.8.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.8.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group.
-1.8.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.8.0-dev,true,user,user.changes.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,user,user.changes.name,wildcard,core,,albert,Short name or login of the user.
-1.8.0-dev,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user.
-1.8.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.8.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev,true,user,user.effective.email,wildcard,extended,,,User email address.
-1.8.0-dev,true,user,user.effective.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.8.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.8.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group.
-1.8.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.8.0-dev,true,user,user.effective.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,user,user.effective.name,wildcard,core,,albert,Short name or login of the user.
-1.8.0-dev,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user.
-1.8.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.8.0-dev,true,user,user.email,wildcard,extended,,,User email address.
-1.8.0-dev,true,user,user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.8.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.8.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group.
-1.8.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.8.0-dev,true,user,user.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,user,user.name,wildcard,core,,albert,Short name or login of the user.
-1.8.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user.
-1.8.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.8.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev,true,user,user.target.email,wildcard,extended,,,User email address.
-1.8.0-dev,true,user,user.target.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.8.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.8.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group.
-1.8.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.8.0-dev,true,user,user.target.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,user,user.target.name,wildcard,core,,albert,Short name or login of the user.
-1.8.0-dev,true,user,user.target.name.text,text,core,,albert,Short name or login of the user.
-1.8.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.8.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device.
-1.8.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
-1.8.0-dev,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
-1.8.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
-1.8.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.8.0-dev,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.8.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.8.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.8.0-dev,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
-1.8.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
-1.8.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
-1.8.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
-1.8.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent.
-1.8.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability.
-1.8.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability.
-1.8.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
-1.8.0-dev,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
-1.8.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability.
-1.8.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability.
-1.8.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability.
-1.8.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number.
-1.8.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor.
-1.8.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score.
-1.8.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score.
-1.8.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score.
-1.8.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version.
-1.8.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability.
+1.8.0-dev+exp,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated.
+1.8.0-dev+exp,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs.
+1.8.0-dev+exp,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer.
+1.8.0-dev+exp,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event.
+1.8.0-dev+exp,true,agent,agent.build.original,wildcard,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent.
+1.8.0-dev+exp,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent.
+1.8.0-dev+exp,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
+1.8.0-dev+exp,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
+1.8.0-dev+exp,true,agent,agent.type,keyword,core,,filebeat,Type of the agent.
+1.8.0-dev+exp,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
+1.8.0-dev+exp,true,client,client.address,keyword,extended,,,Client network address.
+1.8.0-dev+exp,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.8.0-dev+exp,true,client,client.as.organization.name,wildcard,extended,,Google LLC,Organization name.
+1.8.0-dev+exp,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.8.0-dev+exp,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server.
+1.8.0-dev+exp,true,client,client.domain,wildcard,core,,,Client domain.
+1.8.0-dev+exp,true,client,client.geo.city_name,keyword,core,,Montreal,City name.
+1.8.0-dev+exp,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.8.0-dev+exp,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.8.0-dev+exp,true,client,client.geo.country_name,keyword,core,,Canada,Country name.
+1.8.0-dev+exp,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.8.0-dev+exp,true,client,client.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.8.0-dev+exp,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.8.0-dev+exp,true,client,client.geo.region_name,keyword,core,,Quebec,Region name.
+1.8.0-dev+exp,true,client,client.ip,ip,core,,,IP address of the client.
+1.8.0-dev+exp,true,client,client.mac,keyword,core,,,MAC address of the client.
+1.8.0-dev+exp,true,client,client.nat.ip,ip,extended,,,Client NAT ip address
+1.8.0-dev+exp,true,client,client.nat.port,long,extended,,,Client NAT port
+1.8.0-dev+exp,true,client,client.packets,long,core,,12,Packets sent from the client to the server.
+1.8.0-dev+exp,true,client,client.port,long,core,,,Port of the client.
+1.8.0-dev+exp,true,client,client.registered_domain,wildcard,extended,,example.com,"The highest registered client domain, stripped of the subdomain."
+1.8.0-dev+exp,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.8.0-dev+exp,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.8.0-dev+exp,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.8.0-dev+exp,true,client,client.user.email,wildcard,extended,,,User email address.
+1.8.0-dev+exp,true,client,client.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev+exp,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev+exp,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.8.0-dev+exp,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.8.0-dev+exp,true,client,client.user.group.name,keyword,extended,,,Name of the group.
+1.8.0-dev+exp,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.8.0-dev+exp,true,client,client.user.id,keyword,core,,,Unique identifier of the user.
+1.8.0-dev+exp,true,client,client.user.name,wildcard,core,,albert,Short name or login of the user.
+1.8.0-dev+exp,true,client,client.user.name.text,text,core,,albert,Short name or login of the user.
+1.8.0-dev+exp,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.8.0-dev+exp,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id.
+1.8.0-dev+exp,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name.
+1.8.0-dev+exp,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running.
+1.8.0-dev+exp,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
+1.8.0-dev+exp,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine.
+1.8.0-dev+exp,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
+1.8.0-dev+exp,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id.
+1.8.0-dev+exp,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name.
+1.8.0-dev+exp,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider.
+1.8.0-dev+exp,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running.
+1.8.0-dev+exp,true,container,container.id,keyword,core,,,Unique container id.
+1.8.0-dev+exp,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on.
+1.8.0-dev+exp,true,container,container.image.tag,keyword,extended,array,,Container image tags.
+1.8.0-dev+exp,true,container,container.labels,object,extended,,,Image labels.
+1.8.0-dev+exp,true,container,container.name,keyword,extended,,,Container name.
+1.8.0-dev+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container.
+1.8.0-dev+exp,true,destination,destination.address,keyword,extended,,,Destination network address.
+1.8.0-dev+exp,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.8.0-dev+exp,true,destination,destination.as.organization.name,wildcard,extended,,Google LLC,Organization name.
+1.8.0-dev+exp,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.8.0-dev+exp,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source.
+1.8.0-dev+exp,true,destination,destination.domain,wildcard,core,,,Destination domain.
+1.8.0-dev+exp,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name.
+1.8.0-dev+exp,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.8.0-dev+exp,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.8.0-dev+exp,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name.
+1.8.0-dev+exp,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.8.0-dev+exp,true,destination,destination.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.8.0-dev+exp,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.8.0-dev+exp,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name.
+1.8.0-dev+exp,true,destination,destination.ip,ip,core,,,IP address of the destination.
+1.8.0-dev+exp,true,destination,destination.mac,keyword,core,,,MAC address of the destination.
+1.8.0-dev+exp,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip
+1.8.0-dev+exp,true,destination,destination.nat.port,long,extended,,,Destination NAT Port
+1.8.0-dev+exp,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source.
+1.8.0-dev+exp,true,destination,destination.port,long,core,,,Port of the destination.
+1.8.0-dev+exp,true,destination,destination.registered_domain,wildcard,extended,,example.com,"The highest registered destination domain, stripped of the subdomain."
+1.8.0-dev+exp,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.8.0-dev+exp,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.8.0-dev+exp,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.8.0-dev+exp,true,destination,destination.user.email,wildcard,extended,,,User email address.
+1.8.0-dev+exp,true,destination,destination.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev+exp,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev+exp,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.8.0-dev+exp,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.8.0-dev+exp,true,destination,destination.user.group.name,keyword,extended,,,Name of the group.
+1.8.0-dev+exp,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.8.0-dev+exp,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user.
+1.8.0-dev+exp,true,destination,destination.user.name,wildcard,core,,albert,Short name or login of the user.
+1.8.0-dev+exp,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user.
+1.8.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.8.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.8.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.8.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.8.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.8.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.8.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash.
+1.8.0-dev+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash.
+1.8.0-dev+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash.
+1.8.0-dev+exp,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash.
+1.8.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library.
+1.8.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library.
+1.8.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.8.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.8.0-dev+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.8.0-dev+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.8.0-dev+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.8.0-dev+exp,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.8.0-dev+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.8.0-dev+exp,true,dns,dns.answers,object,extended,array,,Array of DNS answers.
+1.8.0-dev+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record.
+1.8.0-dev+exp,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource.
+1.8.0-dev+exp,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains.
+1.8.0-dev+exp,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded.
+1.8.0-dev+exp,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record.
+1.8.0-dev+exp,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags.
+1.8.0-dev+exp,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
+1.8.0-dev+exp,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message.
+1.8.0-dev+exp,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried.
+1.8.0-dev+exp,true,dns,dns.question.name,wildcard,extended,,www.example.com,The name being queried.
+1.8.0-dev+exp,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain."
+1.8.0-dev+exp,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain.
+1.8.0-dev+exp,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.8.0-dev+exp,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried.
+1.8.0-dev+exp,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data
+1.8.0-dev+exp,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code.
+1.8.0-dev+exp,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer."
+1.8.0-dev+exp,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
+1.8.0-dev+exp,true,error,error.code,keyword,core,,,Error code describing the error.
+1.8.0-dev+exp,true,error,error.id,keyword,core,,,Unique identifier for the error.
+1.8.0-dev+exp,true,error,error.message,text,core,,,Error message.
+1.8.0-dev+exp,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text.
+1.8.0-dev+exp,true,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text.
+1.8.0-dev+exp,true,error,error.type,wildcard,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception."
+1.8.0-dev+exp,true,event,event.action,keyword,core,,user-password-change,The action captured by the event.
+1.8.0-dev+exp,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy.
+1.8.0-dev+exp,true,event,event.code,keyword,extended,,4648,Identification code for this event.
+1.8.0-dev+exp,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline.
+1.8.0-dev+exp,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset.
+1.8.0-dev+exp,true,event,event.duration,long,core,,,Duration of the event in nanoseconds.
+1.8.0-dev+exp,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed.
+1.8.0-dev+exp,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
+1.8.0-dev+exp,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event.
+1.8.0-dev+exp,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store.
+1.8.0-dev+exp,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy.
+1.8.0-dev+exp,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from.
+1.8.0-dev+exp,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124; worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event.
+1.8.0-dev+exp,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy.
+1.8.0-dev+exp,true,event,event.provider,keyword,extended,,kernel,Source of the event.
+1.8.0-dev+exp,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source"
+1.8.0-dev+exp,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL
+1.8.0-dev+exp,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
+1.8.0-dev+exp,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100).
+1.8.0-dev+exp,true,event,event.sequence,long,extended,,,Sequence number of the event.
+1.8.0-dev+exp,true,event,event.severity,long,core,,7,Numeric severity of the event.
+1.8.0-dev+exp,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed.
+1.8.0-dev+exp,true,event,event.timezone,keyword,extended,,,Event time zone.
+1.8.0-dev+exp,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy.
+1.8.0-dev+exp,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL
+1.8.0-dev+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed.
+1.8.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
+1.8.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.8.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.8.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.8.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.8.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.8.0-dev+exp,true,file,file.created,date,extended,,,File creation time.
+1.8.0-dev+exp,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed.
+1.8.0-dev+exp,true,file,file.device,keyword,extended,,sda,Device that is the source of the file.
+1.8.0-dev+exp,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located.
+1.8.0-dev+exp,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
+1.8.0-dev+exp,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
+1.8.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
+1.8.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file.
+1.8.0-dev+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash.
+1.8.0-dev+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash.
+1.8.0-dev+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash.
+1.8.0-dev+exp,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash.
+1.8.0-dev+exp,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
+1.8.0-dev+exp,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
+1.8.0-dev+exp,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation.
+1.8.0-dev+exp,true,file,file.mtime,date,extended,,,Last time the file content was modified.
+1.8.0-dev+exp,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
+1.8.0-dev+exp,true,file,file.owner,keyword,extended,,alice,File owner's username.
+1.8.0-dev+exp,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+1.8.0-dev+exp,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+1.8.0-dev+exp,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.8.0-dev+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.8.0-dev+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.8.0-dev+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.8.0-dev+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.8.0-dev+exp,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.8.0-dev+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.8.0-dev+exp,true,file,file.size,long,extended,,16384,File size in bytes.
+1.8.0-dev+exp,true,file,file.target_path,wildcard,extended,,,Target path for symlinks.
+1.8.0-dev+exp,true,file,file.target_path.text,text,extended,,,Target path for symlinks.
+1.8.0-dev+exp,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
+1.8.0-dev+exp,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
+1.8.0-dev+exp,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+1.8.0-dev+exp,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+1.8.0-dev+exp,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+1.8.0-dev+exp,true,file,file.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.8.0-dev+exp,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+1.8.0-dev+exp,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+1.8.0-dev+exp,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+1.8.0-dev+exp,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.8.0-dev+exp,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+1.8.0-dev+exp,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+1.8.0-dev+exp,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+1.8.0-dev+exp,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+1.8.0-dev+exp,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+1.8.0-dev+exp,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+1.8.0-dev+exp,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+1.8.0-dev+exp,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+1.8.0-dev+exp,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+1.8.0-dev+exp,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code
+1.8.0-dev+exp,true,file,file.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.8.0-dev+exp,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+1.8.0-dev+exp,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+1.8.0-dev+exp,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+1.8.0-dev+exp,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.8.0-dev+exp,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format.
+1.8.0-dev+exp,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.8.0-dev+exp,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.8.0-dev+exp,true,group,group.name,keyword,extended,,,Name of the group.
+1.8.0-dev+exp,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture.
+1.8.0-dev+exp,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of.
+1.8.0-dev+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name.
+1.8.0-dev+exp,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.8.0-dev+exp,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.8.0-dev+exp,true,host,host.geo.country_name,keyword,core,,Canada,Country name.
+1.8.0-dev+exp,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.8.0-dev+exp,true,host,host.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.8.0-dev+exp,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.8.0-dev+exp,true,host,host.geo.region_name,keyword,core,,Quebec,Region name.
+1.8.0-dev+exp,true,host,host.hostname,wildcard,core,,,Hostname of the host.
+1.8.0-dev+exp,true,host,host.id,keyword,core,,,Unique host id.
+1.8.0-dev+exp,true,host,host.ip,ip,core,array,,Host ip addresses.
+1.8.0-dev+exp,true,host,host.mac,keyword,core,array,,Host mac addresses.
+1.8.0-dev+exp,true,host,host.name,keyword,core,,,Name of the host.
+1.8.0-dev+exp,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+1.8.0-dev+exp,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.8.0-dev+exp,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.8.0-dev+exp,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+1.8.0-dev+exp,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
+1.8.0-dev+exp,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
+1.8.0-dev+exp,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+1.8.0-dev+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+1.8.0-dev+exp,true,host,host.type,keyword,core,,,Type of host.
+1.8.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up.
+1.8.0-dev+exp,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.8.0-dev+exp,true,host,host.user.email,wildcard,extended,,,User email address.
+1.8.0-dev+exp,true,host,host.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev+exp,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev+exp,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.8.0-dev+exp,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.8.0-dev+exp,true,host,host.user.group.name,keyword,extended,,,Name of the group.
+1.8.0-dev+exp,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.8.0-dev+exp,true,host,host.user.id,keyword,core,,,Unique identifier of the user.
+1.8.0-dev+exp,true,host,host.user.name,wildcard,core,,albert,Short name or login of the user.
+1.8.0-dev+exp,true,host,host.user.name.text,text,core,,albert,Short name or login of the user.
+1.8.0-dev+exp,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.8.0-dev+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body.
+1.8.0-dev+exp,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body.
+1.8.0-dev+exp,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body.
+1.8.0-dev+exp,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers).
+1.8.0-dev+exp,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method.
+1.8.0-dev+exp,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request.
+1.8.0-dev+exp,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request.
+1.8.0-dev+exp,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body.
+1.8.0-dev+exp,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body.
+1.8.0-dev+exp,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body.
+1.8.0-dev+exp,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers).
+1.8.0-dev+exp,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response.
+1.8.0-dev+exp,true,http,http.response.status_code,long,extended,,404,HTTP response status code.
+1.8.0-dev+exp,true,http,http.version,keyword,extended,,1.1,HTTP version.
+1.8.0-dev+exp,true,log,log.file.path,wildcard,extended,,/var/log/fun-times.log,Full path to the log file this event came from.
+1.8.0-dev+exp,true,log,log.level,keyword,core,,error,Log level of the log event.
+1.8.0-dev+exp,true,log,log.logger,wildcard,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger.
+1.8.0-dev+exp,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event.
+1.8.0-dev+exp,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event.
+1.8.0-dev+exp,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event.
+1.8.0-dev+exp,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)."
+1.8.0-dev+exp,true,log,log.syslog,object,extended,,,Syslog metadata
+1.8.0-dev+exp,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event.
+1.8.0-dev+exp,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event.
+1.8.0-dev+exp,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event.
+1.8.0-dev+exp,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event.
+1.8.0-dev+exp,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event.
+1.8.0-dev+exp,true,network,network.application,keyword,extended,,aim,Application level protocol name.
+1.8.0-dev+exp,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions.
+1.8.0-dev+exp,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports.
+1.8.0-dev+exp,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic.
+1.8.0-dev+exp,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy.
+1.8.0-dev+exp,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number.
+1.8.0-dev+exp,true,network,network.inner,object,extended,,,Inner VLAN tag information
+1.8.0-dev+exp,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+1.8.0-dev+exp,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+1.8.0-dev+exp,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network.
+1.8.0-dev+exp,true,network,network.packets,long,core,,24,Total packets transferred in both directions.
+1.8.0-dev+exp,true,network,network.protocol,keyword,core,,http,L7 Network protocol name.
+1.8.0-dev+exp,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`.
+1.8.0-dev+exp,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc"
+1.8.0-dev+exp,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+1.8.0-dev+exp,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+1.8.0-dev+exp,true,observer,observer.egress,object,extended,,,Object field for egress information
+1.8.0-dev+exp,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias
+1.8.0-dev+exp,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID
+1.8.0-dev+exp,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name
+1.8.0-dev+exp,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+1.8.0-dev+exp,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+1.8.0-dev+exp,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone
+1.8.0-dev+exp,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name.
+1.8.0-dev+exp,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.8.0-dev+exp,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.8.0-dev+exp,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name.
+1.8.0-dev+exp,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.8.0-dev+exp,true,observer,observer.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.8.0-dev+exp,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.8.0-dev+exp,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name.
+1.8.0-dev+exp,true,observer,observer.hostname,keyword,core,,,Hostname of the observer.
+1.8.0-dev+exp,true,observer,observer.ingress,object,extended,,,Object field for ingress information
+1.8.0-dev+exp,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias
+1.8.0-dev+exp,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID
+1.8.0-dev+exp,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name
+1.8.0-dev+exp,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+1.8.0-dev+exp,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+1.8.0-dev+exp,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone
+1.8.0-dev+exp,true,observer,observer.ip,ip,core,array,,IP addresses of the observer.
+1.8.0-dev+exp,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer
+1.8.0-dev+exp,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer.
+1.8.0-dev+exp,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+1.8.0-dev+exp,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.8.0-dev+exp,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.8.0-dev+exp,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+1.8.0-dev+exp,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
+1.8.0-dev+exp,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
+1.8.0-dev+exp,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+1.8.0-dev+exp,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+1.8.0-dev+exp,true,observer,observer.product,keyword,extended,,s200,The product name of the observer.
+1.8.0-dev+exp,true,observer,observer.serial_number,keyword,extended,,,Observer serial number.
+1.8.0-dev+exp,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from.
+1.8.0-dev+exp,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer.
+1.8.0-dev+exp,true,observer,observer.version,keyword,core,,,Observer version.
+1.8.0-dev+exp,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization.
+1.8.0-dev+exp,true,organization,organization.name,wildcard,extended,,,Organization name.
+1.8.0-dev+exp,true,organization,organization.name.text,text,extended,,,Organization name.
+1.8.0-dev+exp,true,package,package.architecture,keyword,extended,,x86_64,Package architecture.
+1.8.0-dev+exp,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information
+1.8.0-dev+exp,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification.
+1.8.0-dev+exp,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package.
+1.8.0-dev+exp,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global."
+1.8.0-dev+exp,true,package,package.installed,date,extended,,,Time when package was installed.
+1.8.0-dev+exp,true,package,package.license,keyword,extended,,Apache License 2.0,Package license
+1.8.0-dev+exp,true,package,package.name,keyword,extended,,go,Package name
+1.8.0-dev+exp,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed.
+1.8.0-dev+exp,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL
+1.8.0-dev+exp,true,package,package.size,long,extended,,62231,Package size in bytes.
+1.8.0-dev+exp,true,package,package.type,keyword,extended,,rpm,Package type
+1.8.0-dev+exp,true,package,package.version,keyword,extended,,1.12.9,Package version
+1.8.0-dev+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
+1.8.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array.
+1.8.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.8.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.8.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.8.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.8.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.8.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.8.0-dev+exp,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.8.0-dev+exp,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
+1.8.0-dev+exp,true,process,process.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.8.0-dev+exp,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.8.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process.
+1.8.0-dev+exp,true,process,process.hash.md5,keyword,extended,,,MD5 hash.
+1.8.0-dev+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash.
+1.8.0-dev+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash.
+1.8.0-dev+exp,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash.
+1.8.0-dev+exp,true,process,process.name,wildcard,extended,,ssh,Process name.
+1.8.0-dev+exp,true,process,process.name.text,text,extended,,ssh,Process name.
+1.8.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
+1.8.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
+1.8.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.8.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.8.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.8.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.8.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.8.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.8.0-dev+exp,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.8.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
+1.8.0-dev+exp,true,process,process.parent.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.8.0-dev+exp,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.8.0-dev+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process.
+1.8.0-dev+exp,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash.
+1.8.0-dev+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash.
+1.8.0-dev+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash.
+1.8.0-dev+exp,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash.
+1.8.0-dev+exp,true,process,process.parent.name,wildcard,extended,,ssh,Process name.
+1.8.0-dev+exp,true,process,process.parent.name.text,text,extended,,ssh,Process name.
+1.8.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.8.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.8.0-dev+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.8.0-dev+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.8.0-dev+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.8.0-dev+exp,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.8.0-dev+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.8.0-dev+exp,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
+1.8.0-dev+exp,true,process,process.parent.pid,long,core,,4242,Process id.
+1.8.0-dev+exp,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid.
+1.8.0-dev+exp,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
+1.8.0-dev+exp,true,process,process.parent.thread.id,long,extended,,4242,Thread ID.
+1.8.0-dev+exp,true,process,process.parent.thread.name,wildcard,extended,,thread-0,Thread name.
+1.8.0-dev+exp,true,process,process.parent.title,wildcard,extended,,,Process title.
+1.8.0-dev+exp,true,process,process.parent.title.text,text,extended,,,Process title.
+1.8.0-dev+exp,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up.
+1.8.0-dev+exp,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process.
+1.8.0-dev+exp,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process.
+1.8.0-dev+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.8.0-dev+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.8.0-dev+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.8.0-dev+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.8.0-dev+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.8.0-dev+exp,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.8.0-dev+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.8.0-dev+exp,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
+1.8.0-dev+exp,true,process,process.pid,long,core,,4242,Process id.
+1.8.0-dev+exp,true,process,process.ppid,long,extended,,4241,Parent process' pid.
+1.8.0-dev+exp,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
+1.8.0-dev+exp,true,process,process.thread.id,long,extended,,4242,Thread ID.
+1.8.0-dev+exp,true,process,process.thread.name,wildcard,extended,,thread-0,Thread name.
+1.8.0-dev+exp,true,process,process.title,wildcard,extended,,,Process title.
+1.8.0-dev+exp,true,process,process.title.text,text,extended,,,Process title.
+1.8.0-dev+exp,true,process,process.uptime,long,extended,,1325,Seconds the process has been up.
+1.8.0-dev+exp,true,process,process.working_directory,wildcard,extended,,/home/alice,The working directory of the process.
+1.8.0-dev+exp,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process.
+1.8.0-dev+exp,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
+1.8.0-dev+exp,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
+1.8.0-dev+exp,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
+1.8.0-dev+exp,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
+1.8.0-dev+exp,true,registry,registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
+1.8.0-dev+exp,true,registry,registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
+1.8.0-dev+exp,true,registry,registry.value,keyword,core,,Debugger,Name of the value written.
+1.8.0-dev+exp,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event.
+1.8.0-dev+exp,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event.
+1.8.0-dev+exp,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event.
+1.8.0-dev+exp,true,related,related.user,keyword,extended,array,,All the user names seen on your event.
+1.8.0-dev+exp,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author
+1.8.0-dev+exp,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category
+1.8.0-dev+exp,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description
+1.8.0-dev+exp,true,rule,rule.id,keyword,extended,,101,Rule ID
+1.8.0-dev+exp,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license
+1.8.0-dev+exp,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name
+1.8.0-dev+exp,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL
+1.8.0-dev+exp,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset
+1.8.0-dev+exp,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID
+1.8.0-dev+exp,true,rule,rule.version,keyword,extended,,1.1,Rule version
+1.8.0-dev+exp,true,server,server.address,keyword,extended,,,Server network address.
+1.8.0-dev+exp,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.8.0-dev+exp,true,server,server.as.organization.name,wildcard,extended,,Google LLC,Organization name.
+1.8.0-dev+exp,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.8.0-dev+exp,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client.
+1.8.0-dev+exp,true,server,server.domain,wildcard,core,,,Server domain.
+1.8.0-dev+exp,true,server,server.geo.city_name,keyword,core,,Montreal,City name.
+1.8.0-dev+exp,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.8.0-dev+exp,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.8.0-dev+exp,true,server,server.geo.country_name,keyword,core,,Canada,Country name.
+1.8.0-dev+exp,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.8.0-dev+exp,true,server,server.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.8.0-dev+exp,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.8.0-dev+exp,true,server,server.geo.region_name,keyword,core,,Quebec,Region name.
+1.8.0-dev+exp,true,server,server.ip,ip,core,,,IP address of the server.
+1.8.0-dev+exp,true,server,server.mac,keyword,core,,,MAC address of the server.
+1.8.0-dev+exp,true,server,server.nat.ip,ip,extended,,,Server NAT ip
+1.8.0-dev+exp,true,server,server.nat.port,long,extended,,,Server NAT port
+1.8.0-dev+exp,true,server,server.packets,long,core,,12,Packets sent from the server to the client.
+1.8.0-dev+exp,true,server,server.port,long,core,,,Port of the server.
+1.8.0-dev+exp,true,server,server.registered_domain,wildcard,extended,,example.com,"The highest registered server domain, stripped of the subdomain."
+1.8.0-dev+exp,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.8.0-dev+exp,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.8.0-dev+exp,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.8.0-dev+exp,true,server,server.user.email,wildcard,extended,,,User email address.
+1.8.0-dev+exp,true,server,server.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev+exp,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev+exp,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.8.0-dev+exp,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.8.0-dev+exp,true,server,server.user.group.name,keyword,extended,,,Name of the group.
+1.8.0-dev+exp,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.8.0-dev+exp,true,server,server.user.id,keyword,core,,,Unique identifier of the user.
+1.8.0-dev+exp,true,server,server.user.name,wildcard,core,,albert,Short name or login of the user.
+1.8.0-dev+exp,true,server,server.user.name.text,text,core,,albert,Short name or login of the user.
+1.8.0-dev+exp,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.8.0-dev+exp,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
+1.8.0-dev+exp,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
+1.8.0-dev+exp,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service.
+1.8.0-dev+exp,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node.
+1.8.0-dev+exp,true,service,service.state,keyword,core,,,Current state of the service.
+1.8.0-dev+exp,true,service,service.type,keyword,core,,elasticsearch,The type of the service.
+1.8.0-dev+exp,true,service,service.version,keyword,core,,3.2.4,Version of the service.
+1.8.0-dev+exp,true,source,source.address,keyword,extended,,,Source network address.
+1.8.0-dev+exp,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.8.0-dev+exp,true,source,source.as.organization.name,wildcard,extended,,Google LLC,Organization name.
+1.8.0-dev+exp,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.8.0-dev+exp,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination.
+1.8.0-dev+exp,true,source,source.domain,wildcard,core,,,Source domain.
+1.8.0-dev+exp,true,source,source.geo.city_name,keyword,core,,Montreal,City name.
+1.8.0-dev+exp,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.8.0-dev+exp,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.8.0-dev+exp,true,source,source.geo.country_name,keyword,core,,Canada,Country name.
+1.8.0-dev+exp,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.8.0-dev+exp,true,source,source.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.8.0-dev+exp,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.8.0-dev+exp,true,source,source.geo.region_name,keyword,core,,Quebec,Region name.
+1.8.0-dev+exp,true,source,source.ip,ip,core,,,IP address of the source.
+1.8.0-dev+exp,true,source,source.mac,keyword,core,,,MAC address of the source.
+1.8.0-dev+exp,true,source,source.nat.ip,ip,extended,,,Source NAT ip
+1.8.0-dev+exp,true,source,source.nat.port,long,extended,,,Source NAT port
+1.8.0-dev+exp,true,source,source.packets,long,core,,12,Packets sent from the source to the destination.
+1.8.0-dev+exp,true,source,source.port,long,core,,,Port of the source.
+1.8.0-dev+exp,true,source,source.registered_domain,wildcard,extended,,example.com,"The highest registered source domain, stripped of the subdomain."
+1.8.0-dev+exp,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.8.0-dev+exp,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.8.0-dev+exp,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.8.0-dev+exp,true,source,source.user.email,wildcard,extended,,,User email address.
+1.8.0-dev+exp,true,source,source.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev+exp,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev+exp,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.8.0-dev+exp,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.8.0-dev+exp,true,source,source.user.group.name,keyword,extended,,,Name of the group.
+1.8.0-dev+exp,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.8.0-dev+exp,true,source,source.user.id,keyword,core,,,Unique identifier of the user.
+1.8.0-dev+exp,true,source,source.user.name,wildcard,core,,albert,Short name or login of the user.
+1.8.0-dev+exp,true,source,source.user.name.text,text,core,,albert,Short name or login of the user.
+1.8.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.8.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace.
+1.8.0-dev+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework.
+1.8.0-dev+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id.
+1.8.0-dev+exp,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic.
+1.8.0-dev+exp,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference.
+1.8.0-dev+exp,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id.
+1.8.0-dev+exp,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name.
+1.8.0-dev+exp,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name.
+1.8.0-dev+exp,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference.
+1.8.0-dev+exp,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id.
+1.8.0-dev+exp,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name.
+1.8.0-dev+exp,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name.
+1.8.0-dev+exp,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference.
+1.8.0-dev+exp,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection.
+1.8.0-dev+exp,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client.
+1.8.0-dev+exp,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client.
+1.8.0-dev+exp,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client.
+1.8.0-dev+exp,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client.
+1.8.0-dev+exp,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client.
+1.8.0-dev+exp,true,tls,tls.client.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
+1.8.0-dev+exp,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake.
+1.8.0-dev+exp,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid.
+1.8.0-dev+exp,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid.
+1.8.0-dev+exp,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI.
+1.8.0-dev+exp,true,tls,tls.client.subject,wildcard,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client.
+1.8.0-dev+exp,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello.
+1.8.0-dev+exp,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+1.8.0-dev+exp,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+1.8.0-dev+exp,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+1.8.0-dev+exp,true,tls,tls.client.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.8.0-dev+exp,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+1.8.0-dev+exp,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+1.8.0-dev+exp,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+1.8.0-dev+exp,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.8.0-dev+exp,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+1.8.0-dev+exp,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+1.8.0-dev+exp,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+1.8.0-dev+exp,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+1.8.0-dev+exp,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+1.8.0-dev+exp,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+1.8.0-dev+exp,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+1.8.0-dev+exp,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+1.8.0-dev+exp,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+1.8.0-dev+exp,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code
+1.8.0-dev+exp,true,tls,tls.client.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.8.0-dev+exp,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+1.8.0-dev+exp,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+1.8.0-dev+exp,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+1.8.0-dev+exp,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.8.0-dev+exp,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format.
+1.8.0-dev+exp,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable."
+1.8.0-dev+exp,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
+1.8.0-dev+exp,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled.
+1.8.0-dev+exp,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
+1.8.0-dev+exp,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server.
+1.8.0-dev+exp,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server.
+1.8.0-dev+exp,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server.
+1.8.0-dev+exp,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server.
+1.8.0-dev+exp,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server.
+1.8.0-dev+exp,true,tls,tls.server.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server.
+1.8.0-dev+exp,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake.
+1.8.0-dev+exp,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid.
+1.8.0-dev+exp,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid.
+1.8.0-dev+exp,true,tls,tls.server.subject,wildcard,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server.
+1.8.0-dev+exp,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+1.8.0-dev+exp,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+1.8.0-dev+exp,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+1.8.0-dev+exp,true,tls,tls.server.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.8.0-dev+exp,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+1.8.0-dev+exp,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+1.8.0-dev+exp,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+1.8.0-dev+exp,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.8.0-dev+exp,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+1.8.0-dev+exp,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+1.8.0-dev+exp,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+1.8.0-dev+exp,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+1.8.0-dev+exp,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+1.8.0-dev+exp,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+1.8.0-dev+exp,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+1.8.0-dev+exp,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+1.8.0-dev+exp,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+1.8.0-dev+exp,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code
+1.8.0-dev+exp,true,tls,tls.server.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.8.0-dev+exp,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+1.8.0-dev+exp,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+1.8.0-dev+exp,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+1.8.0-dev+exp,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.8.0-dev+exp,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format.
+1.8.0-dev+exp,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string.
+1.8.0-dev+exp,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string.
+1.8.0-dev+exp,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace.
+1.8.0-dev+exp,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace.
+1.8.0-dev+exp,true,url,url.domain,wildcard,extended,,www.elastic.co,Domain of the url.
+1.8.0-dev+exp,true,url,url.extension,keyword,extended,,png,File extension from the original request url.
+1.8.0-dev+exp,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`.
+1.8.0-dev+exp,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+1.8.0-dev+exp,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+1.8.0-dev+exp,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+1.8.0-dev+exp,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+1.8.0-dev+exp,true,url,url.password,keyword,extended,,,Password of the request.
+1.8.0-dev+exp,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
+1.8.0-dev+exp,true,url,url.port,long,extended,,443,"Port of the request, such as 443."
+1.8.0-dev+exp,true,url,url.query,keyword,extended,,,Query string of the request.
+1.8.0-dev+exp,true,url,url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
+1.8.0-dev+exp,true,url,url.scheme,keyword,extended,,https,Scheme of the url.
+1.8.0-dev+exp,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.8.0-dev+exp,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.8.0-dev+exp,true,url,url.username,keyword,extended,,,Username of the request.
+1.8.0-dev+exp,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.8.0-dev+exp,true,user,user.changes.email,wildcard,extended,,,User email address.
+1.8.0-dev+exp,true,user,user.changes.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev+exp,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev+exp,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.8.0-dev+exp,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.8.0-dev+exp,true,user,user.changes.group.name,keyword,extended,,,Name of the group.
+1.8.0-dev+exp,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.8.0-dev+exp,true,user,user.changes.id,keyword,core,,,Unique identifier of the user.
+1.8.0-dev+exp,true,user,user.changes.name,wildcard,core,,albert,Short name or login of the user.
+1.8.0-dev+exp,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user.
+1.8.0-dev+exp,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.8.0-dev+exp,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.8.0-dev+exp,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.8.0-dev+exp,true,user,user.effective.email,wildcard,extended,,,User email address.
+1.8.0-dev+exp,true,user,user.effective.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev+exp,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev+exp,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.8.0-dev+exp,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.8.0-dev+exp,true,user,user.effective.group.name,keyword,extended,,,Name of the group.
+1.8.0-dev+exp,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.8.0-dev+exp,true,user,user.effective.id,keyword,core,,,Unique identifier of the user.
+1.8.0-dev+exp,true,user,user.effective.name,wildcard,core,,albert,Short name or login of the user.
+1.8.0-dev+exp,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user.
+1.8.0-dev+exp,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.8.0-dev+exp,true,user,user.email,wildcard,extended,,,User email address.
+1.8.0-dev+exp,true,user,user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev+exp,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev+exp,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.8.0-dev+exp,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.8.0-dev+exp,true,user,user.group.name,keyword,extended,,,Name of the group.
+1.8.0-dev+exp,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.8.0-dev+exp,true,user,user.id,keyword,core,,,Unique identifier of the user.
+1.8.0-dev+exp,true,user,user.name,wildcard,core,,albert,Short name or login of the user.
+1.8.0-dev+exp,true,user,user.name.text,text,core,,albert,Short name or login of the user.
+1.8.0-dev+exp,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.8.0-dev+exp,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.8.0-dev+exp,true,user,user.target.email,wildcard,extended,,,User email address.
+1.8.0-dev+exp,true,user,user.target.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev+exp,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev+exp,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.8.0-dev+exp,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.8.0-dev+exp,true,user,user.target.group.name,keyword,extended,,,Name of the group.
+1.8.0-dev+exp,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.8.0-dev+exp,true,user,user.target.id,keyword,core,,,Unique identifier of the user.
+1.8.0-dev+exp,true,user,user.target.name,wildcard,core,,albert,Short name or login of the user.
+1.8.0-dev+exp,true,user,user.target.name.text,text,core,,albert,Short name or login of the user.
+1.8.0-dev+exp,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.8.0-dev+exp,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device.
+1.8.0-dev+exp,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
+1.8.0-dev+exp,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
+1.8.0-dev+exp,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
+1.8.0-dev+exp,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+1.8.0-dev+exp,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.8.0-dev+exp,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.8.0-dev+exp,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+1.8.0-dev+exp,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
+1.8.0-dev+exp,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
+1.8.0-dev+exp,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+1.8.0-dev+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+1.8.0-dev+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent.
+1.8.0-dev+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability.
+1.8.0-dev+exp,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability.
+1.8.0-dev+exp,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
+1.8.0-dev+exp,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
+1.8.0-dev+exp,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability.
+1.8.0-dev+exp,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability.
+1.8.0-dev+exp,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability.
+1.8.0-dev+exp,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number.
+1.8.0-dev+exp,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor.
+1.8.0-dev+exp,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score.
+1.8.0-dev+exp,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score.
+1.8.0-dev+exp,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score.
+1.8.0-dev+exp,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version.
+1.8.0-dev+exp,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability.
diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json
index ce1fd20d23..e49b046ece 100644
--- a/experimental/generated/elasticsearch/7/template.json
+++ b/experimental/generated/elasticsearch/7/template.json
@@ -4,7 +4,7 @@
   ],
   "mappings": {
     "_meta": {
-      "version": "1.8.0-dev"
+      "version": "1.8.0-dev+exp"
     },
     "date_detection": false,
     "dynamic_templates": [
diff --git a/scripts/generator.py b/scripts/generator.py
index 0db252648d..40d63e94cb 100644
--- a/scripts/generator.py
+++ b/scripts/generator.py
@@ -41,6 +41,10 @@ def main():
     # statements like this after any step of interest.
     # ecs_helpers.yaml_dump('ecs.yml', fields)
 
+    # Detect usage of experimental changes to tweak artifact version label
+    if loader.EXPERIMENTAL_SCHEMA_DIR in args.include:
+        ecs_version += "+exp"
+
     fields = loader.load_schemas(ref=args.ref, included_files=args.include)
     if args.oss:
         oss.fallback(fields)
diff --git a/scripts/schema/loader.py b/scripts/schema/loader.py
index e953834d97..07477551af 100644
--- a/scripts/schema/loader.py
+++ b/scripts/schema/loader.py
@@ -42,6 +42,9 @@
 #   Examples of this are 'dns.answers', 'observer.egress'.
 
 
+EXPERIMENTAL_SCHEMA_DIR = 'experimental/schemas'
+
+
 def load_schemas(ref=None, included_files=[]):
     """Loads ECS and custom schemas. They are returned deeply nested and merged."""
     # ECS fields (from git ref or not)
@@ -51,8 +54,6 @@ def load_schemas(ref=None, included_files=[]):
         schema_files_raw = load_schema_files(ecs_helpers.ecs_files())
     fields = deep_nesting_representation(schema_files_raw)
 
-    EXPERIMENTAL_SCHEMA_DIR = 'experimental/schemas'
-
     # Custom additional files
     if included_files and len(included_files) > 0:
         print('Loading user defined schemas: {0}'.format(included_files))

From 27fe7e0e7e1412a827bd914a1c537662eb123ad6 Mon Sep 17 00:00:00 2001
From: Mathieu Martin <mathieu.martin@elastic.co>
Date: Wed, 18 Nov 2020 10:56:58 -0500
Subject: [PATCH 44/90] [1.x] Add os.type field, with list of allowed values
 (#1111) (#1130)

---
 CHANGELOG.next.md                             |  1 +
 code/go/ecs/os.go                             |  9 +++
 docs/field-details.asciidoc                   | 17 ++++
 experimental/generated/beats/fields.ecs.yml   | 60 ++++++++++++++
 experimental/generated/csv/fields.csv         |  3 +
 experimental/generated/ecs/ecs_flat.yml       | 57 +++++++++++++
 experimental/generated/ecs/ecs_nested.yml     | 79 +++++++++++++++++++
 .../generated/elasticsearch/7/template.json   | 12 +++
 generated/beats/fields.ecs.yml                | 60 ++++++++++++++
 generated/csv/fields.csv                      |  3 +
 generated/ecs/ecs_flat.yml                    | 57 +++++++++++++
 generated/ecs/ecs_nested.yml                  | 79 +++++++++++++++++++
 generated/elasticsearch/6/template.json       | 12 +++
 generated/elasticsearch/7/template.json       | 12 +++
 schemas/os.yml                                | 14 ++++
 15 files changed, 475 insertions(+)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index bfd5ff6cc4..8b182475d3 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -18,6 +18,7 @@ Thanks, you're awesome :-) -->
 
 * Added `event.category` "registry". #1040
 * Added `event.category` "session". #1049
+* Added `os.type`. #1111
 
 #### Improvements
 
diff --git a/code/go/ecs/os.go b/code/go/ecs/os.go
index a118950bbf..3284a5357c 100644
--- a/code/go/ecs/os.go
+++ b/code/go/ecs/os.go
@@ -21,6 +21,15 @@ package ecs
 
 // The OS fields contain information about the operating system.
 type Os struct {
+	// Use the `os.type` field to categorize the operating system into one of
+	// the broad commercial families.
+	// One of these following values should be used (lowercase): linux, macos,
+	// unix, windows.
+	// If the OS you're dealing with is not in the list, the field should not
+	// be populated. Please let us know by opening an issue with ECS, to
+	// propose its addition.
+	Type string `ecs:"type"`
+
 	// Operating system platform (such centos, ubuntu, windows).
 	Platform string `ecs:"platform"`
 
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index 25f01313b3..ae14752657 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -3930,6 +3930,23 @@ example: `darwin`
 
 // ===============================================================
 
+| os.type
+| Use the `os.type` field to categorize the operating system into one of the broad commercial families.
+
+One of these following values should be used (lowercase): linux, macos, unix, windows.
+
+If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
+
+type: keyword
+
+
+
+example: `macos`
+
+| extended
+
+// ===============================================================
+
 | os.version
 | Operating system version as a raw string.
 
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index e524abdb11..e148421e5a 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -2181,6 +2181,21 @@
       ignore_above: 1024
       description: Operating system platform (such centos, ubuntu, windows).
       example: darwin
+    - name: os.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Use the `os.type` field to categorize the operating system into
+        one of the broad commercial families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.
+
+        If the OS you''re dealing with is not in the list, the field should not be
+        populated. Please let us know by opening an issue with ECS, to propose its
+        addition.'
+      example: macos
+      default_field: false
     - name: os.version
       level: extended
       type: keyword
@@ -2929,6 +2944,21 @@
       ignore_above: 1024
       description: Operating system platform (such centos, ubuntu, windows).
       example: darwin
+    - name: os.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Use the `os.type` field to categorize the operating system into
+        one of the broad commercial families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.
+
+        If the OS you''re dealing with is not in the list, the field should not be
+        populated. Please let us know by opening an issue with ECS, to propose its
+        addition.'
+      example: macos
+      default_field: false
     - name: os.version
       level: extended
       type: keyword
@@ -3034,6 +3064,21 @@
       ignore_above: 1024
       description: Operating system platform (such centos, ubuntu, windows).
       example: darwin
+    - name: type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Use the `os.type` field to categorize the operating system into
+        one of the broad commercial families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.
+
+        If the OS you''re dealing with is not in the list, the field should not be
+        populated. Please let us know by opening an issue with ECS, to propose its
+        addition.'
+      example: macos
+      default_field: false
     - name: version
       level: extended
       type: keyword
@@ -5716,6 +5761,21 @@
       ignore_above: 1024
       description: Operating system platform (such centos, ubuntu, windows).
       example: darwin
+    - name: os.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Use the `os.type` field to categorize the operating system into
+        one of the broad commercial families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.
+
+        If the OS you''re dealing with is not in the list, the field should not be
+        populated. Please let us know by opening an issue with ECS, to propose its
+        addition.'
+      example: macos
+      default_field: false
     - name: os.version
       level: extended
       type: keyword
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
index c732a60600..9e24de5181 100644
--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -251,6 +251,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev+exp,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
 1.8.0-dev+exp,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
 1.8.0-dev+exp,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+1.8.0-dev+exp,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
 1.8.0-dev+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
 1.8.0-dev+exp,true,host,host.type,keyword,core,,,Type of host.
 1.8.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up.
@@ -342,6 +343,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev+exp,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
 1.8.0-dev+exp,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
 1.8.0-dev+exp,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+1.8.0-dev+exp,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
 1.8.0-dev+exp,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
 1.8.0-dev+exp,true,observer,observer.product,keyword,extended,,s200,The product name of the observer.
 1.8.0-dev+exp,true,observer,observer.serial_number,keyword,extended,,,Observer serial number.
@@ -703,6 +705,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev+exp,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
 1.8.0-dev+exp,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
 1.8.0-dev+exp,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+1.8.0-dev+exp,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
 1.8.0-dev+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
 1.8.0-dev+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent.
 1.8.0-dev+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability.
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index e67d668343..5aefba80d3 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -3423,6 +3423,25 @@ host.os.platform:
   original_fieldset: os
   short: Operating system platform (such centos, ubuntu, windows).
   type: keyword
+host.os.type:
+  dashed_name: host-os-type
+  description: 'Use the `os.type` field to categorize the operating system into one
+    of the broad commercial families.
+
+    One of these following values should be used (lowercase): linux, macos, unix,
+    windows.
+
+    If the OS you''re dealing with is not in the list, the field should not be populated.
+    Please let us know by opening an issue with ECS, to propose its addition.'
+  example: macos
+  flat_name: host.os.type
+  ignore_above: 1024
+  level: extended
+  name: type
+  normalize: []
+  original_fieldset: os
+  short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
+  type: keyword
 host.os.version:
   dashed_name: host-os-version
   description: Operating system version as a raw string.
@@ -4559,6 +4578,25 @@ observer.os.platform:
   original_fieldset: os
   short: Operating system platform (such centos, ubuntu, windows).
   type: keyword
+observer.os.type:
+  dashed_name: observer-os-type
+  description: 'Use the `os.type` field to categorize the operating system into one
+    of the broad commercial families.
+
+    One of these following values should be used (lowercase): linux, macos, unix,
+    windows.
+
+    If the OS you''re dealing with is not in the list, the field should not be populated.
+    Please let us know by opening an issue with ECS, to propose its addition.'
+  example: macos
+  flat_name: observer.os.type
+  ignore_above: 1024
+  level: extended
+  name: type
+  normalize: []
+  original_fieldset: os
+  short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
+  type: keyword
 observer.os.version:
   dashed_name: observer-os-version
   description: Operating system version as a raw string.
@@ -8796,6 +8834,25 @@ user_agent.os.platform:
   original_fieldset: os
   short: Operating system platform (such centos, ubuntu, windows).
   type: keyword
+user_agent.os.type:
+  dashed_name: user-agent-os-type
+  description: 'Use the `os.type` field to categorize the operating system into one
+    of the broad commercial families.
+
+    One of these following values should be used (lowercase): linux, macos, unix,
+    windows.
+
+    If the OS you''re dealing with is not in the list, the field should not be populated.
+    Please let us know by opening an issue with ECS, to propose its addition.'
+  example: macos
+  flat_name: user_agent.os.type
+  ignore_above: 1024
+  level: extended
+  name: type
+  normalize: []
+  original_fieldset: os
+  short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
+  type: keyword
 user_agent.os.version:
   dashed_name: user-agent-os-version
   description: Operating system version as a raw string.
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index 57b2385bee..977a5c2232 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -4086,6 +4086,26 @@ host:
       original_fieldset: os
       short: Operating system platform (such centos, ubuntu, windows).
       type: keyword
+    host.os.type:
+      dashed_name: host-os-type
+      description: 'Use the `os.type` field to categorize the operating system into
+        one of the broad commercial families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.
+
+        If the OS you''re dealing with is not in the list, the field should not be
+        populated. Please let us know by opening an issue with ECS, to propose its
+        addition.'
+      example: macos
+      flat_name: host.os.type
+      ignore_above: 1024
+      level: extended
+      name: type
+      normalize: []
+      original_fieldset: os
+      short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
+      type: keyword
     host.os.version:
       dashed_name: host-os-version
       description: Operating system version as a raw string.
@@ -5339,6 +5359,26 @@ observer:
       original_fieldset: os
       short: Operating system platform (such centos, ubuntu, windows).
       type: keyword
+    observer.os.type:
+      dashed_name: observer-os-type
+      description: 'Use the `os.type` field to categorize the operating system into
+        one of the broad commercial families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.
+
+        If the OS you''re dealing with is not in the list, the field should not be
+        populated. Please let us know by opening an issue with ECS, to propose its
+        addition.'
+      example: macos
+      flat_name: observer.os.type
+      ignore_above: 1024
+      level: extended
+      name: type
+      normalize: []
+      original_fieldset: os
+      short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
+      type: keyword
     observer.os.version:
       dashed_name: observer-os-version
       description: Operating system version as a raw string.
@@ -5542,6 +5582,25 @@ os:
       normalize: []
       short: Operating system platform (such centos, ubuntu, windows).
       type: keyword
+    os.type:
+      dashed_name: os-type
+      description: 'Use the `os.type` field to categorize the operating system into
+        one of the broad commercial families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.
+
+        If the OS you''re dealing with is not in the list, the field should not be
+        populated. Please let us know by opening an issue with ECS, to propose its
+        addition.'
+      example: macos
+      flat_name: os.type
+      ignore_above: 1024
+      level: extended
+      name: type
+      normalize: []
+      short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
+      type: keyword
     os.version:
       dashed_name: os-version
       description: Operating system version as a raw string.
@@ -10110,6 +10169,26 @@ user_agent:
       original_fieldset: os
       short: Operating system platform (such centos, ubuntu, windows).
       type: keyword
+    user_agent.os.type:
+      dashed_name: user-agent-os-type
+      description: 'Use the `os.type` field to categorize the operating system into
+        one of the broad commercial families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.
+
+        If the OS you''re dealing with is not in the list, the field should not be
+        populated. Please let us know by opening an issue with ECS, to propose its
+        addition.'
+      example: macos
+      flat_name: user_agent.os.type
+      ignore_above: 1024
+      level: extended
+      name: type
+      normalize: []
+      original_fieldset: os
+      short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
+      type: keyword
     user_agent.os.version:
       dashed_name: user-agent-os-version
       description: Operating system version as a raw string.
diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json
index e49b046ece..1ae21ee498 100644
--- a/experimental/generated/elasticsearch/7/template.json
+++ b/experimental/generated/elasticsearch/7/template.json
@@ -1134,6 +1134,10 @@
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "type": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "version": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -1589,6 +1593,10 @@
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "type": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "version": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -3237,6 +3245,10 @@
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "type": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "version": {
                 "ignore_above": 1024,
                 "type": "keyword"
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index f1e073d6b1..70ccffc264 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -2214,6 +2214,21 @@
       ignore_above: 1024
       description: Operating system platform (such centos, ubuntu, windows).
       example: darwin
+    - name: os.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Use the `os.type` field to categorize the operating system into
+        one of the broad commercial families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.
+
+        If the OS you''re dealing with is not in the list, the field should not be
+        populated. Please let us know by opening an issue with ECS, to propose its
+        addition.'
+      example: macos
+      default_field: false
     - name: os.version
       level: extended
       type: keyword
@@ -2973,6 +2988,21 @@
       ignore_above: 1024
       description: Operating system platform (such centos, ubuntu, windows).
       example: darwin
+    - name: os.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Use the `os.type` field to categorize the operating system into
+        one of the broad commercial families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.
+
+        If the OS you''re dealing with is not in the list, the field should not be
+        populated. Please let us know by opening an issue with ECS, to propose its
+        addition.'
+      example: macos
+      default_field: false
     - name: os.version
       level: extended
       type: keyword
@@ -3081,6 +3111,21 @@
       ignore_above: 1024
       description: Operating system platform (such centos, ubuntu, windows).
       example: darwin
+    - name: type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Use the `os.type` field to categorize the operating system into
+        one of the broad commercial families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.
+
+        If the OS you''re dealing with is not in the list, the field should not be
+        populated. Please let us know by opening an issue with ECS, to propose its
+        addition.'
+      example: macos
+      default_field: false
     - name: version
       level: extended
       type: keyword
@@ -5586,6 +5631,21 @@
       ignore_above: 1024
       description: Operating system platform (such centos, ubuntu, windows).
       example: darwin
+    - name: os.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Use the `os.type` field to categorize the operating system into
+        one of the broad commercial families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.
+
+        If the OS you''re dealing with is not in the list, the field should not be
+        populated. Please let us know by opening an issue with ECS, to propose its
+        addition.'
+      example: macos
+      default_field: false
     - name: os.version
       level: extended
       type: keyword
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index 04f8d184ed..96637a3f4c 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -251,6 +251,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
 1.8.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
 1.8.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+1.8.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
 1.8.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
 1.8.0-dev,true,host,host.type,keyword,core,,,Type of host.
 1.8.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up.
@@ -342,6 +343,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
 1.8.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
 1.8.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+1.8.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
 1.8.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
 1.8.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer.
 1.8.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number.
@@ -667,6 +669,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
 1.8.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
 1.8.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+1.8.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
 1.8.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
 1.8.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent.
 1.8.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability.
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index 9447fa982b..78ef1eaec8 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -3455,6 +3455,25 @@ host.os.platform:
   original_fieldset: os
   short: Operating system platform (such centos, ubuntu, windows).
   type: keyword
+host.os.type:
+  dashed_name: host-os-type
+  description: 'Use the `os.type` field to categorize the operating system into one
+    of the broad commercial families.
+
+    One of these following values should be used (lowercase): linux, macos, unix,
+    windows.
+
+    If the OS you''re dealing with is not in the list, the field should not be populated.
+    Please let us know by opening an issue with ECS, to propose its addition.'
+  example: macos
+  flat_name: host.os.type
+  ignore_above: 1024
+  level: extended
+  name: type
+  normalize: []
+  original_fieldset: os
+  short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
+  type: keyword
 host.os.version:
   dashed_name: host-os-version
   description: Operating system version as a raw string.
@@ -4602,6 +4621,25 @@ observer.os.platform:
   original_fieldset: os
   short: Operating system platform (such centos, ubuntu, windows).
   type: keyword
+observer.os.type:
+  dashed_name: observer-os-type
+  description: 'Use the `os.type` field to categorize the operating system into one
+    of the broad commercial families.
+
+    One of these following values should be used (lowercase): linux, macos, unix,
+    windows.
+
+    If the OS you''re dealing with is not in the list, the field should not be populated.
+    Please let us know by opening an issue with ECS, to propose its addition.'
+  example: macos
+  flat_name: observer.os.type
+  ignore_above: 1024
+  level: extended
+  name: type
+  normalize: []
+  original_fieldset: os
+  short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
+  type: keyword
 observer.os.version:
   dashed_name: observer-os-version
   description: Operating system version as a raw string.
@@ -8503,6 +8541,25 @@ user_agent.os.platform:
   original_fieldset: os
   short: Operating system platform (such centos, ubuntu, windows).
   type: keyword
+user_agent.os.type:
+  dashed_name: user-agent-os-type
+  description: 'Use the `os.type` field to categorize the operating system into one
+    of the broad commercial families.
+
+    One of these following values should be used (lowercase): linux, macos, unix,
+    windows.
+
+    If the OS you''re dealing with is not in the list, the field should not be populated.
+    Please let us know by opening an issue with ECS, to propose its addition.'
+  example: macos
+  flat_name: user_agent.os.type
+  ignore_above: 1024
+  level: extended
+  name: type
+  normalize: []
+  original_fieldset: os
+  short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
+  type: keyword
 user_agent.os.version:
   dashed_name: user-agent-os-version
   description: Operating system version as a raw string.
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index f8b86c0ee0..1352e844e5 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -4120,6 +4120,26 @@ host:
       original_fieldset: os
       short: Operating system platform (such centos, ubuntu, windows).
       type: keyword
+    host.os.type:
+      dashed_name: host-os-type
+      description: 'Use the `os.type` field to categorize the operating system into
+        one of the broad commercial families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.
+
+        If the OS you''re dealing with is not in the list, the field should not be
+        populated. Please let us know by opening an issue with ECS, to propose its
+        addition.'
+      example: macos
+      flat_name: host.os.type
+      ignore_above: 1024
+      level: extended
+      name: type
+      normalize: []
+      original_fieldset: os
+      short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
+      type: keyword
     host.os.version:
       dashed_name: host-os-version
       description: Operating system version as a raw string.
@@ -5384,6 +5404,26 @@ observer:
       original_fieldset: os
       short: Operating system platform (such centos, ubuntu, windows).
       type: keyword
+    observer.os.type:
+      dashed_name: observer-os-type
+      description: 'Use the `os.type` field to categorize the operating system into
+        one of the broad commercial families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.
+
+        If the OS you''re dealing with is not in the list, the field should not be
+        populated. Please let us know by opening an issue with ECS, to propose its
+        addition.'
+      example: macos
+      flat_name: observer.os.type
+      ignore_above: 1024
+      level: extended
+      name: type
+      normalize: []
+      original_fieldset: os
+      short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
+      type: keyword
     observer.os.version:
       dashed_name: observer-os-version
       description: Operating system version as a raw string.
@@ -5590,6 +5630,25 @@ os:
       normalize: []
       short: Operating system platform (such centos, ubuntu, windows).
       type: keyword
+    os.type:
+      dashed_name: os-type
+      description: 'Use the `os.type` field to categorize the operating system into
+        one of the broad commercial families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.
+
+        If the OS you''re dealing with is not in the list, the field should not be
+        populated. Please let us know by opening an issue with ECS, to propose its
+        addition.'
+      example: macos
+      flat_name: os.type
+      ignore_above: 1024
+      level: extended
+      name: type
+      normalize: []
+      short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
+      type: keyword
     os.version:
       dashed_name: os-version
       description: Operating system version as a raw string.
@@ -9801,6 +9860,26 @@ user_agent:
       original_fieldset: os
       short: Operating system platform (such centos, ubuntu, windows).
       type: keyword
+    user_agent.os.type:
+      dashed_name: user-agent-os-type
+      description: 'Use the `os.type` field to categorize the operating system into
+        one of the broad commercial families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.
+
+        If the OS you''re dealing with is not in the list, the field should not be
+        populated. Please let us know by opening an issue with ECS, to propose its
+        addition.'
+      example: macos
+      flat_name: user_agent.os.type
+      ignore_above: 1024
+      level: extended
+      name: type
+      normalize: []
+      original_fieldset: os
+      short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
+      type: keyword
     user_agent.os.version:
       dashed_name: user-agent-os-version
       description: Operating system version as a raw string.
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json
index 1392c740e3..e36eb3038f 100644
--- a/generated/elasticsearch/6/template.json
+++ b/generated/elasticsearch/6/template.json
@@ -1167,6 +1167,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "version": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -1633,6 +1637,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "version": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -3161,6 +3169,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "version": {
                   "ignore_above": 1024,
                   "type": "keyword"
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json
index fe43b9ed19..2abf80257d 100644
--- a/generated/elasticsearch/7/template.json
+++ b/generated/elasticsearch/7/template.json
@@ -1166,6 +1166,10 @@
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "type": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "version": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -1632,6 +1636,10 @@
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "type": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "version": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -3160,6 +3168,10 @@
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "type": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "version": {
                 "ignore_above": 1024,
                 "type": "keyword"
diff --git a/schemas/os.yml b/schemas/os.yml
index 71bf1dd36e..8b8cfcdad7 100644
--- a/schemas/os.yml
+++ b/schemas/os.yml
@@ -13,6 +13,20 @@
   type: group
   fields:
 
+    - name: type
+      level: extended
+      type: keyword
+      short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
+      description: >
+        Use the `os.type` field to categorize the operating system into one of
+        the broad commercial families.
+
+        One of these following values should be used (lowercase): linux, macos, unix, windows.
+
+        If the OS you're dealing with is not in the list, the field should not be populated.
+        Please let us know by opening an issue with ECS, to propose its addition.
+      example: macos
+
     - name: platform
       level: extended
       type: keyword

From dce6348cf4dfb5d13e5e96c2113a9d16a4ec8cf0 Mon Sep 17 00:00:00 2001
From: Mathieu Martin <mathieu.martin@elastic.co>
Date: Wed, 18 Nov 2020 14:36:27 -0500
Subject: [PATCH 45/90] [1.x] Add support for constant_keyword's 'value'
 parameter (#1112) (#1132)

---
 CHANGELOG.next.md                 |  1 +
 scripts/generators/es_template.py |  2 ++
 scripts/tests/test_es_template.py | 22 ++++++++++++++++++++++
 3 files changed, 25 insertions(+)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 8b182475d3..0dcfdfaa7c 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -36,6 +36,7 @@ Thanks, you're awesome :-) -->
 * Added support for `scaled_float`'s mandatory parameter `scaling_factor`. #1042
 * Added ability for --oss flag to fall back `constant_keyword` to `keyword`. #1046
 * Added support in the generated Go source go for `wildcard`, `version`, and `constant_keyword` data types. #1050
+* Added support for `constant_keyword`'s optional parameter `value`. #1112
 
 #### Improvements
 
diff --git a/scripts/generators/es_template.py b/scripts/generators/es_template.py
index 13498cef9d..086d5246b9 100644
--- a/scripts/generators/es_template.py
+++ b/scripts/generators/es_template.py
@@ -57,6 +57,8 @@ def entry_for(field):
 
         if field['type'] == 'keyword':
             ecs_helpers.dict_copy_existing_keys(field, field_entry, ['ignore_above'])
+        elif field['type'] == 'constant_keyword':
+            ecs_helpers.dict_copy_existing_keys(field, field_entry, ['value'])
         elif field['type'] == 'text':
             ecs_helpers.dict_copy_existing_keys(field, field_entry, ['norms'])
         elif field['type'] == 'alias':
diff --git a/scripts/tests/test_es_template.py b/scripts/tests/test_es_template.py
index a1491d2241..43ee4d276f 100644
--- a/scripts/tests/test_es_template.py
+++ b/scripts/tests/test_es_template.py
@@ -135,6 +135,28 @@ def test_entry_for_scaled_float(self):
         }
         self.assertEqual(es_template.entry_for(test_map), exp)
 
+    def test_constant_keyword_with_value(self):
+        test_map = {
+            'name': 'field_with_value',
+            'type': 'constant_keyword',
+            'value': 'foo'
+        }
+
+        exp = {
+            'type': 'constant_keyword',
+            'value': 'foo'
+        }
+        self.assertEqual(es_template.entry_for(test_map), exp)
+
+    def test_constant_keyword_no_value(self):
+        test_map = {
+            'name': 'field_without_value',
+            'type': 'constant_keyword'
+        }
+
+        exp = {'type': 'constant_keyword'}
+        self.assertEqual(es_template.entry_for(test_map), exp)
+
 
 if __name__ == '__main__':
     unittest.main()

From 35a9ccab4ea6677a6d588f41bf00ed10b3b28ca7 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Wed, 18 Nov 2020 13:58:37 -0600
Subject: [PATCH 46/90] [1.x] Beta label support (#1051) (#1133)

Co-authored-by: Mathieu Martin <webmat@gmail.com>
---
 CHANGELOG.next.md                           |  1 +
 schemas/README.md                           | 15 ++++++++++++++
 scripts/generators/asciidoc_fields.py       |  3 ++-
 scripts/generators/ecs_helpers.py           |  4 ++--
 scripts/schema/cleaner.py                   | 14 +++++++++++++
 scripts/schema/finalizer.py                 |  3 +++
 scripts/templates/field_details.j2          | 22 +++++++++++++++++++++
 scripts/tests/unit/test_schema_finalizer.py |  4 ++--
 8 files changed, 61 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 0dcfdfaa7c..f87d61f45f 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -36,6 +36,7 @@ Thanks, you're awesome :-) -->
 * Added support for `scaled_float`'s mandatory parameter `scaling_factor`. #1042
 * Added ability for --oss flag to fall back `constant_keyword` to `keyword`. #1046
 * Added support in the generated Go source go for `wildcard`, `version`, and `constant_keyword` data types. #1050
+* Added support for marking fields, field sets, or field reuse as beta in the documentation. #1051
 * Added support for `constant_keyword`'s optional parameter `value`. #1112
 
 #### Improvements
diff --git a/schemas/README.md b/schemas/README.md
index 39b18f4bd7..2c14737c4a 100644
--- a/schemas/README.md
+++ b/schemas/README.md
@@ -32,6 +32,8 @@ Optional field set attributes:
 - type (ignored): at this level, should always be `group`
 - reusable (optional): Used to identify which field sets are expected to be reused in multiple places.
   See "Field set reuse" for details.
+- beta: Adds a beta marker for the entire fieldset. The text provided in this attribute is used as content of the beta marker in the documentation.
+  Beta notices should not have newlines.
 
 ### Field set reuse
 
@@ -104,6 +106,18 @@ The above defines all process fields in both places:
 }
 ```
 
+The `beta` marker can optionally be used along with `at` and `as` to include a beta marker in the field reuses section, marking specific reuse locations as beta.
+Beta notices should not have newlines.
+
+```
+  reusable:
+    top_level: true
+    expected:
+    - at: user
+      as: target
+      beta: Reusing these fields in this location is currently considered beta.
+```
+
 ### List of fields
 
 Array of YAML objects:
@@ -134,6 +148,7 @@ Supported keys to describe fields
 - format: Field format that can be used in a Kibana index template.
 - normalize: Normalization steps that should be applied at ingestion time. Supported values:
   - array: the content of the field should be an array (even when there's only one value).
+- beta (optional): Adds a beta marker for the field to the description. The text provided in this attribute is used as content of the beta marker in the documentation. Note that when a whole field set is marked as beta, it is not necessary nor recommended to mark all fields in the field set as beta. Beta notices should not have newlines.
 
 Supported keys to describe expected values for a field
 
diff --git a/scripts/generators/asciidoc_fields.py b/scripts/generators/asciidoc_fields.py
index e5e2262bd0..04fd1fcacf 100644
--- a/scripts/generators/asciidoc_fields.py
+++ b/scripts/generators/asciidoc_fields.py
@@ -39,7 +39,8 @@ def render_nestings_reuse_section(fieldset):
         rows.append({
             'flat_nesting': "{}.*".format(reused_here_entry['full']),
             'name': reused_here_entry['schema_name'],
-            'short': reused_here_entry['short']
+            'short': reused_here_entry['short'],
+            'beta': reused_here_entry.get('beta', '')
         })
 
     return sorted(rows, key=lambda x: x['flat_nesting'])
diff --git a/scripts/generators/ecs_helpers.py b/scripts/generators/ecs_helpers.py
index 801319854c..086f4d592d 100644
--- a/scripts/generators/ecs_helpers.py
+++ b/scripts/generators/ecs_helpers.py
@@ -189,5 +189,5 @@ def strict_warning(msg):
     :param msg: custom text which will be displayed with wrapped boilerplate
                 for strict warning messages.
     """
-    warn_message = f"{msg}\n\nThis will cause an exception when running in strict mode."
-    warnings.warn(warn_message)
+    warn_message = f"{msg}\n\nThis will cause an exception when running in strict mode.\nWarning check:"
+    warnings.warn(warn_message, stacklevel=3)
diff --git a/scripts/schema/cleaner.py b/scripts/schema/cleaner.py
index 185d0abedc..83f2d15933 100644
--- a/scripts/schema/cleaner.py
+++ b/scripts/schema/cleaner.py
@@ -76,6 +76,8 @@ def schema_mandatory_attributes(schema):
 def schema_assertions_and_warnings(schema):
     '''Additional checks on a fleshed out schema'''
     single_line_short_description(schema, strict=strict_mode)
+    if 'beta' in schema['field_details']:
+        single_line_beta_description(schema, strict=strict_mode)
 
 
 def normalize_reuse_notation(schema):
@@ -181,6 +183,8 @@ def field_assertions_and_warnings(field):
         # check short description length if in strict mode
         single_line_short_description(field, strict=strict_mode)
         check_example_value(field, strict=strict_mode)
+        if 'beta' in field['field_details']:
+            single_line_beta_description(field, strict=strict_mode)
         if field['field_details']['level'] not in ACCEPTABLE_FIELD_LEVELS:
             msg = "Invalid level for field '{}'.\nValue: {}\nAcceptable values: {}".format(
                 field['field_details']['name'], field['field_details']['level'],
@@ -220,3 +224,13 @@ def check_example_value(field, strict=True):
             raise ValueError(msg)
         else:
             ecs_helpers.strict_warning(msg)
+
+
+def single_line_beta_description(schema_or_field, strict=True):
+    if "\n" in schema_or_field['field_details']['beta']:
+        msg = "Beta descriptions must be single line.\n"
+        msg += f"Offending field or field set: {schema_or_field['field_details']['name']}"
+        if strict:
+            raise ValueError(msg)
+        else:
+            ecs_helpers.strict_warning(msg)
diff --git a/scripts/schema/finalizer.py b/scripts/schema/finalizer.py
index 3d1c7202b2..d1b4928507 100644
--- a/scripts/schema/finalizer.py
+++ b/scripts/schema/finalizer.py
@@ -128,6 +128,9 @@ def append_reused_here(reused_schema, reuse_entry, destination_schema):
         'full': reuse_entry['full'],
         'short': reused_schema['field_details']['short'],
     }
+    # Check for beta attribute
+    if 'beta' in reuse_entry:
+        reused_here_entry['beta'] = reuse_entry['beta']
     destination_schema['schema_details']['reused_here'].extend([reused_here_entry])
 
 
diff --git a/scripts/templates/field_details.j2 b/scripts/templates/field_details.j2
index 3eef363fa8..643c2ccf5d 100644
--- a/scripts/templates/field_details.j2
+++ b/scripts/templates/field_details.j2
@@ -10,6 +10,13 @@ Find additional usage and examples in the {{ fieldset['name'] }} fields <<ecs-{{
 
 {% endif %}
 
+{# Fieldset label beta header -#}
+{% if fieldset['beta'] -%}
+
+beta::[ {{ fieldset['beta'] }}]
+
+{% endif -%}
+
 {# Field Details Table Header -#}
 [discrete]
 ==== {{ fieldset['title'] }} Field Details
@@ -27,7 +34,14 @@ Find additional usage and examples in the {{ fieldset['name'] }} fields <<ecs-{{
 {# `Field` column -#}
 | {{ field['flat_name'] }}
 {# `Description` column -#}
+{#- Beta fields will add the `beta` label -#}
+{% if field['beta'] -%}
+| beta:[ {{ field['beta'] }} ]
+
+{{ field['description']|replace("\n", "\n\n") }}
+{%- else -%}
 | {{ field['description']|replace("\n", "\n\n") }}
+{%- endif %}
 
 type: {{ field['type'] }}
 
@@ -108,8 +122,16 @@ Note also that the `{{ fieldset['name'] }}` fields are not expected to be used d
 
 {% for entry in render_nestings_reuse_section -%}
 
+{#- Beta marker on nested fields -#}
 | <<ecs-{{ entry['name'] }},{{ entry['flat_nesting'] }}>>
+{#- Beta marker on nested fields -#}
+{%- if entry['beta'] -%}
+| beta:[ {{ entry['beta'] }}]
+
+{{ entry['short'] }}
+{%- else %}
 | {{ entry['short'] }}
+{%- endif %}
 
 // ===============================================================
 
diff --git a/scripts/tests/unit/test_schema_finalizer.py b/scripts/tests/unit/test_schema_finalizer.py
index 8a193a0454..cea5c01e6d 100644
--- a/scripts/tests/unit/test_schema_finalizer.py
+++ b/scripts/tests/unit/test_schema_finalizer.py
@@ -92,7 +92,7 @@ def schema_user(self):
                         'order': 2,
                         'expected': [
                             {'full': 'server.user', 'at': 'server', 'as': 'user'},
-                            {'full': 'user.target', 'at': 'user', 'as': 'target'},
+                            {'full': 'user.target', 'at': 'user', 'as': 'target', 'beta': 'Some beta notice'},
                             {'full': 'user.effective', 'at': 'user', 'as': 'effective'},
                         ]
                     }
@@ -211,7 +211,7 @@ def test_perform_reuse_with_foreign_reuse_and_self_reuse(self):
                       fields['process']['schema_details']['reused_here'])
         self.assertIn({'full': 'user.effective', 'schema_name': 'user', 'short': 'short desc'},
                       fields['user']['schema_details']['reused_here'])
-        self.assertIn({'full': 'user.target', 'schema_name': 'user', 'short': 'short desc'},
+        self.assertIn({'full': 'user.target', 'schema_name': 'user', 'short': 'short desc', 'beta': 'Some beta notice'},
                       fields['user']['schema_details']['reused_here'])
         self.assertIn({'full': 'server.user', 'schema_name': 'user', 'short': 'short desc'},
                       fields['server']['schema_details']['reused_here'])

From 2026cd98fff22ddc779c72150c6c4f02dbbd34fd Mon Sep 17 00:00:00 2001
From: Mathieu Martin <mathieu.martin@elastic.co>
Date: Thu, 19 Nov 2020 12:54:38 -0500
Subject: [PATCH 47/90] [1.x] Backport #1134 and #1135 (#1136)

* Remove temporary ifeval in "getting started" page, add link to Metrics docs (#1134)
* Remove temporary ifeval from products page, add link to Metrics (#1135)
---
 docs/products-solutions.asciidoc    | 6 +-----
 docs/using-getting-started.asciidoc | 6 +-----
 2 files changed, 2 insertions(+), 10 deletions(-)

diff --git a/docs/products-solutions.asciidoc b/docs/products-solutions.asciidoc
index 945653779f..33b03ab7d2 100644
--- a/docs/products-solutions.asciidoc
+++ b/docs/products-solutions.asciidoc
@@ -9,14 +9,10 @@ The following Elastic products support ECS out of the box, as of version 7.0:
 ** {security-guide}/siem-field-reference.html[Elastic Security Field Reference] - a list of ECS fields used in the SIEM app
 * https://www.elastic.co/products/endpoint-security[Elastic Endpoint Security
 Server]
-ifeval::["{branch}"=="7.9"]
-* {logs-guide}/logs-app-overview.html[Log Monitoring]
-endif::[]
-ifeval::["{branch}"!="7.9"]
 * {observability-guide}/monitor-logs.html[Log Monitoring]
-endif::[]
 * Log formatters that support ECS out of the box for various languages can be found
   https://github.com/elastic/ecs-logging/blob/master/README.md[here].
+* {observability-guide}/analyze-metrics.html[Metrics Monitoring]
 
 // TODO Insert community & partner solutions here
 
diff --git a/docs/using-getting-started.asciidoc b/docs/using-getting-started.asciidoc
index c81521a783..ff19f84840 100644
--- a/docs/using-getting-started.asciidoc
+++ b/docs/using-getting-started.asciidoc
@@ -285,10 +285,6 @@ Here are some examples of additional fields processed by metadata or parser proc
 We've covered at a high level how to map your events to ECS. Now if you'd like your events to render well in the Elastic
 solutions, check out the reference guides below to learn more about each:
 
-ifeval::["{branch}"=="7.9"]
-* {logs-guide}/logs-fields-reference.html[Log Monitoring Field Reference]
-endif::[]
-ifeval::["{branch}"!="7.9"]
 * {observability-guide}/logs-app-fields.html[Log Monitoring Field Reference]
-endif::[]
+* {observability-guide}/metrics-app-fields.html[Metrics Monitoring Field Reference]
 * {security-guide}/siem-field-reference.html[Elastic Security Field Reference]

From 12e8827c60972a03c8e599b49d23024417a00fc6 Mon Sep 17 00:00:00 2001
From: Mathieu Martin <mathieu.martin@elastic.co>
Date: Wed, 25 Nov 2020 11:07:14 -0500
Subject: [PATCH 48/90] Two small documentation backports (#1149)

* Remove an incorrect `event.type` from the 'converting' page (#1146)
* Mention Logstash support for ECS in the 'products' page (#1147)
---
 docs/converting.asciidoc         | 6 ++++--
 docs/products-solutions.asciidoc | 1 +
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/docs/converting.asciidoc b/docs/converting.asciidoc
index b4edd76e1d..3a7fdfd72e 100644
--- a/docs/converting.asciidoc
+++ b/docs/converting.asciidoc
@@ -35,8 +35,10 @@ Here's the recommended approach for converting an existing implementation to {ec
 
   - Review your original event data again
   - Consider populating the field based on additional meta-data such as static
-    information (e.g. add `event.type:syslog` even if syslog events don't mention this fact),
-    or information gathered from the environment (e.g. host information).
+    information (e.g. add `event.category:authentication` even if your auth events
+    don't mention the word "authentication")
+  - Consider capturing additional environment meta-data, such as information about the
+    host, container or cloud instance.
 
 . Review other extended fields from any field set you are already using, and
   attempt to populate it as well.
diff --git a/docs/products-solutions.asciidoc b/docs/products-solutions.asciidoc
index 33b03ab7d2..277c8ca910 100644
--- a/docs/products-solutions.asciidoc
+++ b/docs/products-solutions.asciidoc
@@ -13,6 +13,7 @@ Server]
 * Log formatters that support ECS out of the box for various languages can be found
   https://github.com/elastic/ecs-logging/blob/master/README.md[here].
 * {observability-guide}/analyze-metrics.html[Metrics Monitoring]
+* {ls}' {es} output has an {logstash-ref}/plugins-outputs-elasticsearch.html#_compatibility_with_the_elastic_common_schema_ecs[ECS compatibility mode]
 
 // TODO Insert community & partner solutions here
 

From cf28a279ca89a83151af7a6f0046a37a758072c2 Mon Sep 17 00:00:00 2001
From: Mathieu Martin <mathieu.martin@elastic.co>
Date: Wed, 25 Nov 2020 16:02:54 -0500
Subject: [PATCH 49/90] [1.x] Reinforce the exclusion of the leading dot from
 url.extension (#1151) (#1152)

---
 code/go/ecs/url.go                          |  5 ++++-
 docs/field-details.asciidoc                 |  4 +++-
 experimental/generated/beats/fields.ecs.yml |  7 +++++--
 experimental/generated/csv/fields.csv       |  2 +-
 experimental/generated/ecs/ecs_flat.yml     | 10 +++++++---
 experimental/generated/ecs/ecs_nested.yml   |  9 ++++++---
 generated/beats/fields.ecs.yml              |  7 +++++--
 generated/csv/fields.csv                    |  2 +-
 generated/ecs/ecs_flat.yml                  | 10 +++++++---
 generated/ecs/ecs_nested.yml                |  9 ++++++---
 schemas/url.yml                             |  8 ++++++--
 11 files changed, 51 insertions(+), 22 deletions(-)

diff --git a/code/go/ecs/url.go b/code/go/ecs/url.go
index 6c1ac3be75..ec00f75914 100644
--- a/code/go/ecs/url.go
+++ b/code/go/ecs/url.go
@@ -87,11 +87,14 @@ type Url struct {
 	// differentiate between the two cases.
 	Query string `ecs:"query"`
 
-	// The field contains the file extension from the original request url.
+	// The field contains the file extension from the original request url,
+	// excluding the leading dot.
 	// The file extension is only set if it exists, as not every url has a file
 	// extension.
 	// The leading period must not be included. For example, the value must be
 	// "png", not ".png".
+	// Note that when the file name has multiple extensions (example.tar.gz),
+	// only the last one should be captured ("gz", not "tar.gz").
 	Extension string `ecs:"extension"`
 
 	// Portion of the url after the `#`, such as "top".
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index ae14752657..0303cb6e5b 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -6247,12 +6247,14 @@ example: `www.elastic.co`
 // ===============================================================
 
 | url.extension
-| The field contains the file extension from the original request url.
+| The field contains the file extension from the original request url, excluding the leading dot.
 
 The file extension is only set if it exists, as not every url has a file extension.
 
 The leading period must not be included. For example, the value must be "png", not ".png".
 
+Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
 type: keyword
 
 
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index e148421e5a..15f8b78a38 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -5269,12 +5269,15 @@
       type: keyword
       ignore_above: 1024
       description: 'The field contains the file extension from the original request
-        url.
+        url, excluding the leading dot.
 
         The file extension is only set if it exists, as not every url has a file extension.
 
         The leading period must not be included. For example, the value must be "png",
-        not ".png".'
+        not ".png".
+
+        Note that when the file name has multiple extensions (example.tar.gz), only
+        the last one should be captured ("gz", not "tar.gz").'
       example: png
     - name: fragment
       level: extended
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
index 9e24de5181..2c83d5823d 100644
--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -631,7 +631,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev+exp,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace.
 1.8.0-dev+exp,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace.
 1.8.0-dev+exp,true,url,url.domain,wildcard,extended,,www.elastic.co,Domain of the url.
-1.8.0-dev+exp,true,url,url.extension,keyword,extended,,png,File extension from the original request url.
+1.8.0-dev+exp,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
 1.8.0-dev+exp,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`.
 1.8.0-dev+exp,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
 1.8.0-dev+exp,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index 5aefba80d3..12da870f3a 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -8037,19 +8037,23 @@ url.domain:
   type: wildcard
 url.extension:
   dashed_name: url-extension
-  description: 'The field contains the file extension from the original request url.
+  description: 'The field contains the file extension from the original request url,
+    excluding the leading dot.
 
     The file extension is only set if it exists, as not every url has a file extension.
 
     The leading period must not be included. For example, the value must be "png",
-    not ".png".'
+    not ".png".
+
+    Note that when the file name has multiple extensions (example.tar.gz), only the
+    last one should be captured ("gz", not "tar.gz").'
   example: png
   flat_name: url.extension
   ignore_above: 1024
   level: extended
   name: extension
   normalize: []
-  short: File extension from the original request url.
+  short: File extension from the request url, excluding the leading dot.
   type: keyword
 url.fragment:
   dashed_name: url-fragment
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index 977a5c2232..84f21b05b8 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -9302,19 +9302,22 @@ url:
     url.extension:
       dashed_name: url-extension
       description: 'The field contains the file extension from the original request
-        url.
+        url, excluding the leading dot.
 
         The file extension is only set if it exists, as not every url has a file extension.
 
         The leading period must not be included. For example, the value must be "png",
-        not ".png".'
+        not ".png".
+
+        Note that when the file name has multiple extensions (example.tar.gz), only
+        the last one should be captured ("gz", not "tar.gz").'
       example: png
       flat_name: url.extension
       ignore_above: 1024
       level: extended
       name: extension
       normalize: []
-      short: File extension from the original request url.
+      short: File extension from the request url, excluding the leading dot.
       type: keyword
     url.fragment:
       dashed_name: url-fragment
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 70ccffc264..d0f31c1f43 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -5357,12 +5357,15 @@
       type: keyword
       ignore_above: 1024
       description: 'The field contains the file extension from the original request
-        url.
+        url, excluding the leading dot.
 
         The file extension is only set if it exists, as not every url has a file extension.
 
         The leading period must not be included. For example, the value must be "png",
-        not ".png".'
+        not ".png".
+
+        Note that when the file name has multiple extensions (example.tar.gz), only
+        the last one should be captured ("gz", not "tar.gz").'
       example: png
     - name: fragment
       level: extended
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index 96637a3f4c..a8fc2c7e04 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -631,7 +631,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace.
 1.8.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace.
 1.8.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url.
-1.8.0-dev,true,url,url.extension,keyword,extended,,png,File extension from the original request url.
+1.8.0-dev,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
 1.8.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`.
 1.8.0-dev,true,url,url.full,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
 1.8.0-dev,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index 78ef1eaec8..a4b7a0450b 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -8121,19 +8121,23 @@ url.domain:
   type: keyword
 url.extension:
   dashed_name: url-extension
-  description: 'The field contains the file extension from the original request url.
+  description: 'The field contains the file extension from the original request url,
+    excluding the leading dot.
 
     The file extension is only set if it exists, as not every url has a file extension.
 
     The leading period must not be included. For example, the value must be "png",
-    not ".png".'
+    not ".png".
+
+    Note that when the file name has multiple extensions (example.tar.gz), only the
+    last one should be captured ("gz", not "tar.gz").'
   example: png
   flat_name: url.extension
   ignore_above: 1024
   level: extended
   name: extension
   normalize: []
-  short: File extension from the original request url.
+  short: File extension from the request url, excluding the leading dot.
   type: keyword
 url.fragment:
   dashed_name: url-fragment
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index 1352e844e5..72bea8756d 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -9391,19 +9391,22 @@ url:
     url.extension:
       dashed_name: url-extension
       description: 'The field contains the file extension from the original request
-        url.
+        url, excluding the leading dot.
 
         The file extension is only set if it exists, as not every url has a file extension.
 
         The leading period must not be included. For example, the value must be "png",
-        not ".png".'
+        not ".png".
+
+        Note that when the file name has multiple extensions (example.tar.gz), only
+        the last one should be captured ("gz", not "tar.gz").'
       example: png
       flat_name: url.extension
       ignore_above: 1024
       level: extended
       name: extension
       normalize: []
-      short: File extension from the original request url.
+      short: File extension from the request url, excluding the leading dot.
       type: keyword
     url.fragment:
       dashed_name: url-fragment
diff --git a/schemas/url.yml b/schemas/url.yml
index 8a523fbc8d..0253f316e8 100644
--- a/schemas/url.yml
+++ b/schemas/url.yml
@@ -133,13 +133,17 @@
     - name: extension
       level: extended
       type: keyword
-      short: File extension from the original request url.
+      short: File extension from the request url, excluding the leading dot.
       description: >
-        The field contains the file extension from the original request url.
+        The field contains the file extension from the original request url,
+        excluding the leading dot.
 
         The file extension is only set if it exists, as not every url has a file extension.
 
         The leading period must not be included. For example, the value must be "png", not ".png".
+
+        Note that when the file name has multiple extensions (example.tar.gz),
+        only the last one should be captured ("gz", not "tar.gz").
       example: png
 
     - name: fragment

From b7f63a750e0b41f463014fb8ccf51a3bea2ebd63 Mon Sep 17 00:00:00 2001
From: Mathieu Martin <mathieu.martin@elastic.co>
Date: Thu, 26 Nov 2020 09:24:15 -0500
Subject: [PATCH 50/90] [1.x] Make all fields linkable directly via an HTML ID
 (#1148) (#1154)

---
 docs/field-details.asciidoc                 | 2045 +++++++++++++++----
 experimental/generated/ecs/ecs_flat.yml     |    2 +-
 experimental/generated/ecs/ecs_nested.yml   |    2 +-
 generated/ecs/ecs_flat.yml                  |    2 +-
 generated/ecs/ecs_nested.yml                |    2 +-
 scripts/schema/finalizer.py                 |    2 +-
 scripts/templates/field_details.j2          |    5 +-
 scripts/tests/unit/test_schema_finalizer.py |    4 +-
 8 files changed, 1647 insertions(+), 417 deletions(-)

diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index 0303cb6e5b..0d41f4462c 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -12,7 +12,10 @@ The `base` field set contains all fields which are at the root of the events. Th
 
 // ===============================================================
 
-| @timestamp
+|
+[[field-timestamp]]
+<<field-timestamp, @timestamp>>
+
 | Date/time when the event originated.
 
 This is the date/time extracted from the event, typically representing when the event was generated by the source.
@@ -31,7 +34,10 @@ example: `2016-05-23T08:05:34.853Z`
 
 // ===============================================================
 
-| labels
+|
+[[field-labels]]
+<<field-labels, labels>>
+
 | Custom key/value pairs.
 
 Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword.
@@ -48,7 +54,10 @@ example: `{"application": "foo-bar", "env": "production"}`
 
 // ===============================================================
 
-| message
+|
+[[field-message]]
+<<field-message, message>>
+
 | For log events the message field contains the log message, optimized for viewing in a log viewer.
 
 For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
@@ -65,7 +74,10 @@ example: `Hello World`
 
 // ===============================================================
 
-| tags
+|
+[[field-tags]]
+<<field-tags, tags>>
+
 | List of keywords used to tag each event.
 
 type: keyword
@@ -99,7 +111,10 @@ Examples include Beats. Agents may also run on observers. ECS agent.* fields sha
 
 // ===============================================================
 
-| agent.build.original
+|
+[[field-agent-build-original]]
+<<field-agent-build-original, agent.build.original>>
+
 | Extended build information for the agent.
 
 This field is intended to contain any build information that a data source may provide, no specific formatting is required.
@@ -114,7 +129,10 @@ example: `metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344
 
 // ===============================================================
 
-| agent.ephemeral_id
+|
+[[field-agent-ephemeral-id]]
+<<field-agent-ephemeral-id, agent.ephemeral_id>>
+
 | Ephemeral identifier of this agent (if one exists).
 
 This id normally changes across restarts, but `agent.id` does not.
@@ -129,7 +147,10 @@ example: `8a4f500f`
 
 // ===============================================================
 
-| agent.id
+|
+[[field-agent-id]]
+<<field-agent-id, agent.id>>
+
 | Unique identifier of this agent (if one exists).
 
 Example: For Beats this would be beat.id.
@@ -144,7 +165,10 @@ example: `8a4f500d`
 
 // ===============================================================
 
-| agent.name
+|
+[[field-agent-name]]
+<<field-agent-name, agent.name>>
+
 | Custom name of the agent.
 
 This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from.
@@ -161,7 +185,10 @@ example: `foo`
 
 // ===============================================================
 
-| agent.type
+|
+[[field-agent-type]]
+<<field-agent-type, agent.type>>
+
 | Type of the agent.
 
 The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.
@@ -176,7 +203,10 @@ example: `filebeat`
 
 // ===============================================================
 
-| agent.version
+|
+[[field-agent-version]]
+<<field-agent-version, agent.version>>
+
 | Version of the agent.
 
 type: keyword
@@ -205,7 +235,10 @@ An autonomous system (AS) is a collection of connected Internet Protocol (IP) ro
 
 // ===============================================================
 
-| as.number
+|
+[[field-as-number]]
+<<field-as-number, as.number>>
+
 | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
 
 type: long
@@ -218,7 +251,10 @@ example: `15169`
 
 // ===============================================================
 
-| as.organization.name
+|
+[[field-as-organization-name]]
+<<field-as-organization-name, as.organization.name>>
+
 | Organization name.
 
 type: keyword
@@ -267,7 +303,10 @@ Client / server representations can add semantic context to an exchange, which i
 
 // ===============================================================
 
-| client.address
+|
+[[field-client-address]]
+<<field-client-address, client.address>>
+
 | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field.
 
 Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
@@ -282,7 +321,10 @@ type: keyword
 
 // ===============================================================
 
-| client.bytes
+|
+[[field-client-bytes]]
+<<field-client-bytes, client.bytes>>
+
 | Bytes sent from the client to the server.
 
 type: long
@@ -295,7 +337,10 @@ example: `184`
 
 // ===============================================================
 
-| client.domain
+|
+[[field-client-domain]]
+<<field-client-domain, client.domain>>
+
 | Client domain.
 
 type: keyword
@@ -308,7 +353,10 @@ type: keyword
 
 // ===============================================================
 
-| client.ip
+|
+[[field-client-ip]]
+<<field-client-ip, client.ip>>
+
 | IP address of the client (IPv4 or IPv6).
 
 type: ip
@@ -321,7 +369,10 @@ type: ip
 
 // ===============================================================
 
-| client.mac
+|
+[[field-client-mac]]
+<<field-client-mac, client.mac>>
+
 | MAC address of the client.
 
 type: keyword
@@ -334,7 +385,10 @@ type: keyword
 
 // ===============================================================
 
-| client.nat.ip
+|
+[[field-client-nat-ip]]
+<<field-client-nat-ip, client.nat.ip>>
+
 | Translated IP of source based NAT sessions (e.g. internal client to internet).
 
 Typically connections traversing load balancers, firewalls, or routers.
@@ -349,7 +403,10 @@ type: ip
 
 // ===============================================================
 
-| client.nat.port
+|
+[[field-client-nat-port]]
+<<field-client-nat-port, client.nat.port>>
+
 | Translated port of source based NAT sessions (e.g. internal client to internet).
 
 Typically connections traversing load balancers, firewalls, or routers.
@@ -364,7 +421,10 @@ type: long
 
 // ===============================================================
 
-| client.packets
+|
+[[field-client-packets]]
+<<field-client-packets, client.packets>>
+
 | Packets sent from the client to the server.
 
 type: long
@@ -377,7 +437,10 @@ example: `12`
 
 // ===============================================================
 
-| client.port
+|
+[[field-client-port]]
+<<field-client-port, client.port>>
+
 | Port of the client.
 
 type: long
@@ -390,7 +453,10 @@ type: long
 
 // ===============================================================
 
-| client.registered_domain
+|
+[[field-client-registered-domain]]
+<<field-client-registered-domain, client.registered_domain>>
+
 | The highest registered client domain, stripped of the subdomain.
 
 For example, the registered domain for "foo.example.com" is "example.com".
@@ -407,7 +473,10 @@ example: `example.com`
 
 // ===============================================================
 
-| client.subdomain
+|
+[[field-client-subdomain]]
+<<field-client-subdomain, client.subdomain>>
+
 | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
 
 For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
@@ -422,7 +491,10 @@ example: `east`
 
 // ===============================================================
 
-| client.top_level_domain
+|
+[[field-client-top-level-domain]]
+<<field-client-top-level-domain, client.top_level_domain>>
+
 | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
 
 This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
@@ -490,7 +562,10 @@ Fields related to the cloud or infrastructure the events are coming from.
 
 // ===============================================================
 
-| cloud.account.id
+|
+[[field-cloud-account-id]]
+<<field-cloud-account-id, cloud.account.id>>
+
 | The cloud account or organization id used to identify different entities in a multi-tenant environment.
 
 Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
@@ -505,7 +580,10 @@ example: `666777888999`
 
 // ===============================================================
 
-| cloud.account.name
+|
+[[field-cloud-account-name]]
+<<field-cloud-account-name, cloud.account.name>>
+
 | The cloud account name or alias used to identify different entities in a multi-tenant environment.
 
 Examples: AWS account name, Google Cloud ORG display name.
@@ -520,7 +598,10 @@ example: `elastic-dev`
 
 // ===============================================================
 
-| cloud.availability_zone
+|
+[[field-cloud-availability-zone]]
+<<field-cloud-availability-zone, cloud.availability_zone>>
+
 | Availability zone in which this host is running.
 
 type: keyword
@@ -533,7 +614,10 @@ example: `us-east-1c`
 
 // ===============================================================
 
-| cloud.instance.id
+|
+[[field-cloud-instance-id]]
+<<field-cloud-instance-id, cloud.instance.id>>
+
 | Instance ID of the host machine.
 
 type: keyword
@@ -546,7 +630,10 @@ example: `i-1234567890abcdef0`
 
 // ===============================================================
 
-| cloud.instance.name
+|
+[[field-cloud-instance-name]]
+<<field-cloud-instance-name, cloud.instance.name>>
+
 | Instance name of the host machine.
 
 type: keyword
@@ -559,7 +646,10 @@ type: keyword
 
 // ===============================================================
 
-| cloud.machine.type
+|
+[[field-cloud-machine-type]]
+<<field-cloud-machine-type, cloud.machine.type>>
+
 | Machine type of the host machine.
 
 type: keyword
@@ -572,7 +662,10 @@ example: `t2.medium`
 
 // ===============================================================
 
-| cloud.project.id
+|
+[[field-cloud-project-id]]
+<<field-cloud-project-id, cloud.project.id>>
+
 | The cloud project identifier.
 
 Examples: Google Cloud Project id, Azure Project id.
@@ -587,7 +680,10 @@ example: `my-project`
 
 // ===============================================================
 
-| cloud.project.name
+|
+[[field-cloud-project-name]]
+<<field-cloud-project-name, cloud.project.name>>
+
 | The cloud project name.
 
 Examples: Google Cloud Project name, Azure Project name.
@@ -602,7 +698,10 @@ example: `my project`
 
 // ===============================================================
 
-| cloud.provider
+|
+[[field-cloud-provider]]
+<<field-cloud-provider, cloud.provider>>
+
 | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
 
 type: keyword
@@ -615,7 +714,10 @@ example: `aws`
 
 // ===============================================================
 
-| cloud.region
+|
+[[field-cloud-region]]
+<<field-cloud-region, cloud.region>>
+
 | Region in which this host is running.
 
 type: keyword
@@ -644,7 +746,10 @@ These fields contain information about binary code signatures.
 
 // ===============================================================
 
-| code_signature.exists
+|
+[[field-code-signature-exists]]
+<<field-code-signature-exists, code_signature.exists>>
+
 | Boolean to capture if a signature is present.
 
 type: boolean
@@ -657,7 +762,10 @@ example: `true`
 
 // ===============================================================
 
-| code_signature.status
+|
+[[field-code-signature-status]]
+<<field-code-signature-status, code_signature.status>>
+
 | Additional information about the certificate status.
 
 This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
@@ -672,7 +780,10 @@ example: `ERROR_UNTRUSTED_ROOT`
 
 // ===============================================================
 
-| code_signature.subject_name
+|
+[[field-code-signature-subject-name]]
+<<field-code-signature-subject-name, code_signature.subject_name>>
+
 | Subject name of the code signer
 
 type: keyword
@@ -685,7 +796,10 @@ example: `Microsoft Corporation`
 
 // ===============================================================
 
-| code_signature.trusted
+|
+[[field-code-signature-trusted]]
+<<field-code-signature-trusted, code_signature.trusted>>
+
 | Stores the trust status of the certificate chain.
 
 Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
@@ -700,7 +814,10 @@ example: `true`
 
 // ===============================================================
 
-| code_signature.valid
+|
+[[field-code-signature-valid]]
+<<field-code-signature-valid, code_signature.valid>>
+
 | Boolean to capture if the digital signature is verified against the binary content.
 
 Leave unpopulated if a certificate was unchecked.
@@ -743,7 +860,10 @@ These fields help correlate data based containers from any runtime.
 
 // ===============================================================
 
-| container.id
+|
+[[field-container-id]]
+<<field-container-id, container.id>>
+
 | Unique container id.
 
 type: keyword
@@ -756,7 +876,10 @@ type: keyword
 
 // ===============================================================
 
-| container.image.name
+|
+[[field-container-image-name]]
+<<field-container-image-name, container.image.name>>
+
 | Name of the image the container was built on.
 
 type: keyword
@@ -769,7 +892,10 @@ type: keyword
 
 // ===============================================================
 
-| container.image.tag
+|
+[[field-container-image-tag]]
+<<field-container-image-tag, container.image.tag>>
+
 | Container image tags.
 
 type: keyword
@@ -785,7 +911,10 @@ Note: this field should contain an array of values.
 
 // ===============================================================
 
-| container.labels
+|
+[[field-container-labels]]
+<<field-container-labels, container.labels>>
+
 | Image labels.
 
 type: object
@@ -798,7 +927,10 @@ type: object
 
 // ===============================================================
 
-| container.name
+|
+[[field-container-name]]
+<<field-container-name, container.name>>
+
 | Container name.
 
 type: keyword
@@ -811,7 +943,10 @@ type: keyword
 
 // ===============================================================
 
-| container.runtime
+|
+[[field-container-runtime]]
+<<field-container-runtime, container.runtime>>
+
 | Runtime managing this container.
 
 type: keyword
@@ -842,7 +977,10 @@ Destination fields are usually populated in conjunction with source fields. The
 
 // ===============================================================
 
-| destination.address
+|
+[[field-destination-address]]
+<<field-destination-address, destination.address>>
+
 | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field.
 
 Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
@@ -857,7 +995,10 @@ type: keyword
 
 // ===============================================================
 
-| destination.bytes
+|
+[[field-destination-bytes]]
+<<field-destination-bytes, destination.bytes>>
+
 | Bytes sent from the destination to the source.
 
 type: long
@@ -870,7 +1011,10 @@ example: `184`
 
 // ===============================================================
 
-| destination.domain
+|
+[[field-destination-domain]]
+<<field-destination-domain, destination.domain>>
+
 | Destination domain.
 
 type: keyword
@@ -883,7 +1027,10 @@ type: keyword
 
 // ===============================================================
 
-| destination.ip
+|
+[[field-destination-ip]]
+<<field-destination-ip, destination.ip>>
+
 | IP address of the destination (IPv4 or IPv6).
 
 type: ip
@@ -896,7 +1043,10 @@ type: ip
 
 // ===============================================================
 
-| destination.mac
+|
+[[field-destination-mac]]
+<<field-destination-mac, destination.mac>>
+
 | MAC address of the destination.
 
 type: keyword
@@ -909,7 +1059,10 @@ type: keyword
 
 // ===============================================================
 
-| destination.nat.ip
+|
+[[field-destination-nat-ip]]
+<<field-destination-nat-ip, destination.nat.ip>>
+
 | Translated ip of destination based NAT sessions (e.g. internet to private DMZ)
 
 Typically used with load balancers, firewalls, or routers.
@@ -924,7 +1077,10 @@ type: ip
 
 // ===============================================================
 
-| destination.nat.port
+|
+[[field-destination-nat-port]]
+<<field-destination-nat-port, destination.nat.port>>
+
 | Port the source session is translated to by NAT Device.
 
 Typically used with load balancers, firewalls, or routers.
@@ -939,7 +1095,10 @@ type: long
 
 // ===============================================================
 
-| destination.packets
+|
+[[field-destination-packets]]
+<<field-destination-packets, destination.packets>>
+
 | Packets sent from the destination to the source.
 
 type: long
@@ -952,7 +1111,10 @@ example: `12`
 
 // ===============================================================
 
-| destination.port
+|
+[[field-destination-port]]
+<<field-destination-port, destination.port>>
+
 | Port of the destination.
 
 type: long
@@ -965,7 +1127,10 @@ type: long
 
 // ===============================================================
 
-| destination.registered_domain
+|
+[[field-destination-registered-domain]]
+<<field-destination-registered-domain, destination.registered_domain>>
+
 | The highest registered destination domain, stripped of the subdomain.
 
 For example, the registered domain for "foo.example.com" is "example.com".
@@ -982,7 +1147,10 @@ example: `example.com`
 
 // ===============================================================
 
-| destination.subdomain
+|
+[[field-destination-subdomain]]
+<<field-destination-subdomain, destination.subdomain>>
+
 | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
 
 For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
@@ -997,7 +1165,10 @@ example: `east`
 
 // ===============================================================
 
-| destination.top_level_domain
+|
+[[field-destination-top-level-domain]]
+<<field-destination-top-level-domain, destination.top_level_domain>>
+
 | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
 
 This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
@@ -1075,7 +1246,10 @@ Many operating systems refer to "shared code libraries" with different names, bu
 
 // ===============================================================
 
-| dll.name
+|
+[[field-dll-name]]
+<<field-dll-name, dll.name>>
+
 | Name of the library.
 
 This generally maps to the name of the file on disk.
@@ -1090,7 +1264,10 @@ example: `kernel32.dll`
 
 // ===============================================================
 
-| dll.path
+|
+[[field-dll-path]]
+<<field-dll-path, dll.path>>
+
 | Full file path of the library.
 
 type: keyword
@@ -1158,7 +1335,10 @@ DNS events should either represent a single DNS query prior to getting answers (
 
 // ===============================================================
 
-| dns.answers
+|
+[[field-dns-answers]]
+<<field-dns-answers, dns.answers>>
+
 | An array containing an object for each answer section returned by the server.
 
 The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines.
@@ -1178,7 +1358,10 @@ Note: this field should contain an array of values.
 
 // ===============================================================
 
-| dns.answers.class
+|
+[[field-dns-answers-class]]
+<<field-dns-answers-class, dns.answers.class>>
+
 | The class of DNS data contained in this resource record.
 
 type: keyword
@@ -1191,7 +1374,10 @@ example: `IN`
 
 // ===============================================================
 
-| dns.answers.data
+|
+[[field-dns-answers-data]]
+<<field-dns-answers-data, dns.answers.data>>
+
 | The data describing the resource.
 
 The meaning of this data depends on the type and class of the resource record.
@@ -1206,7 +1392,10 @@ example: `10.10.10.10`
 
 // ===============================================================
 
-| dns.answers.name
+|
+[[field-dns-answers-name]]
+<<field-dns-answers-name, dns.answers.name>>
+
 | The domain name to which this resource record pertains.
 
 If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated.
@@ -1221,7 +1410,10 @@ example: `www.example.com`
 
 // ===============================================================
 
-| dns.answers.ttl
+|
+[[field-dns-answers-ttl]]
+<<field-dns-answers-ttl, dns.answers.ttl>>
+
 | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.
 
 type: long
@@ -1234,7 +1426,10 @@ example: `180`
 
 // ===============================================================
 
-| dns.answers.type
+|
+[[field-dns-answers-type]]
+<<field-dns-answers-type, dns.answers.type>>
+
 | The type of data contained in this resource record.
 
 type: keyword
@@ -1247,7 +1442,10 @@ example: `CNAME`
 
 // ===============================================================
 
-| dns.header_flags
+|
+[[field-dns-header-flags]]
+<<field-dns-header-flags, dns.header_flags>>
+
 | Array of 2 letter DNS header flags.
 
 Expected values are: AA, TC, RD, RA, AD, CD, DO.
@@ -1265,7 +1463,10 @@ example: `["RD", "RA"]`
 
 // ===============================================================
 
-| dns.id
+|
+[[field-dns-id]]
+<<field-dns-id, dns.id>>
+
 | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
 
 type: keyword
@@ -1278,7 +1479,10 @@ example: `62111`
 
 // ===============================================================
 
-| dns.op_code
+|
+[[field-dns-op-code]]
+<<field-dns-op-code, dns.op_code>>
+
 | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response.
 
 type: keyword
@@ -1291,7 +1495,10 @@ example: `QUERY`
 
 // ===============================================================
 
-| dns.question.class
+|
+[[field-dns-question-class]]
+<<field-dns-question-class, dns.question.class>>
+
 | The class of records being queried.
 
 type: keyword
@@ -1304,7 +1511,10 @@ example: `IN`
 
 // ===============================================================
 
-| dns.question.name
+|
+[[field-dns-question-name]]
+<<field-dns-question-name, dns.question.name>>
+
 | The name being queried.
 
 If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.
@@ -1319,7 +1529,10 @@ example: `www.example.com`
 
 // ===============================================================
 
-| dns.question.registered_domain
+|
+[[field-dns-question-registered-domain]]
+<<field-dns-question-registered-domain, dns.question.registered_domain>>
+
 | The highest registered domain, stripped of the subdomain.
 
 For example, the registered domain for "foo.example.com" is "example.com".
@@ -1336,7 +1549,10 @@ example: `example.com`
 
 // ===============================================================
 
-| dns.question.subdomain
+|
+[[field-dns-question-subdomain]]
+<<field-dns-question-subdomain, dns.question.subdomain>>
+
 | The subdomain is all of the labels under the registered_domain.
 
 If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
@@ -1351,7 +1567,10 @@ example: `www`
 
 // ===============================================================
 
-| dns.question.top_level_domain
+|
+[[field-dns-question-top-level-domain]]
+<<field-dns-question-top-level-domain, dns.question.top_level_domain>>
+
 | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
 
 This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
@@ -1366,7 +1585,10 @@ example: `co.uk`
 
 // ===============================================================
 
-| dns.question.type
+|
+[[field-dns-question-type]]
+<<field-dns-question-type, dns.question.type>>
+
 | The type of record being queried.
 
 type: keyword
@@ -1379,7 +1601,10 @@ example: `AAAA`
 
 // ===============================================================
 
-| dns.resolved_ip
+|
+[[field-dns-resolved-ip]]
+<<field-dns-resolved-ip, dns.resolved_ip>>
+
 | Array containing all IPs seen in `answers.data`.
 
 The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for.
@@ -1397,7 +1622,10 @@ example: `["10.10.10.10", "10.10.10.11"]`
 
 // ===============================================================
 
-| dns.response_code
+|
+[[field-dns-response-code]]
+<<field-dns-response-code, dns.response_code>>
+
 | The DNS response code.
 
 type: keyword
@@ -1410,7 +1638,10 @@ example: `NOERROR`
 
 // ===============================================================
 
-| dns.type
+|
+[[field-dns-type]]
+<<field-dns-type, dns.type>>
+
 | The type of DNS event captured, query or answer.
 
 If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`.
@@ -1443,7 +1674,10 @@ Meta-information specific to ECS.
 
 // ===============================================================
 
-| ecs.version
+|
+[[field-ecs-version]]
+<<field-ecs-version, ecs.version>>
+
 | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
 
 When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
@@ -1476,7 +1710,10 @@ Use them for errors that happen while fetching events or in cases where the even
 
 // ===============================================================
 
-| error.code
+|
+[[field-error-code]]
+<<field-error-code, error.code>>
+
 | Error code describing the error.
 
 type: keyword
@@ -1489,7 +1726,10 @@ type: keyword
 
 // ===============================================================
 
-| error.id
+|
+[[field-error-id]]
+<<field-error-id, error.id>>
+
 | Unique identifier for the error.
 
 type: keyword
@@ -1502,7 +1742,10 @@ type: keyword
 
 // ===============================================================
 
-| error.message
+|
+[[field-error-message]]
+<<field-error-message, error.message>>
+
 | Error message.
 
 type: text
@@ -1515,7 +1758,10 @@ type: text
 
 // ===============================================================
 
-| error.stack_trace
+|
+[[field-error-stack-trace]]
+<<field-error-stack-trace, error.stack_trace>>
+
 | The stack trace of this error in plain text.
 
 type: keyword
@@ -1534,7 +1780,10 @@ Multi-fields:
 
 // ===============================================================
 
-| error.type
+|
+[[field-error-type]]
+<<field-error-type, error.type>>
+
 | The type of the error, for example the class name of the exception.
 
 type: keyword
@@ -1565,7 +1814,10 @@ A log is defined as an event containing details of something that happened. Log
 
 // ===============================================================
 
-| event.action
+|
+[[field-event-action]]
+<<field-event-action, event.action>>
+
 | The action captured by the event.
 
 This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
@@ -1580,7 +1832,10 @@ example: `user-password-change`
 
 // ===============================================================
 
-| event.category
+|
+[[field-event-category]]
+<<field-event-category, event.category>>
+
 | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
 
 `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
@@ -1607,7 +1862,10 @@ To learn more about when to use which value, visit the page
 
 // ===============================================================
 
-| event.code
+|
+[[field-event-code]]
+<<field-event-code, event.code>>
+
 | Identification code for this event, if one exists.
 
 Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
@@ -1622,7 +1880,10 @@ example: `4648`
 
 // ===============================================================
 
-| event.created
+|
+[[field-event-created]]
+<<field-event-created, event.created>>
+
 | event.created contains the date/time when the event was first read by an agent, or by your pipeline.
 
 This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
@@ -1641,7 +1902,10 @@ example: `2016-05-23T08:05:34.857Z`
 
 // ===============================================================
 
-| event.dataset
+|
+[[field-event-dataset]]
+<<field-event-dataset, event.dataset>>
+
 | Name of the dataset.
 
 If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from.
@@ -1658,7 +1922,10 @@ example: `apache.access`
 
 // ===============================================================
 
-| event.duration
+|
+[[field-event-duration]]
+<<field-event-duration, event.duration>>
+
 | Duration of the event in nanoseconds.
 
 If event.start and event.end are known this value should be the difference between the end and start time.
@@ -1673,7 +1940,10 @@ type: long
 
 // ===============================================================
 
-| event.end
+|
+[[field-event-end]]
+<<field-event-end, event.end>>
+
 | event.end contains the date when the event ended or when the activity was last observed.
 
 type: date
@@ -1686,7 +1956,10 @@ type: date
 
 // ===============================================================
 
-| event.hash
+|
+[[field-event-hash]]
+<<field-event-hash, event.hash>>
+
 | Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
 
 type: keyword
@@ -1699,7 +1972,10 @@ example: `123456789012345678901234567890ABCD`
 
 // ===============================================================
 
-| event.id
+|
+[[field-event-id]]
+<<field-event-id, event.id>>
+
 | Unique ID to describe the event.
 
 type: keyword
@@ -1712,7 +1988,10 @@ example: `8a4f500d`
 
 // ===============================================================
 
-| event.ingested
+|
+[[field-event-ingested]]
+<<field-event-ingested, event.ingested>>
+
 | Timestamp when an event arrived in the central data store.
 
 This is different from `@timestamp`, which is when the event originally occurred.  It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
@@ -1729,7 +2008,10 @@ example: `2016-05-23T08:05:35.101Z`
 
 // ===============================================================
 
-| event.kind
+|
+[[field-event-kind]]
+<<field-event-kind, event.kind>>
+
 | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
 
 `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
@@ -1753,7 +2035,10 @@ To learn more about when to use which value, visit the page
 
 // ===============================================================
 
-| event.module
+|
+[[field-event-module]]
+<<field-event-module, event.module>>
+
 | Name of the module this data is coming from.
 
 If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.
@@ -1768,7 +2053,10 @@ example: `apache`
 
 // ===============================================================
 
-| event.original
+|
+[[field-event-original]]
+<<field-event-original, event.original>>
+
 | Raw text message of entire event. Used to demonstrate log integrity.
 
 This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`.
@@ -1783,7 +2071,10 @@ example: `Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&
 
 // ===============================================================
 
-| event.outcome
+|
+[[field-event-outcome]]
+<<field-event-outcome, event.outcome>>
+
 | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
 
 `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
@@ -1811,7 +2102,10 @@ To learn more about when to use which value, visit the page
 
 // ===============================================================
 
-| event.provider
+|
+[[field-event-provider]]
+<<field-event-provider, event.provider>>
+
 | Source of the event.
 
 Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
@@ -1826,7 +2120,10 @@ example: `kernel`
 
 // ===============================================================
 
-| event.reason
+|
+[[field-event-reason]]
+<<field-event-reason, event.reason>>
+
 | Reason why this event happened, according to the source.
 
 This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`).
@@ -1841,7 +2138,10 @@ example: `Terminated an unexpected process`
 
 // ===============================================================
 
-| event.reference
+|
+[[field-event-reference]]
+<<field-event-reference, event.reference>>
+
 | Reference URL linking to additional information about this event.
 
 This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field.
@@ -1856,7 +2156,10 @@ example: `https://system.example.com/event/#0001234`
 
 // ===============================================================
 
-| event.risk_score
+|
+[[field-event-risk-score]]
+<<field-event-risk-score, event.risk_score>>
+
 | Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
 
 type: float
@@ -1869,7 +2172,10 @@ type: float
 
 // ===============================================================
 
-| event.risk_score_norm
+|
+[[field-event-risk-score-norm]]
+<<field-event-risk-score-norm, event.risk_score_norm>>
+
 | Normalized risk score or priority of the event, on a scale of 0 to 100.
 
 This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems.
@@ -1884,7 +2190,10 @@ type: float
 
 // ===============================================================
 
-| event.sequence
+|
+[[field-event-sequence]]
+<<field-event-sequence, event.sequence>>
+
 | Sequence number of the event.
 
 The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.
@@ -1899,7 +2208,10 @@ type: long
 
 // ===============================================================
 
-| event.severity
+|
+[[field-event-severity]]
+<<field-event-severity, event.severity>>
+
 | The numeric severity of the event according to your event source.
 
 What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source.
@@ -1916,7 +2228,10 @@ example: `7`
 
 // ===============================================================
 
-| event.start
+|
+[[field-event-start]]
+<<field-event-start, event.start>>
+
 | event.start contains the date when the event started or when the activity was first observed.
 
 type: date
@@ -1929,7 +2244,10 @@ type: date
 
 // ===============================================================
 
-| event.timezone
+|
+[[field-event-timezone]]
+<<field-event-timezone, event.timezone>>
+
 | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise.
 
 Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
@@ -1944,7 +2262,10 @@ type: keyword
 
 // ===============================================================
 
-| event.type
+|
+[[field-event-type]]
+<<field-event-type, event.type>>
+
 | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
 
 `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
@@ -1971,7 +2292,10 @@ To learn more about when to use which value, visit the page
 
 // ===============================================================
 
-| event.url
+|
+[[field-event-url]]
+<<field-event-url, event.url>>
+
 | URL linking to an external system to continue investigation of this event.
 
 This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field.
@@ -2004,7 +2328,10 @@ File objects can be associated with host events, network events, and/or file eve
 
 // ===============================================================
 
-| file.accessed
+|
+[[field-file-accessed]]
+<<field-file-accessed, file.accessed>>
+
 | Last time the file was accessed.
 
 Note that not all filesystems keep track of access time.
@@ -2019,7 +2346,10 @@ type: date
 
 // ===============================================================
 
-| file.attributes
+|
+[[field-file-attributes]]
+<<field-file-attributes, file.attributes>>
+
 | Array of file attributes.
 
 Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
@@ -2037,7 +2367,10 @@ example: `["readonly", "system"]`
 
 // ===============================================================
 
-| file.created
+|
+[[field-file-created]]
+<<field-file-created, file.created>>
+
 | File creation time.
 
 Note that not all filesystems store the creation time.
@@ -2052,7 +2385,10 @@ type: date
 
 // ===============================================================
 
-| file.ctime
+|
+[[field-file-ctime]]
+<<field-file-ctime, file.ctime>>
+
 | Last time the file attributes or metadata changed.
 
 Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.
@@ -2067,7 +2403,10 @@ type: date
 
 // ===============================================================
 
-| file.device
+|
+[[field-file-device]]
+<<field-file-device, file.device>>
+
 | Device that is the source of the file.
 
 type: keyword
@@ -2080,7 +2419,10 @@ example: `sda`
 
 // ===============================================================
 
-| file.directory
+|
+[[field-file-directory]]
+<<field-file-directory, file.directory>>
+
 | Directory where the file is located. It should include the drive letter, when appropriate.
 
 type: keyword
@@ -2093,7 +2435,10 @@ example: `/home/alice`
 
 // ===============================================================
 
-| file.drive_letter
+|
+[[field-file-drive-letter]]
+<<field-file-drive-letter, file.drive_letter>>
+
 | Drive letter where the file is located. This field is only relevant on Windows.
 
 The value should be uppercase, and not include the colon.
@@ -2108,7 +2453,10 @@ example: `C`
 
 // ===============================================================
 
-| file.extension
+|
+[[field-file-extension]]
+<<field-file-extension, file.extension>>
+
 | File extension, excluding the leading dot.
 
 Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
@@ -2123,7 +2471,10 @@ example: `png`
 
 // ===============================================================
 
-| file.gid
+|
+[[field-file-gid]]
+<<field-file-gid, file.gid>>
+
 | Primary group ID (GID) of the file.
 
 type: keyword
@@ -2136,7 +2487,10 @@ example: `1001`
 
 // ===============================================================
 
-| file.group
+|
+[[field-file-group]]
+<<field-file-group, file.group>>
+
 | Primary group name of the file.
 
 type: keyword
@@ -2149,7 +2503,10 @@ example: `alice`
 
 // ===============================================================
 
-| file.inode
+|
+[[field-file-inode]]
+<<field-file-inode, file.inode>>
+
 | Inode representing the file in the filesystem.
 
 type: keyword
@@ -2162,7 +2519,10 @@ example: `256383`
 
 // ===============================================================
 
-| file.mime_type
+|
+[[field-file-mime-type]]
+<<field-file-mime-type, file.mime_type>>
+
 | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used.
 
 type: keyword
@@ -2175,7 +2535,10 @@ type: keyword
 
 // ===============================================================
 
-| file.mode
+|
+[[field-file-mode]]
+<<field-file-mode, file.mode>>
+
 | Mode of the file in octal representation.
 
 type: keyword
@@ -2188,7 +2551,10 @@ example: `0640`
 
 // ===============================================================
 
-| file.mtime
+|
+[[field-file-mtime]]
+<<field-file-mtime, file.mtime>>
+
 | Last time the file content was modified.
 
 type: date
@@ -2201,7 +2567,10 @@ type: date
 
 // ===============================================================
 
-| file.name
+|
+[[field-file-name]]
+<<field-file-name, file.name>>
+
 | Name of the file including the extension, without the directory.
 
 type: keyword
@@ -2214,7 +2583,10 @@ example: `example.png`
 
 // ===============================================================
 
-| file.owner
+|
+[[field-file-owner]]
+<<field-file-owner, file.owner>>
+
 | File owner's username.
 
 type: keyword
@@ -2227,7 +2599,10 @@ example: `alice`
 
 // ===============================================================
 
-| file.path
+|
+[[field-file-path]]
+<<field-file-path, file.path>>
+
 | Full path to the file, including the file name. It should include the drive letter, when appropriate.
 
 type: keyword
@@ -2246,7 +2621,10 @@ example: `/home/alice/example.png`
 
 // ===============================================================
 
-| file.size
+|
+[[field-file-size]]
+<<field-file-size, file.size>>
+
 | File size in bytes.
 
 Only relevant when `file.type` is "file".
@@ -2261,7 +2639,10 @@ example: `16384`
 
 // ===============================================================
 
-| file.target_path
+|
+[[field-file-target-path]]
+<<field-file-target-path, file.target_path>>
+
 | Target path for symlinks.
 
 type: keyword
@@ -2280,7 +2661,10 @@ Multi-fields:
 
 // ===============================================================
 
-| file.type
+|
+[[field-file-type]]
+<<field-file-type, file.type>>
+
 | File type (file, dir, or symlink).
 
 type: keyword
@@ -2293,7 +2677,10 @@ example: `file`
 
 // ===============================================================
 
-| file.uid
+|
+[[field-file-uid]]
+<<field-file-uid, file.uid>>
+
 | The user ID (UID) or security identifier (SID) of the file owner.
 
 type: keyword
@@ -2367,7 +2754,10 @@ This geolocation information can be derived from techniques such as Geo IP, or b
 
 // ===============================================================
 
-| geo.city_name
+|
+[[field-geo-city-name]]
+<<field-geo-city-name, geo.city_name>>
+
 | City name.
 
 type: keyword
@@ -2380,7 +2770,10 @@ example: `Montreal`
 
 // ===============================================================
 
-| geo.continent_name
+|
+[[field-geo-continent-name]]
+<<field-geo-continent-name, geo.continent_name>>
+
 | Name of the continent.
 
 type: keyword
@@ -2393,7 +2786,10 @@ example: `North America`
 
 // ===============================================================
 
-| geo.country_iso_code
+|
+[[field-geo-country-iso-code]]
+<<field-geo-country-iso-code, geo.country_iso_code>>
+
 | Country ISO code.
 
 type: keyword
@@ -2406,7 +2802,10 @@ example: `CA`
 
 // ===============================================================
 
-| geo.country_name
+|
+[[field-geo-country-name]]
+<<field-geo-country-name, geo.country_name>>
+
 | Country name.
 
 type: keyword
@@ -2419,7 +2818,10 @@ example: `Canada`
 
 // ===============================================================
 
-| geo.location
+|
+[[field-geo-location]]
+<<field-geo-location, geo.location>>
+
 | Longitude and latitude.
 
 type: geo_point
@@ -2432,7 +2834,10 @@ example: `{ "lon": -73.614830, "lat": 45.505918 }`
 
 // ===============================================================
 
-| geo.name
+|
+[[field-geo-name]]
+<<field-geo-name, geo.name>>
+
 | User-defined description of a location, at the level of granularity they care about.
 
 Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
@@ -2449,7 +2854,10 @@ example: `boston-dc`
 
 // ===============================================================
 
-| geo.region_iso_code
+|
+[[field-geo-region-iso-code]]
+<<field-geo-region-iso-code, geo.region_iso_code>>
+
 | Region ISO code.
 
 type: keyword
@@ -2462,7 +2870,10 @@ example: `CA-QC`
 
 // ===============================================================
 
-| geo.region_name
+|
+[[field-geo-region-name]]
+<<field-geo-region-name, geo.region_name>>
+
 | Region name.
 
 type: keyword
@@ -2501,7 +2912,10 @@ The group fields are meant to represent groups that are relevant to the event.
 
 // ===============================================================
 
-| group.domain
+|
+[[field-group-domain]]
+<<field-group-domain, group.domain>>
+
 | Name of the directory the group is a member of.
 
 For example, an LDAP or Active Directory domain name.
@@ -2516,7 +2930,10 @@ type: keyword
 
 // ===============================================================
 
-| group.id
+|
+[[field-group-id]]
+<<field-group-id, group.id>>
+
 | Unique identifier for the group on the system/platform.
 
 type: keyword
@@ -2529,7 +2946,10 @@ type: keyword
 
 // ===============================================================
 
-| group.name
+|
+[[field-group-name]]
+<<field-group-name, group.name>>
+
 | Name of the group.
 
 type: keyword
@@ -2570,7 +2990,10 @@ Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for ot
 
 // ===============================================================
 
-| hash.md5
+|
+[[field-hash-md5]]
+<<field-hash-md5, hash.md5>>
+
 | MD5 hash.
 
 type: keyword
@@ -2583,7 +3006,10 @@ type: keyword
 
 // ===============================================================
 
-| hash.sha1
+|
+[[field-hash-sha1]]
+<<field-hash-sha1, hash.sha1>>
+
 | SHA1 hash.
 
 type: keyword
@@ -2596,7 +3022,10 @@ type: keyword
 
 // ===============================================================
 
-| hash.sha256
+|
+[[field-hash-sha256]]
+<<field-hash-sha256, hash.sha256>>
+
 | SHA256 hash.
 
 type: keyword
@@ -2609,7 +3038,10 @@ type: keyword
 
 // ===============================================================
 
-| hash.sha512
+|
+[[field-hash-sha512]]
+<<field-hash-sha512, hash.sha512>>
+
 | SHA512 hash.
 
 type: keyword
@@ -2650,7 +3082,10 @@ ECS host.* fields should be populated with details about the host on which the e
 
 // ===============================================================
 
-| host.architecture
+|
+[[field-host-architecture]]
+<<field-host-architecture, host.architecture>>
+
 | Operating system architecture.
 
 type: keyword
@@ -2663,7 +3098,10 @@ example: `x86_64`
 
 // ===============================================================
 
-| host.domain
+|
+[[field-host-domain]]
+<<field-host-domain, host.domain>>
+
 | Name of the domain of which the host is a member.
 
 For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
@@ -2678,7 +3116,10 @@ example: `CONTOSO`
 
 // ===============================================================
 
-| host.hostname
+|
+[[field-host-hostname]]
+<<field-host-hostname, host.hostname>>
+
 | Hostname of the host.
 
 It normally contains what the `hostname` command returns on the host machine.
@@ -2693,7 +3134,10 @@ type: keyword
 
 // ===============================================================
 
-| host.id
+|
+[[field-host-id]]
+<<field-host-id, host.id>>
+
 | Unique host id.
 
 As hostname is not always unique, use values that are meaningful in your environment.
@@ -2710,7 +3154,10 @@ type: keyword
 
 // ===============================================================
 
-| host.ip
+|
+[[field-host-ip]]
+<<field-host-ip, host.ip>>
+
 | Host ip addresses.
 
 type: ip
@@ -2726,7 +3173,10 @@ Note: this field should contain an array of values.
 
 // ===============================================================
 
-| host.mac
+|
+[[field-host-mac]]
+<<field-host-mac, host.mac>>
+
 | Host mac addresses.
 
 type: keyword
@@ -2742,7 +3192,10 @@ Note: this field should contain an array of values.
 
 // ===============================================================
 
-| host.name
+|
+[[field-host-name]]
+<<field-host-name, host.name>>
+
 | Name of the host.
 
 It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
@@ -2757,7 +3210,10 @@ type: keyword
 
 // ===============================================================
 
-| host.type
+|
+[[field-host-type]]
+<<field-host-type, host.type>>
+
 | Type of host.
 
 For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.
@@ -2772,7 +3228,10 @@ type: keyword
 
 // ===============================================================
 
-| host.uptime
+|
+[[field-host-uptime]]
+<<field-host-uptime, host.uptime>>
+
 | Seconds the host has been up.
 
 type: long
@@ -2838,7 +3297,10 @@ Fields related to HTTP activity. Use the `url` field set to store the url of the
 
 // ===============================================================
 
-| http.request.body.bytes
+|
+[[field-http-request-body-bytes]]
+<<field-http-request-body-bytes, http.request.body.bytes>>
+
 | Size in bytes of the request body.
 
 type: long
@@ -2851,7 +3313,10 @@ example: `887`
 
 // ===============================================================
 
-| http.request.body.content
+|
+[[field-http-request-body-content]]
+<<field-http-request-body-content, http.request.body.content>>
+
 | The full HTTP request body.
 
 type: keyword
@@ -2870,7 +3335,10 @@ example: `Hello world`
 
 // ===============================================================
 
-| http.request.bytes
+|
+[[field-http-request-bytes]]
+<<field-http-request-bytes, http.request.bytes>>
+
 | Total size in bytes of the request (body and headers).
 
 type: long
@@ -2883,7 +3351,10 @@ example: `1437`
 
 // ===============================================================
 
-| http.request.method
+|
+[[field-http-request-method]]
+<<field-http-request-method, http.request.method>>
+
 | HTTP request method.
 
 Prior to ECS 1.6.0 the following guidance was provided:
@@ -2902,7 +3373,10 @@ example: `GET, POST, PUT, PoST`
 
 // ===============================================================
 
-| http.request.mime_type
+|
+[[field-http-request-mime-type]]
+<<field-http-request-mime-type, http.request.mime_type>>
+
 | Mime type of the body of the request.
 
 This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients.
@@ -2917,7 +3391,10 @@ example: `image/gif`
 
 // ===============================================================
 
-| http.request.referrer
+|
+[[field-http-request-referrer]]
+<<field-http-request-referrer, http.request.referrer>>
+
 | Referrer for this HTTP request.
 
 type: keyword
@@ -2930,7 +3407,10 @@ example: `https://blog.example.com/`
 
 // ===============================================================
 
-| http.response.body.bytes
+|
+[[field-http-response-body-bytes]]
+<<field-http-response-body-bytes, http.response.body.bytes>>
+
 | Size in bytes of the response body.
 
 type: long
@@ -2943,7 +3423,10 @@ example: `887`
 
 // ===============================================================
 
-| http.response.body.content
+|
+[[field-http-response-body-content]]
+<<field-http-response-body-content, http.response.body.content>>
+
 | The full HTTP response body.
 
 type: keyword
@@ -2962,7 +3445,10 @@ example: `Hello world`
 
 // ===============================================================
 
-| http.response.bytes
+|
+[[field-http-response-bytes]]
+<<field-http-response-bytes, http.response.bytes>>
+
 | Total size in bytes of the response (body and headers).
 
 type: long
@@ -2975,7 +3461,10 @@ example: `1437`
 
 // ===============================================================
 
-| http.response.mime_type
+|
+[[field-http-response-mime-type]]
+<<field-http-response-mime-type, http.response.mime_type>>
+
 | Mime type of the body of the response.
 
 This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers.
@@ -2990,7 +3479,10 @@ example: `image/gif`
 
 // ===============================================================
 
-| http.response.status_code
+|
+[[field-http-response-status-code]]
+<<field-http-response-status-code, http.response.status_code>>
+
 | HTTP response status code.
 
 type: long
@@ -3003,7 +3495,10 @@ example: `404`
 
 // ===============================================================
 
-| http.version
+|
+[[field-http-version]]
+<<field-http-version, http.version>>
+
 | HTTP version.
 
 type: keyword
@@ -3032,7 +3527,10 @@ The interface fields are used to record ingress and egress interface information
 
 // ===============================================================
 
-| interface.alias
+|
+[[field-interface-alias]]
+<<field-interface-alias, interface.alias>>
+
 | Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
 
 type: keyword
@@ -3045,7 +3543,10 @@ example: `outside`
 
 // ===============================================================
 
-| interface.id
+|
+[[field-interface-id]]
+<<field-interface-id, interface.id>>
+
 | Interface ID as reported by an observer (typically SNMP interface ID).
 
 type: keyword
@@ -3058,7 +3559,10 @@ example: `10`
 
 // ===============================================================
 
-| interface.name
+|
+[[field-interface-name]]
+<<field-interface-name, interface.name>>
+
 | Interface name as reported by the system.
 
 type: keyword
@@ -3101,7 +3605,10 @@ The details specific to your event source are typically not logged under `log.*`
 
 // ===============================================================
 
-| log.file.path
+|
+[[field-log-file-path]]
+<<field-log-file-path, log.file.path>>
+
 | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
 
 If the event wasn't read from a log file, do not populate this field.
@@ -3116,7 +3623,10 @@ example: `/var/log/fun-times.log`
 
 // ===============================================================
 
-| log.level
+|
+[[field-log-level]]
+<<field-log-level, log.level>>
+
 | Original log level of the log event.
 
 If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
@@ -3133,7 +3643,10 @@ example: `error`
 
 // ===============================================================
 
-| log.logger
+|
+[[field-log-logger]]
+<<field-log-logger, log.logger>>
+
 | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
 
 type: keyword
@@ -3146,7 +3659,10 @@ example: `org.elasticsearch.bootstrap.Bootstrap`
 
 // ===============================================================
 
-| log.origin.file.line
+|
+[[field-log-origin-file-line]]
+<<field-log-origin-file-line, log.origin.file.line>>
+
 | The line number of the file containing the source code which originated the log event.
 
 type: integer
@@ -3159,7 +3675,10 @@ example: `42`
 
 // ===============================================================
 
-| log.origin.file.name
+|
+[[field-log-origin-file-name]]
+<<field-log-origin-file-name, log.origin.file.name>>
+
 | The name of the file containing the source code which originated the log event.
 
 Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`.
@@ -3174,7 +3693,10 @@ example: `Bootstrap.java`
 
 // ===============================================================
 
-| log.origin.function
+|
+[[field-log-origin-function]]
+<<field-log-origin-function, log.origin.function>>
+
 | The name of the function or method which originated the log event.
 
 type: keyword
@@ -3187,7 +3709,10 @@ example: `init`
 
 // ===============================================================
 
-| log.original
+|
+[[field-log-original]]
+<<field-log-original, log.original>>
+
 | This is the original log message and contains the full log message before splitting it up in multiple parts.
 
 In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message.
@@ -3204,7 +3729,10 @@ example: `Sep 19 08:26:10 localhost My log`
 
 // ===============================================================
 
-| log.syslog
+|
+[[field-log-syslog]]
+<<field-log-syslog, log.syslog>>
+
 | The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164.
 
 type: object
@@ -3217,7 +3745,10 @@ type: object
 
 // ===============================================================
 
-| log.syslog.facility.code
+|
+[[field-log-syslog-facility-code]]
+<<field-log-syslog-facility-code, log.syslog.facility.code>>
+
 | The Syslog numeric facility of the log event, if available.
 
 According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.
@@ -3232,7 +3763,10 @@ example: `23`
 
 // ===============================================================
 
-| log.syslog.facility.name
+|
+[[field-log-syslog-facility-name]]
+<<field-log-syslog-facility-name, log.syslog.facility.name>>
+
 | The Syslog text-based facility of the log event, if available.
 
 type: keyword
@@ -3245,7 +3779,10 @@ example: `local7`
 
 // ===============================================================
 
-| log.syslog.priority
+|
+[[field-log-syslog-priority]]
+<<field-log-syslog-priority, log.syslog.priority>>
+
 | Syslog numeric priority of the event, if available.
 
 According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
@@ -3260,7 +3797,10 @@ example: `135`
 
 // ===============================================================
 
-| log.syslog.severity.code
+|
+[[field-log-syslog-severity-code]]
+<<field-log-syslog-severity-code, log.syslog.severity.code>>
+
 | The Syslog numeric severity of the log event, if available.
 
 If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`.
@@ -3275,7 +3815,10 @@ example: `3`
 
 // ===============================================================
 
-| log.syslog.severity.name
+|
+[[field-log-syslog-severity-name]]
+<<field-log-syslog-severity-name, log.syslog.severity.name>>
+
 | The Syslog numeric severity of the log event, if available.
 
 If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`.
@@ -3308,7 +3851,10 @@ The network.* fields should be populated with details about the network activity
 
 // ===============================================================
 
-| network.application
+|
+[[field-network-application]]
+<<field-network-application, network.application>>
+
 | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format.
 
 The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".
@@ -3323,7 +3869,10 @@ example: `aim`
 
 // ===============================================================
 
-| network.bytes
+|
+[[field-network-bytes]]
+<<field-network-bytes, network.bytes>>
+
 | Total bytes transferred in both directions.
 
 If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
@@ -3338,7 +3887,10 @@ example: `368`
 
 // ===============================================================
 
-| network.community_id
+|
+[[field-network-community-id]]
+<<field-network-community-id, network.community_id>>
+
 | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
 
 Learn more at https://github.com/corelight/community-id-spec.
@@ -3353,7 +3905,10 @@ example: `1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=`
 
 // ===============================================================
 
-| network.direction
+|
+[[field-network-direction]]
+<<field-network-direction, network.direction>>
+
 | Direction of the network traffic.
 
 Recommended values are:
@@ -3390,7 +3945,10 @@ example: `inbound`
 
 // ===============================================================
 
-| network.forwarded_ip
+|
+[[field-network-forwarded-ip]]
+<<field-network-forwarded-ip, network.forwarded_ip>>
+
 | Host IP address when the source IP address is the proxy.
 
 type: ip
@@ -3403,7 +3961,10 @@ example: `192.1.1.2`
 
 // ===============================================================
 
-| network.iana_number
+|
+[[field-network-iana-number]]
+<<field-network-iana-number, network.iana_number>>
+
 | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
 
 type: keyword
@@ -3416,7 +3977,10 @@ example: `6`
 
 // ===============================================================
 
-| network.inner
+|
+[[field-network-inner]]
+<<field-network-inner, network.inner>>
+
 | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.)
 
 type: object
@@ -3429,7 +3993,10 @@ type: object
 
 // ===============================================================
 
-| network.name
+|
+[[field-network-name]]
+<<field-network-name, network.name>>
+
 | Name given by operators to sections of their network.
 
 type: keyword
@@ -3442,7 +4009,10 @@ example: `Guest Wifi`
 
 // ===============================================================
 
-| network.packets
+|
+[[field-network-packets]]
+<<field-network-packets, network.packets>>
+
 | Total packets transferred in both directions.
 
 If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
@@ -3457,7 +4027,10 @@ example: `24`
 
 // ===============================================================
 
-| network.protocol
+|
+[[field-network-protocol]]
+<<field-network-protocol, network.protocol>>
+
 | L7 Network protocol name. ex. http, lumberjack, transport protocol.
 
 The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".
@@ -3472,7 +4045,10 @@ example: `http`
 
 // ===============================================================
 
-| network.transport
+|
+[[field-network-transport]]
+<<field-network-transport, network.transport>>
+
 | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
 
 The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".
@@ -3487,7 +4063,10 @@ example: `tcp`
 
 // ===============================================================
 
-| network.type
+|
+[[field-network-type]]
+<<field-network-type, network.type>>
+
 | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
 
 The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".
@@ -3551,7 +4130,10 @@ This could be a custom hardware appliance or a server that has been configured t
 
 // ===============================================================
 
-| observer.egress
+|
+[[field-observer-egress]]
+<<field-observer-egress, observer.egress>>
+
 | Observer.egress holds information like interface number and name, vlan, and zone information to  classify egress traffic.  Single armed monitoring such as a network sensor on a span port should  only use observer.ingress to categorize traffic.
 
 type: object
@@ -3564,7 +4146,10 @@ type: object
 
 // ===============================================================
 
-| observer.egress.zone
+|
+[[field-observer-egress-zone]]
+<<field-observer-egress-zone, observer.egress.zone>>
+
 | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress  traffic, e.g. Internal, External, DMZ, HR, Legal, etc.
 
 type: keyword
@@ -3577,7 +4162,10 @@ example: `Public_Internet`
 
 // ===============================================================
 
-| observer.hostname
+|
+[[field-observer-hostname]]
+<<field-observer-hostname, observer.hostname>>
+
 | Hostname of the observer.
 
 type: keyword
@@ -3590,7 +4178,10 @@ type: keyword
 
 // ===============================================================
 
-| observer.ingress
+|
+[[field-observer-ingress]]
+<<field-observer-ingress, observer.ingress>>
+
 | Observer.ingress holds information like interface number and name, vlan, and zone information to  classify ingress traffic.  Single armed monitoring such as a network sensor on a span port should  only use observer.ingress to categorize traffic.
 
 type: object
@@ -3603,7 +4194,10 @@ type: object
 
 // ===============================================================
 
-| observer.ingress.zone
+|
+[[field-observer-ingress-zone]]
+<<field-observer-ingress-zone, observer.ingress.zone>>
+
 | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress  traffic. e.g. internal, External, DMZ, HR, Legal, etc.
 
 type: keyword
@@ -3616,7 +4210,10 @@ example: `DMZ`
 
 // ===============================================================
 
-| observer.ip
+|
+[[field-observer-ip]]
+<<field-observer-ip, observer.ip>>
+
 | IP addresses of the observer.
 
 type: ip
@@ -3632,7 +4229,10 @@ Note: this field should contain an array of values.
 
 // ===============================================================
 
-| observer.mac
+|
+[[field-observer-mac]]
+<<field-observer-mac, observer.mac>>
+
 | MAC addresses of the observer
 
 type: keyword
@@ -3648,7 +4248,10 @@ Note: this field should contain an array of values.
 
 // ===============================================================
 
-| observer.name
+|
+[[field-observer-name]]
+<<field-observer-name, observer.name>>
+
 | Custom name of the observer.
 
 This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization.
@@ -3665,7 +4268,10 @@ example: `1_proxySG`
 
 // ===============================================================
 
-| observer.product
+|
+[[field-observer-product]]
+<<field-observer-product, observer.product>>
+
 | The product name of the observer.
 
 type: keyword
@@ -3678,7 +4284,10 @@ example: `s200`
 
 // ===============================================================
 
-| observer.serial_number
+|
+[[field-observer-serial-number]]
+<<field-observer-serial-number, observer.serial_number>>
+
 | Observer serial number.
 
 type: keyword
@@ -3691,7 +4300,10 @@ type: keyword
 
 // ===============================================================
 
-| observer.type
+|
+[[field-observer-type]]
+<<field-observer-type, observer.type>>
+
 | The type of the observer the data is coming from.
 
 There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
@@ -3706,7 +4318,10 @@ example: `firewall`
 
 // ===============================================================
 
-| observer.vendor
+|
+[[field-observer-vendor]]
+<<field-observer-vendor, observer.vendor>>
+
 | Vendor name of the observer.
 
 type: keyword
@@ -3719,7 +4334,10 @@ example: `Symantec`
 
 // ===============================================================
 
-| observer.version
+|
+[[field-observer-version]]
+<<field-observer-version, observer.version>>
+
 | Observer version.
 
 type: keyword
@@ -3805,7 +4423,10 @@ These fields help you arrange or filter data stored in an index by one or multip
 
 // ===============================================================
 
-| organization.id
+|
+[[field-organization-id]]
+<<field-organization-id, organization.id>>
+
 | Unique identifier for the organization.
 
 type: keyword
@@ -3818,7 +4439,10 @@ type: keyword
 
 // ===============================================================
 
-| organization.name
+|
+[[field-organization-name]]
+<<field-organization-name, organization.name>>
+
 | Organization name.
 
 type: keyword
@@ -3853,7 +4477,10 @@ The OS fields contain information about the operating system.
 
 // ===============================================================
 
-| os.family
+|
+[[field-os-family]]
+<<field-os-family, os.family>>
+
 | OS family (such as redhat, debian, freebsd, windows).
 
 type: keyword
@@ -3866,7 +4493,10 @@ example: `debian`
 
 // ===============================================================
 
-| os.full
+|
+[[field-os-full]]
+<<field-os-full, os.full>>
+
 | Operating system name, including the version or code name.
 
 type: keyword
@@ -3885,7 +4515,10 @@ example: `Mac OS Mojave`
 
 // ===============================================================
 
-| os.kernel
+|
+[[field-os-kernel]]
+<<field-os-kernel, os.kernel>>
+
 | Operating system kernel version as a raw string.
 
 type: keyword
@@ -3898,7 +4531,10 @@ example: `4.4.0-112-generic`
 
 // ===============================================================
 
-| os.name
+|
+[[field-os-name]]
+<<field-os-name, os.name>>
+
 | Operating system name, without the version.
 
 type: keyword
@@ -3917,7 +4553,10 @@ example: `Mac OS X`
 
 // ===============================================================
 
-| os.platform
+|
+[[field-os-platform]]
+<<field-os-platform, os.platform>>
+
 | Operating system platform (such centos, ubuntu, windows).
 
 type: keyword
@@ -3930,7 +4569,10 @@ example: `darwin`
 
 // ===============================================================
 
-| os.type
+|
+[[field-os-type]]
+<<field-os-type, os.type>>
+
 | Use the `os.type` field to categorize the operating system into one of the broad commercial families.
 
 One of these following values should be used (lowercase): linux, macos, unix, windows.
@@ -3947,7 +4589,10 @@ example: `macos`
 
 // ===============================================================
 
-| os.version
+|
+[[field-os-version]]
+<<field-os-version, os.version>>
+
 | Operating system version as a raw string.
 
 type: keyword
@@ -3986,7 +4631,10 @@ These fields contain information about an installed software package. It contain
 
 // ===============================================================
 
-| package.architecture
+|
+[[field-package-architecture]]
+<<field-package-architecture, package.architecture>>
+
 | Package architecture.
 
 type: keyword
@@ -3999,7 +4647,10 @@ example: `x86_64`
 
 // ===============================================================
 
-| package.build_version
+|
+[[field-package-build-version]]
+<<field-package-build-version, package.build_version>>
+
 | Additional information about the build version of the installed package.
 
 For example use the commit SHA of a non-released package.
@@ -4014,7 +4665,10 @@ example: `36f4f7e89dd61b0988b12ee000b98966867710cd`
 
 // ===============================================================
 
-| package.checksum
+|
+[[field-package-checksum]]
+<<field-package-checksum, package.checksum>>
+
 | Checksum of the installed package for verification.
 
 type: keyword
@@ -4027,7 +4681,10 @@ example: `68b329da9893e34099c7d8ad5cb9c940`
 
 // ===============================================================
 
-| package.description
+|
+[[field-package-description]]
+<<field-package-description, package.description>>
+
 | Description of the package.
 
 type: keyword
@@ -4040,7 +4697,10 @@ example: `Open source programming language to build simple/reliable/efficient so
 
 // ===============================================================
 
-| package.install_scope
+|
+[[field-package-install-scope]]
+<<field-package-install-scope, package.install_scope>>
+
 | Indicating how the package was installed, e.g. user-local, global.
 
 type: keyword
@@ -4053,7 +4713,10 @@ example: `global`
 
 // ===============================================================
 
-| package.installed
+|
+[[field-package-installed]]
+<<field-package-installed, package.installed>>
+
 | Time when package was installed.
 
 type: date
@@ -4066,7 +4729,10 @@ type: date
 
 // ===============================================================
 
-| package.license
+|
+[[field-package-license]]
+<<field-package-license, package.license>>
+
 | License under which the package was released.
 
 Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/).
@@ -4081,7 +4747,10 @@ example: `Apache License 2.0`
 
 // ===============================================================
 
-| package.name
+|
+[[field-package-name]]
+<<field-package-name, package.name>>
+
 | Package name
 
 type: keyword
@@ -4094,7 +4763,10 @@ example: `go`
 
 // ===============================================================
 
-| package.path
+|
+[[field-package-path]]
+<<field-package-path, package.path>>
+
 | Path where the package is installed.
 
 type: keyword
@@ -4107,7 +4779,10 @@ example: `/usr/local/Cellar/go/1.12.9/`
 
 // ===============================================================
 
-| package.reference
+|
+[[field-package-reference]]
+<<field-package-reference, package.reference>>
+
 | Home page or reference URL of the software in this package, if available.
 
 type: keyword
@@ -4120,7 +4795,10 @@ example: `https://golang.org`
 
 // ===============================================================
 
-| package.size
+|
+[[field-package-size]]
+<<field-package-size, package.size>>
+
 | Package size in bytes.
 
 type: long
@@ -4133,7 +4811,10 @@ example: `62231`
 
 // ===============================================================
 
-| package.type
+|
+[[field-package-type]]
+<<field-package-type, package.type>>
+
 | Type of package.
 
 This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar.
@@ -4148,7 +4829,10 @@ example: `rpm`
 
 // ===============================================================
 
-| package.version
+|
+[[field-package-version]]
+<<field-package-version, package.version>>
+
 | Package version
 
 type: keyword
@@ -4177,7 +4861,10 @@ These fields contain Windows Portable Executable (PE) metadata.
 
 // ===============================================================
 
-| pe.architecture
+|
+[[field-pe-architecture]]
+<<field-pe-architecture, pe.architecture>>
+
 | CPU architecture target for the file.
 
 type: keyword
@@ -4190,7 +4877,10 @@ example: `x64`
 
 // ===============================================================
 
-| pe.company
+|
+[[field-pe-company]]
+<<field-pe-company, pe.company>>
+
 | Internal company name of the file, provided at compile-time.
 
 type: keyword
@@ -4203,7 +4893,10 @@ example: `Microsoft Corporation`
 
 // ===============================================================
 
-| pe.description
+|
+[[field-pe-description]]
+<<field-pe-description, pe.description>>
+
 | Internal description of the file, provided at compile-time.
 
 type: keyword
@@ -4216,7 +4909,10 @@ example: `Paint`
 
 // ===============================================================
 
-| pe.file_version
+|
+[[field-pe-file-version]]
+<<field-pe-file-version, pe.file_version>>
+
 | Internal version of the file, provided at compile-time.
 
 type: keyword
@@ -4229,7 +4925,10 @@ example: `6.3.9600.17415`
 
 // ===============================================================
 
-| pe.imphash
+|
+[[field-pe-imphash]]
+<<field-pe-imphash, pe.imphash>>
+
 | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
 
 Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
@@ -4244,7 +4943,10 @@ example: `0c6803c4e922103c4dca5963aad36ddf`
 
 // ===============================================================
 
-| pe.original_file_name
+|
+[[field-pe-original-file-name]]
+<<field-pe-original-file-name, pe.original_file_name>>
+
 | Internal name of the file, provided at compile-time.
 
 type: keyword
@@ -4257,7 +4959,10 @@ example: `MSPAINT.EXE`
 
 // ===============================================================
 
-| pe.product
+|
+[[field-pe-product]]
+<<field-pe-product, pe.product>>
+
 | Internal product name of the file, provided at compile-time.
 
 type: keyword
@@ -4298,7 +5003,10 @@ These fields can help you correlate metrics information with a process id/name f
 
 // ===============================================================
 
-| process.args
+|
+[[field-process-args]]
+<<field-process-args, process.args>>
+
 | Array of process arguments, starting with the absolute path to the executable.
 
 May be filtered to protect sensitive information.
@@ -4316,7 +5024,10 @@ example: `["/usr/bin/ssh", "-l", "user", "10.0.0.16"]`
 
 // ===============================================================
 
-| process.args_count
+|
+[[field-process-args-count]]
+<<field-process-args-count, process.args_count>>
+
 | Length of the process.args array.
 
 This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
@@ -4331,7 +5042,10 @@ example: `4`
 
 // ===============================================================
 
-| process.command_line
+|
+[[field-process-command-line]]
+<<field-process-command-line, process.command_line>>
+
 | Full command line that started the process, including the absolute path to the executable, and all arguments.
 
 Some arguments may be filtered to protect sensitive information.
@@ -4352,7 +5066,10 @@ example: `/usr/bin/ssh -l user 10.0.0.16`
 
 // ===============================================================
 
-| process.entity_id
+|
+[[field-process-entity-id]]
+<<field-process-entity-id, process.entity_id>>
+
 | Unique identifier for the process.
 
 The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.
@@ -4369,7 +5086,10 @@ example: `c2c455d9f99375d`
 
 // ===============================================================
 
-| process.executable
+|
+[[field-process-executable]]
+<<field-process-executable, process.executable>>
+
 | Absolute path to the process executable.
 
 type: keyword
@@ -4388,7 +5108,10 @@ example: `/usr/bin/ssh`
 
 // ===============================================================
 
-| process.exit_code
+|
+[[field-process-exit-code]]
+<<field-process-exit-code, process.exit_code>>
+
 | The exit code of the process, if this is a termination event.
 
 The field should be absent if there is no exit code for the event (e.g. process start).
@@ -4403,7 +5126,10 @@ example: `137`
 
 // ===============================================================
 
-| process.name
+|
+[[field-process-name]]
+<<field-process-name, process.name>>
+
 | Process name.
 
 Sometimes called program name or similar.
@@ -4424,7 +5150,10 @@ example: `ssh`
 
 // ===============================================================
 
-| process.pgid
+|
+[[field-process-pgid]]
+<<field-process-pgid, process.pgid>>
+
 | Identifier of the group of processes the process belongs to.
 
 type: long
@@ -4437,7 +5166,10 @@ type: long
 
 // ===============================================================
 
-| process.pid
+|
+[[field-process-pid]]
+<<field-process-pid, process.pid>>
+
 | Process id.
 
 type: long
@@ -4450,7 +5182,10 @@ example: `4242`
 
 // ===============================================================
 
-| process.ppid
+|
+[[field-process-ppid]]
+<<field-process-ppid, process.ppid>>
+
 | Parent process' pid.
 
 type: long
@@ -4463,7 +5198,10 @@ example: `4241`
 
 // ===============================================================
 
-| process.start
+|
+[[field-process-start]]
+<<field-process-start, process.start>>
+
 | The time the process started.
 
 type: date
@@ -4476,7 +5214,10 @@ example: `2016-05-23T08:05:34.853Z`
 
 // ===============================================================
 
-| process.thread.id
+|
+[[field-process-thread-id]]
+<<field-process-thread-id, process.thread.id>>
+
 | Thread ID.
 
 type: long
@@ -4489,7 +5230,10 @@ example: `4242`
 
 // ===============================================================
 
-| process.thread.name
+|
+[[field-process-thread-name]]
+<<field-process-thread-name, process.thread.name>>
+
 | Thread name.
 
 type: keyword
@@ -4502,7 +5246,10 @@ example: `thread-0`
 
 // ===============================================================
 
-| process.title
+|
+[[field-process-title]]
+<<field-process-title, process.title>>
+
 | Process title.
 
 The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
@@ -4523,7 +5270,10 @@ Multi-fields:
 
 // ===============================================================
 
-| process.uptime
+|
+[[field-process-uptime]]
+<<field-process-uptime, process.uptime>>
+
 | Seconds the process has been up.
 
 type: long
@@ -4536,7 +5286,10 @@ example: `1325`
 
 // ===============================================================
 
-| process.working_directory
+|
+[[field-process-working-directory]]
+<<field-process-working-directory, process.working_directory>>
+
 | The working directory of the process.
 
 type: keyword
@@ -4618,7 +5371,10 @@ Fields related to Windows Registry operations.
 
 // ===============================================================
 
-| registry.data.bytes
+|
+[[field-registry-data-bytes]]
+<<field-registry-data-bytes, registry.data.bytes>>
+
 | Original bytes written with base64 encoding.
 
 For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
@@ -4633,7 +5389,10 @@ example: `ZQBuAC0AVQBTAAAAZQBuAAAAAAA=`
 
 // ===============================================================
 
-| registry.data.strings
+|
+[[field-registry-data-strings]]
+<<field-registry-data-strings, registry.data.strings>>
+
 | Content when writing string types.
 
 Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
@@ -4651,7 +5410,10 @@ example: `["C:\rta\red_ttp\bin\myapp.exe"]`
 
 // ===============================================================
 
-| registry.data.type
+|
+[[field-registry-data-type]]
+<<field-registry-data-type, registry.data.type>>
+
 | Standard registry type for encoding contents
 
 type: keyword
@@ -4664,7 +5426,10 @@ example: `REG_SZ`
 
 // ===============================================================
 
-| registry.hive
+|
+[[field-registry-hive]]
+<<field-registry-hive, registry.hive>>
+
 | Abbreviated name for the hive.
 
 type: keyword
@@ -4677,7 +5442,10 @@ example: `HKLM`
 
 // ===============================================================
 
-| registry.key
+|
+[[field-registry-key]]
+<<field-registry-key, registry.key>>
+
 | Hive-relative path of keys.
 
 type: keyword
@@ -4690,7 +5458,10 @@ example: `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
 
 // ===============================================================
 
-| registry.path
+|
+[[field-registry-path]]
+<<field-registry-path, registry.path>>
+
 | Full path, including hive, key and value
 
 type: keyword
@@ -4703,7 +5474,10 @@ example: `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
 
 // ===============================================================
 
-| registry.value
+|
+[[field-registry-value]]
+<<field-registry-value, registry.value>>
+
 | Name of the value written.
 
 type: keyword
@@ -4736,7 +5510,10 @@ A concrete example is IP addresses, which can be under host, observer, source, d
 
 // ===============================================================
 
-| related.hash
+|
+[[field-related-hash]]
+<<field-related-hash, related.hash>>
+
 | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
 
 type: keyword
@@ -4752,7 +5529,10 @@ Note: this field should contain an array of values.
 
 // ===============================================================
 
-| related.hosts
+|
+[[field-related-hosts]]
+<<field-related-hosts, related.hosts>>
+
 | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
 
 type: keyword
@@ -4768,7 +5548,10 @@ Note: this field should contain an array of values.
 
 // ===============================================================
 
-| related.ip
+|
+[[field-related-ip]]
+<<field-related-ip, related.ip>>
+
 | All of the IPs seen on your event.
 
 type: ip
@@ -4784,7 +5567,10 @@ Note: this field should contain an array of values.
 
 // ===============================================================
 
-| related.user
+|
+[[field-related-user]]
+<<field-related-user, related.user>>
+
 | All the user names seen on your event.
 
 type: keyword
@@ -4818,7 +5604,10 @@ Examples of data sources that would populate the rule fields include: network ad
 
 // ===============================================================
 
-| rule.author
+|
+[[field-rule-author]]
+<<field-rule-author, rule.author>>
+
 | Name, organization, or pseudonym of the author or authors who created the rule used to generate this event.
 
 type: keyword
@@ -4834,7 +5623,10 @@ example: `["Star-Lord"]`
 
 // ===============================================================
 
-| rule.category
+|
+[[field-rule-category]]
+<<field-rule-category, rule.category>>
+
 | A categorization value keyword used by the entity using the rule for detection of this event.
 
 type: keyword
@@ -4847,7 +5639,10 @@ example: `Attempted Information Leak`
 
 // ===============================================================
 
-| rule.description
+|
+[[field-rule-description]]
+<<field-rule-description, rule.description>>
+
 | The description of the rule generating the event.
 
 type: keyword
@@ -4860,7 +5655,10 @@ example: `Block requests to public DNS over HTTPS / TLS protocols`
 
 // ===============================================================
 
-| rule.id
+|
+[[field-rule-id]]
+<<field-rule-id, rule.id>>
+
 | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.
 
 type: keyword
@@ -4873,7 +5671,10 @@ example: `101`
 
 // ===============================================================
 
-| rule.license
+|
+[[field-rule-license]]
+<<field-rule-license, rule.license>>
+
 | Name of the license under which the rule used to generate this event is made available.
 
 type: keyword
@@ -4886,7 +5687,10 @@ example: `Apache 2.0`
 
 // ===============================================================
 
-| rule.name
+|
+[[field-rule-name]]
+<<field-rule-name, rule.name>>
+
 | The name of the rule or signature generating the event.
 
 type: keyword
@@ -4899,7 +5703,10 @@ example: `BLOCK_DNS_over_TLS`
 
 // ===============================================================
 
-| rule.reference
+|
+[[field-rule-reference]]
+<<field-rule-reference, rule.reference>>
+
 | Reference URL to additional information about the rule used to generate this event.
 
 The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert.
@@ -4914,7 +5721,10 @@ example: `https://en.wikipedia.org/wiki/DNS_over_TLS`
 
 // ===============================================================
 
-| rule.ruleset
+|
+[[field-rule-ruleset]]
+<<field-rule-ruleset, rule.ruleset>>
+
 | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member.
 
 type: keyword
@@ -4927,7 +5737,10 @@ example: `Standard_Protocol_Filters`
 
 // ===============================================================
 
-| rule.uuid
+|
+[[field-rule-uuid]]
+<<field-rule-uuid, rule.uuid>>
+
 | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event.
 
 type: keyword
@@ -4940,7 +5753,10 @@ example: `1100110011`
 
 // ===============================================================
 
-| rule.version
+|
+[[field-rule-version]]
+<<field-rule-version, rule.version>>
+
 | The version / revision of the rule being used for analysis.
 
 type: keyword
@@ -4973,7 +5789,10 @@ Client / server representations can add semantic context to an exchange, which i
 
 // ===============================================================
 
-| server.address
+|
+[[field-server-address]]
+<<field-server-address, server.address>>
+
 | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field.
 
 Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
@@ -4988,7 +5807,10 @@ type: keyword
 
 // ===============================================================
 
-| server.bytes
+|
+[[field-server-bytes]]
+<<field-server-bytes, server.bytes>>
+
 | Bytes sent from the server to the client.
 
 type: long
@@ -5001,7 +5823,10 @@ example: `184`
 
 // ===============================================================
 
-| server.domain
+|
+[[field-server-domain]]
+<<field-server-domain, server.domain>>
+
 | Server domain.
 
 type: keyword
@@ -5014,7 +5839,10 @@ type: keyword
 
 // ===============================================================
 
-| server.ip
+|
+[[field-server-ip]]
+<<field-server-ip, server.ip>>
+
 | IP address of the server (IPv4 or IPv6).
 
 type: ip
@@ -5027,7 +5855,10 @@ type: ip
 
 // ===============================================================
 
-| server.mac
+|
+[[field-server-mac]]
+<<field-server-mac, server.mac>>
+
 | MAC address of the server.
 
 type: keyword
@@ -5040,7 +5871,10 @@ type: keyword
 
 // ===============================================================
 
-| server.nat.ip
+|
+[[field-server-nat-ip]]
+<<field-server-nat-ip, server.nat.ip>>
+
 | Translated ip of destination based NAT sessions (e.g. internet to private DMZ)
 
 Typically used with load balancers, firewalls, or routers.
@@ -5055,7 +5889,10 @@ type: ip
 
 // ===============================================================
 
-| server.nat.port
+|
+[[field-server-nat-port]]
+<<field-server-nat-port, server.nat.port>>
+
 | Translated port of destination based NAT sessions (e.g. internet to private DMZ)
 
 Typically used with load balancers, firewalls, or routers.
@@ -5070,7 +5907,10 @@ type: long
 
 // ===============================================================
 
-| server.packets
+|
+[[field-server-packets]]
+<<field-server-packets, server.packets>>
+
 | Packets sent from the server to the client.
 
 type: long
@@ -5083,7 +5923,10 @@ example: `12`
 
 // ===============================================================
 
-| server.port
+|
+[[field-server-port]]
+<<field-server-port, server.port>>
+
 | Port of the server.
 
 type: long
@@ -5096,7 +5939,10 @@ type: long
 
 // ===============================================================
 
-| server.registered_domain
+|
+[[field-server-registered-domain]]
+<<field-server-registered-domain, server.registered_domain>>
+
 | The highest registered server domain, stripped of the subdomain.
 
 For example, the registered domain for "foo.example.com" is "example.com".
@@ -5113,7 +5959,10 @@ example: `example.com`
 
 // ===============================================================
 
-| server.subdomain
+|
+[[field-server-subdomain]]
+<<field-server-subdomain, server.subdomain>>
+
 | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
 
 For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
@@ -5128,7 +5977,10 @@ example: `east`
 
 // ===============================================================
 
-| server.top_level_domain
+|
+[[field-server-top-level-domain]]
+<<field-server-top-level-domain, server.top_level_domain>>
+
 | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
 
 This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
@@ -5198,7 +6050,10 @@ These fields help you find and correlate logs for a specific service and version
 
 // ===============================================================
 
-| service.ephemeral_id
+|
+[[field-service-ephemeral-id]]
+<<field-service-ephemeral-id, service.ephemeral_id>>
+
 | Ephemeral identifier of this service (if one exists).
 
 This id normally changes across restarts, but `service.id` does not.
@@ -5213,7 +6068,10 @@ example: `8a4f500f`
 
 // ===============================================================
 
-| service.id
+|
+[[field-service-id]]
+<<field-service-id, service.id>>
+
 | Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes.
 
 This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event.
@@ -5230,7 +6088,10 @@ example: `d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6`
 
 // ===============================================================
 
-| service.name
+|
+[[field-service-name]]
+<<field-service-name, service.name>>
+
 | Name of the service data is collected from.
 
 The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name.
@@ -5247,7 +6108,10 @@ example: `elasticsearch-metrics`
 
 // ===============================================================
 
-| service.node.name
+|
+[[field-service-node-name]]
+<<field-service-node-name, service.node.name>>
+
 | Name of a service node.
 
 This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service.
@@ -5264,7 +6128,10 @@ example: `instance-0000000016`
 
 // ===============================================================
 
-| service.state
+|
+[[field-service-state]]
+<<field-service-state, service.state>>
+
 | Current state of the service.
 
 type: keyword
@@ -5277,7 +6144,10 @@ type: keyword
 
 // ===============================================================
 
-| service.type
+|
+[[field-service-type]]
+<<field-service-type, service.type>>
+
 | The type of the service data is collected from.
 
 The type can be used to group and correlate logs and metrics from one service type.
@@ -5294,7 +6164,10 @@ example: `elasticsearch`
 
 // ===============================================================
 
-| service.version
+|
+[[field-service-version]]
+<<field-service-version, service.version>>
+
 | Version of the service the data was collected from.
 
 This allows to look at a data set only for a specific version of a service.
@@ -5327,7 +6200,10 @@ Source fields are usually populated in conjunction with destination fields. The
 
 // ===============================================================
 
-| source.address
+|
+[[field-source-address]]
+<<field-source-address, source.address>>
+
 | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field.
 
 Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
@@ -5342,7 +6218,10 @@ type: keyword
 
 // ===============================================================
 
-| source.bytes
+|
+[[field-source-bytes]]
+<<field-source-bytes, source.bytes>>
+
 | Bytes sent from the source to the destination.
 
 type: long
@@ -5355,7 +6234,10 @@ example: `184`
 
 // ===============================================================
 
-| source.domain
+|
+[[field-source-domain]]
+<<field-source-domain, source.domain>>
+
 | Source domain.
 
 type: keyword
@@ -5368,7 +6250,10 @@ type: keyword
 
 // ===============================================================
 
-| source.ip
+|
+[[field-source-ip]]
+<<field-source-ip, source.ip>>
+
 | IP address of the source (IPv4 or IPv6).
 
 type: ip
@@ -5381,7 +6266,10 @@ type: ip
 
 // ===============================================================
 
-| source.mac
+|
+[[field-source-mac]]
+<<field-source-mac, source.mac>>
+
 | MAC address of the source.
 
 type: keyword
@@ -5394,7 +6282,10 @@ type: keyword
 
 // ===============================================================
 
-| source.nat.ip
+|
+[[field-source-nat-ip]]
+<<field-source-nat-ip, source.nat.ip>>
+
 | Translated ip of source based NAT sessions (e.g. internal client to internet)
 
 Typically connections traversing load balancers, firewalls, or routers.
@@ -5409,7 +6300,10 @@ type: ip
 
 // ===============================================================
 
-| source.nat.port
+|
+[[field-source-nat-port]]
+<<field-source-nat-port, source.nat.port>>
+
 | Translated port of source based NAT sessions. (e.g. internal client to internet)
 
 Typically used with load balancers, firewalls, or routers.
@@ -5424,7 +6318,10 @@ type: long
 
 // ===============================================================
 
-| source.packets
+|
+[[field-source-packets]]
+<<field-source-packets, source.packets>>
+
 | Packets sent from the source to the destination.
 
 type: long
@@ -5437,7 +6334,10 @@ example: `12`
 
 // ===============================================================
 
-| source.port
+|
+[[field-source-port]]
+<<field-source-port, source.port>>
+
 | Port of the source.
 
 type: long
@@ -5450,7 +6350,10 @@ type: long
 
 // ===============================================================
 
-| source.registered_domain
+|
+[[field-source-registered-domain]]
+<<field-source-registered-domain, source.registered_domain>>
+
 | The highest registered source domain, stripped of the subdomain.
 
 For example, the registered domain for "foo.example.com" is "example.com".
@@ -5467,7 +6370,10 @@ example: `example.com`
 
 // ===============================================================
 
-| source.subdomain
+|
+[[field-source-subdomain]]
+<<field-source-subdomain, source.subdomain>>
+
 | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
 
 For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
@@ -5482,7 +6388,10 @@ example: `east`
 
 // ===============================================================
 
-| source.top_level_domain
+|
+[[field-source-top-level-domain]]
+<<field-source-top-level-domain, source.top_level_domain>>
+
 | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
 
 This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
@@ -5552,7 +6461,10 @@ These fields are for users to classify alerts from all of their sources (e.g. ID
 
 // ===============================================================
 
-| threat.framework
+|
+[[field-threat-framework]]
+<<field-threat-framework, threat.framework>>
+
 | Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events.
 
 type: keyword
@@ -5565,7 +6477,10 @@ example: `MITRE ATT&CK`
 
 // ===============================================================
 
-| threat.tactic.id
+|
+[[field-threat-tactic-id]]
+<<field-threat-tactic-id, threat.tactic.id>>
+
 | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )
 
 type: keyword
@@ -5581,7 +6496,10 @@ example: `TA0002`
 
 // ===============================================================
 
-| threat.tactic.name
+|
+[[field-threat-tactic-name]]
+<<field-threat-tactic-name, threat.tactic.name>>
+
 | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)
 
 type: keyword
@@ -5597,7 +6515,10 @@ example: `Execution`
 
 // ===============================================================
 
-| threat.tactic.reference
+|
+[[field-threat-tactic-reference]]
+<<field-threat-tactic-reference, threat.tactic.reference>>
+
 | The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )
 
 type: keyword
@@ -5613,7 +6534,10 @@ example: `https://attack.mitre.org/tactics/TA0002/`
 
 // ===============================================================
 
-| threat.technique.id
+|
+[[field-threat-technique-id]]
+<<field-threat-technique-id, threat.technique.id>>
+
 | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)
 
 type: keyword
@@ -5629,7 +6553,10 @@ example: `T1059`
 
 // ===============================================================
 
-| threat.technique.name
+|
+[[field-threat-technique-name]]
+<<field-threat-technique-name, threat.technique.name>>
+
 | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)
 
 type: keyword
@@ -5651,7 +6578,10 @@ example: `Command and Scripting Interpreter`
 
 // ===============================================================
 
-| threat.technique.reference
+|
+[[field-threat-technique-reference]]
+<<field-threat-technique-reference, threat.technique.reference>>
+
 | The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)
 
 type: keyword
@@ -5667,7 +6597,10 @@ example: `https://attack.mitre.org/techniques/T1059/`
 
 // ===============================================================
 
-| threat.technique.subtechnique.id
+|
+[[field-threat-technique-subtechnique-id]]
+<<field-threat-technique-subtechnique-id, threat.technique.subtechnique.id>>
+
 | The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)
 
 type: keyword
@@ -5683,7 +6616,10 @@ example: `T1059.001`
 
 // ===============================================================
 
-| threat.technique.subtechnique.name
+|
+[[field-threat-technique-subtechnique-name]]
+<<field-threat-technique-subtechnique-name, threat.technique.subtechnique.name>>
+
 | The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)
 
 type: keyword
@@ -5705,7 +6641,10 @@ example: `PowerShell`
 
 // ===============================================================
 
-| threat.technique.subtechnique.reference
+|
+[[field-threat-technique-subtechnique-reference]]
+<<field-threat-technique-subtechnique-reference, threat.technique.subtechnique.reference>>
+
 | The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)
 
 type: keyword
@@ -5737,7 +6676,10 @@ Fields related to a TLS connection. These fields focus on the TLS protocol itsel
 
 // ===============================================================
 
-| tls.cipher
+|
+[[field-tls-cipher]]
+<<field-tls-cipher, tls.cipher>>
+
 | String indicating the cipher used during the current connection.
 
 type: keyword
@@ -5750,7 +6692,10 @@ example: `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`
 
 // ===============================================================
 
-| tls.client.certificate
+|
+[[field-tls-client-certificate]]
+<<field-tls-client-certificate, tls.client.certificate>>
+
 | PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list.
 
 type: keyword
@@ -5763,7 +6708,10 @@ example: `MII...`
 
 // ===============================================================
 
-| tls.client.certificate_chain
+|
+[[field-tls-client-certificate-chain]]
+<<field-tls-client-certificate-chain, tls.client.certificate_chain>>
+
 | Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain.
 
 type: keyword
@@ -5779,7 +6727,10 @@ example: `["MII...", "MII..."]`
 
 // ===============================================================
 
-| tls.client.hash.md5
+|
+[[field-tls-client-hash-md5]]
+<<field-tls-client-hash-md5, tls.client.hash.md5>>
+
 | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
 
 type: keyword
@@ -5792,7 +6743,10 @@ example: `0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC`
 
 // ===============================================================
 
-| tls.client.hash.sha1
+|
+[[field-tls-client-hash-sha1]]
+<<field-tls-client-hash-sha1, tls.client.hash.sha1>>
+
 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
 
 type: keyword
@@ -5805,7 +6759,10 @@ example: `9E393D93138888D288266C2D915214D1D1CCEB2A`
 
 // ===============================================================
 
-| tls.client.hash.sha256
+|
+[[field-tls-client-hash-sha256]]
+<<field-tls-client-hash-sha256, tls.client.hash.sha256>>
+
 | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
 
 type: keyword
@@ -5818,7 +6775,10 @@ example: `0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0`
 
 // ===============================================================
 
-| tls.client.issuer
+|
+[[field-tls-client-issuer]]
+<<field-tls-client-issuer, tls.client.issuer>>
+
 | Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
 
 type: keyword
@@ -5831,7 +6791,10 @@ example: `CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com`
 
 // ===============================================================
 
-| tls.client.ja3
+|
+[[field-tls-client-ja3]]
+<<field-tls-client-ja3, tls.client.ja3>>
+
 | A hash that identifies clients based on how they perform an SSL/TLS handshake.
 
 type: keyword
@@ -5844,7 +6807,10 @@ example: `d4e5b18d6b55c71272893221c96ba240`
 
 // ===============================================================
 
-| tls.client.not_after
+|
+[[field-tls-client-not-after]]
+<<field-tls-client-not-after, tls.client.not_after>>
+
 | Date/Time indicating when client certificate is no longer considered valid.
 
 type: date
@@ -5857,7 +6823,10 @@ example: `2021-01-01T00:00:00.000Z`
 
 // ===============================================================
 
-| tls.client.not_before
+|
+[[field-tls-client-not-before]]
+<<field-tls-client-not-before, tls.client.not_before>>
+
 | Date/Time indicating when client certificate is first considered valid.
 
 type: date
@@ -5870,7 +6839,10 @@ example: `1970-01-01T00:00:00.000Z`
 
 // ===============================================================
 
-| tls.client.server_name
+|
+[[field-tls-client-server-name]]
+<<field-tls-client-server-name, tls.client.server_name>>
+
 | Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`.
 
 type: keyword
@@ -5883,7 +6855,10 @@ example: `www.elastic.co`
 
 // ===============================================================
 
-| tls.client.subject
+|
+[[field-tls-client-subject]]
+<<field-tls-client-subject, tls.client.subject>>
+
 | Distinguished name of subject of the x.509 certificate presented by the client.
 
 type: keyword
@@ -5896,7 +6871,10 @@ example: `CN=myclient, OU=Documentation Team, DC=example, DC=com`
 
 // ===============================================================
 
-| tls.client.supported_ciphers
+|
+[[field-tls-client-supported-ciphers]]
+<<field-tls-client-supported-ciphers, tls.client.supported_ciphers>>
+
 | Array of ciphers offered by the client during the client hello.
 
 type: keyword
@@ -5912,7 +6890,10 @@ example: `["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_25
 
 // ===============================================================
 
-| tls.curve
+|
+[[field-tls-curve]]
+<<field-tls-curve, tls.curve>>
+
 | String indicating the curve used for the given cipher, when applicable.
 
 type: keyword
@@ -5925,7 +6906,10 @@ example: `secp256r1`
 
 // ===============================================================
 
-| tls.established
+|
+[[field-tls-established]]
+<<field-tls-established, tls.established>>
+
 | Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
 
 type: boolean
@@ -5938,7 +6922,10 @@ type: boolean
 
 // ===============================================================
 
-| tls.next_protocol
+|
+[[field-tls-next-protocol]]
+<<field-tls-next-protocol, tls.next_protocol>>
+
 | String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case.
 
 type: keyword
@@ -5951,7 +6938,10 @@ example: `http/1.1`
 
 // ===============================================================
 
-| tls.resumed
+|
+[[field-tls-resumed]]
+<<field-tls-resumed, tls.resumed>>
+
 | Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
 
 type: boolean
@@ -5964,7 +6954,10 @@ type: boolean
 
 // ===============================================================
 
-| tls.server.certificate
+|
+[[field-tls-server-certificate]]
+<<field-tls-server-certificate, tls.server.certificate>>
+
 | PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list.
 
 type: keyword
@@ -5977,7 +6970,10 @@ example: `MII...`
 
 // ===============================================================
 
-| tls.server.certificate_chain
+|
+[[field-tls-server-certificate-chain]]
+<<field-tls-server-certificate-chain, tls.server.certificate_chain>>
+
 | Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain.
 
 type: keyword
@@ -5993,7 +6989,10 @@ example: `["MII...", "MII..."]`
 
 // ===============================================================
 
-| tls.server.hash.md5
+|
+[[field-tls-server-hash-md5]]
+<<field-tls-server-hash-md5, tls.server.hash.md5>>
+
 | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
 
 type: keyword
@@ -6006,7 +7005,10 @@ example: `0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC`
 
 // ===============================================================
 
-| tls.server.hash.sha1
+|
+[[field-tls-server-hash-sha1]]
+<<field-tls-server-hash-sha1, tls.server.hash.sha1>>
+
 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
 
 type: keyword
@@ -6019,7 +7021,10 @@ example: `9E393D93138888D288266C2D915214D1D1CCEB2A`
 
 // ===============================================================
 
-| tls.server.hash.sha256
+|
+[[field-tls-server-hash-sha256]]
+<<field-tls-server-hash-sha256, tls.server.hash.sha256>>
+
 | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
 
 type: keyword
@@ -6032,7 +7037,10 @@ example: `0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0`
 
 // ===============================================================
 
-| tls.server.issuer
+|
+[[field-tls-server-issuer]]
+<<field-tls-server-issuer, tls.server.issuer>>
+
 | Subject of the issuer of the x.509 certificate presented by the server.
 
 type: keyword
@@ -6045,7 +7053,10 @@ example: `CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com`
 
 // ===============================================================
 
-| tls.server.ja3s
+|
+[[field-tls-server-ja3s]]
+<<field-tls-server-ja3s, tls.server.ja3s>>
+
 | A hash that identifies servers based on how they perform an SSL/TLS handshake.
 
 type: keyword
@@ -6058,7 +7069,10 @@ example: `394441ab65754e2207b1e1b457b3641d`
 
 // ===============================================================
 
-| tls.server.not_after
+|
+[[field-tls-server-not-after]]
+<<field-tls-server-not-after, tls.server.not_after>>
+
 | Timestamp indicating when server certificate is no longer considered valid.
 
 type: date
@@ -6071,7 +7085,10 @@ example: `2021-01-01T00:00:00.000Z`
 
 // ===============================================================
 
-| tls.server.not_before
+|
+[[field-tls-server-not-before]]
+<<field-tls-server-not-before, tls.server.not_before>>
+
 | Timestamp indicating when server certificate is first considered valid.
 
 type: date
@@ -6084,7 +7101,10 @@ example: `1970-01-01T00:00:00.000Z`
 
 // ===============================================================
 
-| tls.server.subject
+|
+[[field-tls-server-subject]]
+<<field-tls-server-subject, tls.server.subject>>
+
 | Subject of the x.509 certificate presented by the server.
 
 type: keyword
@@ -6097,7 +7117,10 @@ example: `CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com`
 
 // ===============================================================
 
-| tls.version
+|
+[[field-tls-version]]
+<<field-tls-version, tls.version>>
+
 | Numeric part of the version parsed from the original string.
 
 type: keyword
@@ -6110,7 +7133,10 @@ example: `1.2`
 
 // ===============================================================
 
-| tls.version_protocol
+|
+[[field-tls-version-protocol]]
+<<field-tls-version-protocol, tls.version_protocol>>
+
 | Normalized lowercase protocol name parsed from original string.
 
 type: keyword
@@ -6170,7 +7196,10 @@ Distributed tracing makes it possible to analyze performance throughout a micros
 
 // ===============================================================
 
-| span.id
+|
+[[field-span-id]]
+<<field-span-id, span.id>>
+
 | Unique identifier of the span within the scope of its trace.
 
 A span represents an operation within a transaction, such as a request to another service, or a database query.
@@ -6185,7 +7214,10 @@ example: `3ff9a8981b7ccd5a`
 
 // ===============================================================
 
-| trace.id
+|
+[[field-trace-id]]
+<<field-trace-id, trace.id>>
+
 | Unique identifier of the trace.
 
 A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services.
@@ -6200,7 +7232,10 @@ example: `4bf92f3577b34da6a3ce929d0e0e4736`
 
 // ===============================================================
 
-| transaction.id
+|
+[[field-transaction-id]]
+<<field-transaction-id, transaction.id>>
+
 | Unique identifier of the transaction within the scope of its trace.
 
 A transaction is the highest level of work measured within a service, such as a request to a server.
@@ -6231,7 +7266,10 @@ URL fields provide support for complete or partial URLs, and supports the breaki
 
 // ===============================================================
 
-| url.domain
+|
+[[field-url-domain]]
+<<field-url-domain, url.domain>>
+
 | Domain of the url, such as "www.elastic.co".
 
 In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
@@ -6246,7 +7284,10 @@ example: `www.elastic.co`
 
 // ===============================================================
 
-| url.extension
+|
+[[field-url-extension]]
+<<field-url-extension, url.extension>>
+
 | The field contains the file extension from the original request url, excluding the leading dot.
 
 The file extension is only set if it exists, as not every url has a file extension.
@@ -6265,7 +7306,10 @@ example: `png`
 
 // ===============================================================
 
-| url.fragment
+|
+[[field-url-fragment]]
+<<field-url-fragment, url.fragment>>
+
 | Portion of the url after the `#`, such as "top".
 
 The `#` is not part of the fragment.
@@ -6280,7 +7324,10 @@ type: keyword
 
 // ===============================================================
 
-| url.full
+|
+[[field-url-full]]
+<<field-url-full, url.full>>
+
 | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
 
 type: keyword
@@ -6299,7 +7346,10 @@ example: `https://www.elastic.co:443/search?q=elasticsearch#top`
 
 // ===============================================================
 
-| url.original
+|
+[[field-url-original]]
+<<field-url-original, url.original>>
+
 | Unmodified original url as seen in the event source.
 
 Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
@@ -6322,7 +7372,10 @@ example: `https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=ela
 
 // ===============================================================
 
-| url.password
+|
+[[field-url-password]]
+<<field-url-password, url.password>>
+
 | Password of the request.
 
 type: keyword
@@ -6335,7 +7388,10 @@ type: keyword
 
 // ===============================================================
 
-| url.path
+|
+[[field-url-path]]
+<<field-url-path, url.path>>
+
 | Path of the request, such as "/search".
 
 type: keyword
@@ -6348,7 +7404,10 @@ type: keyword
 
 // ===============================================================
 
-| url.port
+|
+[[field-url-port]]
+<<field-url-port, url.port>>
+
 | Port of the request, such as 443.
 
 type: long
@@ -6361,7 +7420,10 @@ example: `443`
 
 // ===============================================================
 
-| url.query
+|
+[[field-url-query]]
+<<field-url-query, url.query>>
+
 | The query field describes the query string of the request, such as "q=elasticsearch".
 
 The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
@@ -6376,7 +7438,10 @@ type: keyword
 
 // ===============================================================
 
-| url.registered_domain
+|
+[[field-url-registered-domain]]
+<<field-url-registered-domain, url.registered_domain>>
+
 | The highest registered url domain, stripped of the subdomain.
 
 For example, the registered domain for "foo.example.com" is "example.com".
@@ -6393,7 +7458,10 @@ example: `example.com`
 
 // ===============================================================
 
-| url.scheme
+|
+[[field-url-scheme]]
+<<field-url-scheme, url.scheme>>
+
 | Scheme of the request, such as "https".
 
 Note: The `:` is not part of the scheme.
@@ -6408,7 +7476,10 @@ example: `https`
 
 // ===============================================================
 
-| url.subdomain
+|
+[[field-url-subdomain]]
+<<field-url-subdomain, url.subdomain>>
+
 | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
 
 For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
@@ -6423,7 +7494,10 @@ example: `east`
 
 // ===============================================================
 
-| url.top_level_domain
+|
+[[field-url-top-level-domain]]
+<<field-url-top-level-domain, url.top_level_domain>>
+
 | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
 
 This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
@@ -6438,7 +7512,10 @@ example: `co.uk`
 
 // ===============================================================
 
-| url.username
+|
+[[field-url-username]]
+<<field-url-username, url.username>>
+
 | Username of the request.
 
 type: keyword
@@ -6469,7 +7546,10 @@ Fields can have one entry or multiple entries. If a user has more than one id, p
 
 // ===============================================================
 
-| user.domain
+|
+[[field-user-domain]]
+<<field-user-domain, user.domain>>
+
 | Name of the directory the user is a member of.
 
 For example, an LDAP or Active Directory domain name.
@@ -6484,7 +7564,10 @@ type: keyword
 
 // ===============================================================
 
-| user.email
+|
+[[field-user-email]]
+<<field-user-email, user.email>>
+
 | User email address.
 
 type: keyword
@@ -6497,7 +7580,10 @@ type: keyword
 
 // ===============================================================
 
-| user.full_name
+|
+[[field-user-full-name]]
+<<field-user-full-name, user.full_name>>
+
 | User's full name, if available.
 
 type: keyword
@@ -6516,7 +7602,10 @@ example: `Albert Einstein`
 
 // ===============================================================
 
-| user.hash
+|
+[[field-user-hash]]
+<<field-user-hash, user.hash>>
+
 | Unique user hash to correlate information for a user in anonymized form.
 
 Useful if `user.id` or `user.name` contain confidential information and cannot be used.
@@ -6531,7 +7620,10 @@ type: keyword
 
 // ===============================================================
 
-| user.id
+|
+[[field-user-id]]
+<<field-user-id, user.id>>
+
 | Unique identifier of the user.
 
 type: keyword
@@ -6544,7 +7636,10 @@ type: keyword
 
 // ===============================================================
 
-| user.name
+|
+[[field-user-name]]
+<<field-user-name, user.name>>
+
 | Short name or login of the user.
 
 type: keyword
@@ -6563,7 +7658,10 @@ example: `albert`
 
 // ===============================================================
 
-| user.roles
+|
+[[field-user-roles]]
+<<field-user-roles, user.roles>>
+
 | Array of user roles at the time of the event.
 
 type: keyword
@@ -6626,7 +7724,10 @@ They often show up in web service logs coming from the parsed user agent string.
 
 // ===============================================================
 
-| user_agent.device.name
+|
+[[field-user-agent-device-name]]
+<<field-user-agent-device-name, user_agent.device.name>>
+
 | Name of the device.
 
 type: keyword
@@ -6639,7 +7740,10 @@ example: `iPhone`
 
 // ===============================================================
 
-| user_agent.name
+|
+[[field-user-agent-name]]
+<<field-user-agent-name, user_agent.name>>
+
 | Name of the user agent.
 
 type: keyword
@@ -6652,7 +7756,10 @@ example: `Safari`
 
 // ===============================================================
 
-| user_agent.original
+|
+[[field-user-agent-original]]
+<<field-user-agent-original, user_agent.original>>
+
 | Unparsed user_agent string.
 
 type: keyword
@@ -6671,7 +7778,10 @@ example: `Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605
 
 // ===============================================================
 
-| user_agent.version
+|
+[[field-user-agent-version]]
+<<field-user-agent-version, user_agent.version>>
+
 | Version of the user agent.
 
 type: keyword
@@ -6731,7 +7841,10 @@ Observer.ingress and observer.egress VLAN values are used to record observer spe
 
 // ===============================================================
 
-| vlan.id
+|
+[[field-vlan-id]]
+<<field-vlan-id, vlan.id>>
+
 | VLAN ID as reported by the observer.
 
 type: keyword
@@ -6744,7 +7857,10 @@ example: `10`
 
 // ===============================================================
 
-| vlan.name
+|
+[[field-vlan-name]]
+<<field-vlan-name, vlan.name>>
+
 | Optional VLAN name as reported by the observer.
 
 type: keyword
@@ -6783,7 +7899,10 @@ The vulnerability fields describe information about a vulnerability that is rele
 
 // ===============================================================
 
-| vulnerability.category
+|
+[[field-vulnerability-category]]
+<<field-vulnerability-category, vulnerability.category>>
+
 | The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories])
 
 This field must be an array.
@@ -6801,7 +7920,10 @@ example: `["Firewall"]`
 
 // ===============================================================
 
-| vulnerability.classification
+|
+[[field-vulnerability-classification]]
+<<field-vulnerability-classification, vulnerability.classification>>
+
 | The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/)
 
 type: keyword
@@ -6814,7 +7936,10 @@ example: `CVSS`
 
 // ===============================================================
 
-| vulnerability.description
+|
+[[field-vulnerability-description]]
+<<field-vulnerability-description, vulnerability.description>>
+
 | The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description])
 
 type: keyword
@@ -6833,7 +7958,10 @@ example: `In macOS before 2.12.6, there is a vulnerability in the RPC...`
 
 // ===============================================================
 
-| vulnerability.enumeration
+|
+[[field-vulnerability-enumeration]]
+<<field-vulnerability-enumeration, vulnerability.enumeration>>
+
 | The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/)
 
 type: keyword
@@ -6846,7 +7974,10 @@ example: `CVE`
 
 // ===============================================================
 
-| vulnerability.id
+|
+[[field-vulnerability-id]]
+<<field-vulnerability-id, vulnerability.id>>
+
 | The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID]
 
 type: keyword
@@ -6859,7 +7990,10 @@ example: `CVE-2019-00001`
 
 // ===============================================================
 
-| vulnerability.reference
+|
+[[field-vulnerability-reference]]
+<<field-vulnerability-reference, vulnerability.reference>>
+
 | A resource that provides additional information, context, and mitigations for the identified vulnerability.
 
 type: keyword
@@ -6872,7 +8006,10 @@ example: `https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111`
 
 // ===============================================================
 
-| vulnerability.report_id
+|
+[[field-vulnerability-report-id]]
+<<field-vulnerability-report-id, vulnerability.report_id>>
+
 | The report or scan identification number.
 
 type: keyword
@@ -6885,7 +8022,10 @@ example: `20191018.0001`
 
 // ===============================================================
 
-| vulnerability.scanner.vendor
+|
+[[field-vulnerability-scanner-vendor]]
+<<field-vulnerability-scanner-vendor, vulnerability.scanner.vendor>>
+
 | The name of the vulnerability scanner vendor.
 
 type: keyword
@@ -6898,7 +8038,10 @@ example: `Tenable`
 
 // ===============================================================
 
-| vulnerability.score.base
+|
+[[field-vulnerability-score-base]]
+<<field-vulnerability-score-base, vulnerability.score.base>>
+
 | Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
 
 Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document)
@@ -6913,7 +8056,10 @@ example: `5.5`
 
 // ===============================================================
 
-| vulnerability.score.environmental
+|
+[[field-vulnerability-score-environmental]]
+<<field-vulnerability-score-environmental, vulnerability.score.environmental>>
+
 | Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
 
 Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document)
@@ -6928,7 +8074,10 @@ example: `5.5`
 
 // ===============================================================
 
-| vulnerability.score.temporal
+|
+[[field-vulnerability-score-temporal]]
+<<field-vulnerability-score-temporal, vulnerability.score.temporal>>
+
 | Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
 
 Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document)
@@ -6943,7 +8092,10 @@ type: float
 
 // ===============================================================
 
-| vulnerability.score.version
+|
+[[field-vulnerability-score-version]]
+<<field-vulnerability-score-version, vulnerability.score.version>>
+
 | The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification.
 
 CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss)
@@ -6958,7 +8110,10 @@ example: `2.0`
 
 // ===============================================================
 
-| vulnerability.severity
+|
+[[field-vulnerability-severity]]
+<<field-vulnerability-severity, vulnerability.severity>>
+
 | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss)
 
 type: keyword
@@ -6991,7 +8146,10 @@ Events that contain certificate information about network connections, should us
 
 // ===============================================================
 
-| x509.alternative_names
+|
+[[field-x509-alternative-names]]
+<<field-x509-alternative-names, x509.alternative_names>>
+
 | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
 
 type: keyword
@@ -7007,7 +8165,10 @@ example: `*.elastic.co`
 
 // ===============================================================
 
-| x509.issuer.common_name
+|
+[[field-x509-issuer-common-name]]
+<<field-x509-issuer-common-name, x509.issuer.common_name>>
+
 | List of common name (CN) of issuing certificate authority.
 
 type: keyword
@@ -7023,7 +8184,10 @@ example: `Example SHA2 High Assurance Server CA`
 
 // ===============================================================
 
-| x509.issuer.country
+|
+[[field-x509-issuer-country]]
+<<field-x509-issuer-country, x509.issuer.country>>
+
 | List of country (C) codes
 
 type: keyword
@@ -7039,7 +8203,10 @@ example: `US`
 
 // ===============================================================
 
-| x509.issuer.distinguished_name
+|
+[[field-x509-issuer-distinguished-name]]
+<<field-x509-issuer-distinguished-name, x509.issuer.distinguished_name>>
+
 | Distinguished name (DN) of issuing certificate authority.
 
 type: keyword
@@ -7052,7 +8219,10 @@ example: `C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assuranc
 
 // ===============================================================
 
-| x509.issuer.locality
+|
+[[field-x509-issuer-locality]]
+<<field-x509-issuer-locality, x509.issuer.locality>>
+
 | List of locality names (L)
 
 type: keyword
@@ -7068,7 +8238,10 @@ example: `Mountain View`
 
 // ===============================================================
 
-| x509.issuer.organization
+|
+[[field-x509-issuer-organization]]
+<<field-x509-issuer-organization, x509.issuer.organization>>
+
 | List of organizations (O) of issuing certificate authority.
 
 type: keyword
@@ -7084,7 +8257,10 @@ example: `Example Inc`
 
 // ===============================================================
 
-| x509.issuer.organizational_unit
+|
+[[field-x509-issuer-organizational-unit]]
+<<field-x509-issuer-organizational-unit, x509.issuer.organizational_unit>>
+
 | List of organizational units (OU) of issuing certificate authority.
 
 type: keyword
@@ -7100,7 +8276,10 @@ example: `www.example.com`
 
 // ===============================================================
 
-| x509.issuer.state_or_province
+|
+[[field-x509-issuer-state-or-province]]
+<<field-x509-issuer-state-or-province, x509.issuer.state_or_province>>
+
 | List of state or province names (ST, S, or P)
 
 type: keyword
@@ -7116,7 +8295,10 @@ example: `California`
 
 // ===============================================================
 
-| x509.not_after
+|
+[[field-x509-not-after]]
+<<field-x509-not-after, x509.not_after>>
+
 | Time at which the certificate is no longer considered valid.
 
 type: date
@@ -7129,7 +8311,10 @@ example: `2020-07-16 03:15:39+00:00`
 
 // ===============================================================
 
-| x509.not_before
+|
+[[field-x509-not-before]]
+<<field-x509-not-before, x509.not_before>>
+
 | Time at which the certificate is first considered valid.
 
 type: date
@@ -7142,7 +8327,10 @@ example: `2019-08-16 01:40:25+00:00`
 
 // ===============================================================
 
-| x509.public_key_algorithm
+|
+[[field-x509-public-key-algorithm]]
+<<field-x509-public-key-algorithm, x509.public_key_algorithm>>
+
 | Algorithm used to generate the public key.
 
 type: keyword
@@ -7155,7 +8343,10 @@ example: `RSA`
 
 // ===============================================================
 
-| x509.public_key_curve
+|
+[[field-x509-public-key-curve]]
+<<field-x509-public-key-curve, x509.public_key_curve>>
+
 | The curve used by the elliptic curve public key algorithm. This is algorithm specific.
 
 type: keyword
@@ -7168,7 +8359,10 @@ example: `nistp521`
 
 // ===============================================================
 
-| x509.public_key_exponent
+|
+[[field-x509-public-key-exponent]]
+<<field-x509-public-key-exponent, x509.public_key_exponent>>
+
 | Exponent used to derive the public key. This is algorithm specific.
 
 type: long
@@ -7181,7 +8375,10 @@ example: `65537`
 
 // ===============================================================
 
-| x509.public_key_size
+|
+[[field-x509-public-key-size]]
+<<field-x509-public-key-size, x509.public_key_size>>
+
 | The size of the public key space in bits.
 
 type: long
@@ -7194,7 +8391,10 @@ example: `2048`
 
 // ===============================================================
 
-| x509.serial_number
+|
+[[field-x509-serial-number]]
+<<field-x509-serial-number, x509.serial_number>>
+
 | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
 
 type: keyword
@@ -7207,7 +8407,10 @@ example: `55FBB9C7DEBF09809D12CCAA`
 
 // ===============================================================
 
-| x509.signature_algorithm
+|
+[[field-x509-signature-algorithm]]
+<<field-x509-signature-algorithm, x509.signature_algorithm>>
+
 | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
 
 type: keyword
@@ -7220,7 +8423,10 @@ example: `SHA256-RSA`
 
 // ===============================================================
 
-| x509.subject.common_name
+|
+[[field-x509-subject-common-name]]
+<<field-x509-subject-common-name, x509.subject.common_name>>
+
 | List of common names (CN) of subject.
 
 type: keyword
@@ -7236,7 +8442,10 @@ example: `shared.global.example.net`
 
 // ===============================================================
 
-| x509.subject.country
+|
+[[field-x509-subject-country]]
+<<field-x509-subject-country, x509.subject.country>>
+
 | List of country (C) code
 
 type: keyword
@@ -7252,7 +8461,10 @@ example: `US`
 
 // ===============================================================
 
-| x509.subject.distinguished_name
+|
+[[field-x509-subject-distinguished-name]]
+<<field-x509-subject-distinguished-name, x509.subject.distinguished_name>>
+
 | Distinguished name (DN) of the certificate subject entity.
 
 type: keyword
@@ -7265,7 +8477,10 @@ example: `C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.globa
 
 // ===============================================================
 
-| x509.subject.locality
+|
+[[field-x509-subject-locality]]
+<<field-x509-subject-locality, x509.subject.locality>>
+
 | List of locality names (L)
 
 type: keyword
@@ -7281,7 +8496,10 @@ example: `San Francisco`
 
 // ===============================================================
 
-| x509.subject.organization
+|
+[[field-x509-subject-organization]]
+<<field-x509-subject-organization, x509.subject.organization>>
+
 | List of organizations (O) of subject.
 
 type: keyword
@@ -7297,7 +8515,10 @@ example: `Example, Inc.`
 
 // ===============================================================
 
-| x509.subject.organizational_unit
+|
+[[field-x509-subject-organizational-unit]]
+<<field-x509-subject-organizational-unit, x509.subject.organizational_unit>>
+
 | List of organizational units (OU) of subject.
 
 type: keyword
@@ -7313,7 +8534,10 @@ Note: this field should contain an array of values.
 
 // ===============================================================
 
-| x509.subject.state_or_province
+|
+[[field-x509-subject-state-or-province]]
+<<field-x509-subject-state-or-province, x509.subject.state_or_province>>
+
 | List of state or province names (ST, S, or P)
 
 type: keyword
@@ -7329,7 +8553,10 @@ example: `California`
 
 // ===============================================================
 
-| x509.version_number
+|
+[[field-x509-version-number]]
+<<field-x509-version-number, x509.version_number>>
+
 | Version of x509 format.
 
 type: keyword
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index 12da870f3a..a53975d700 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -1,5 +1,5 @@
 '@timestamp':
-  dashed_name: -timestamp
+  dashed_name: timestamp
   description: 'Date/time when the event originated.
 
     This is the date/time extracted from the event, typically representing when the
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index 84f21b05b8..ae2bf5b32c 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -158,7 +158,7 @@ base:
     events. These fields are common across all types of events.
   fields:
     '@timestamp':
-      dashed_name: -timestamp
+      dashed_name: timestamp
       description: 'Date/time when the event originated.
 
         This is the date/time extracted from the event, typically representing when
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index a4b7a0450b..cfee8c876f 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -1,5 +1,5 @@
 '@timestamp':
-  dashed_name: -timestamp
+  dashed_name: timestamp
   description: 'Date/time when the event originated.
 
     This is the date/time extracted from the event, typically representing when the
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index 72bea8756d..6c05ca5aba 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -160,7 +160,7 @@ base:
     events. These fields are common across all types of events.
   fields:
     '@timestamp':
-      dashed_name: -timestamp
+      dashed_name: timestamp
       description: 'Date/time when the event originated.
 
         This is the date/time extracted from the event, typically representing when
diff --git a/scripts/schema/finalizer.py b/scripts/schema/finalizer.py
index d1b4928507..3ae41acf41 100644
--- a/scripts/schema/finalizer.py
+++ b/scripts/schema/finalizer.py
@@ -176,7 +176,7 @@ def field_finalizer(details, path):
     name_array = path + [details['field_details']['node_name']]
     flat_name = '.'.join(name_array)
     details['field_details']['flat_name'] = flat_name
-    details['field_details']['dashed_name'] = re.sub('[@_\.]', '-', flat_name)
+    details['field_details']['dashed_name'] = re.sub('[_\.]', '-', flat_name).replace('@', '')
     if 'multi_fields' in details['field_details']:
         for mf in details['field_details']['multi_fields']:
             mf['flat_name'] = flat_name + '.' + mf['name']
diff --git a/scripts/templates/field_details.j2 b/scripts/templates/field_details.j2
index 643c2ccf5d..6e606f8783 100644
--- a/scripts/templates/field_details.j2
+++ b/scripts/templates/field_details.j2
@@ -32,7 +32,10 @@ beta::[ {{ fieldset['beta'] }}]
 {% if 'original_fieldset' not in field -%}
 
 {# `Field` column -#}
-| {{ field['flat_name'] }}
+|
+[[field-{{field['dashed_name']}}]]
+<<field-{{field['dashed_name']}}, {{ field['flat_name'] }}>>
+
 {# `Description` column -#}
 {#- Beta fields will add the `beta` label -#}
 {% if field['beta'] -%}
diff --git a/scripts/tests/unit/test_schema_finalizer.py b/scripts/tests/unit/test_schema_finalizer.py
index cea5c01e6d..7f016351d8 100644
--- a/scripts/tests/unit/test_schema_finalizer.py
+++ b/scripts/tests/unit/test_schema_finalizer.py
@@ -268,7 +268,7 @@ def test_calculate_final_values(self):
         timestamp_details = base_fields['@timestamp']['field_details']
         self.assertEqual(timestamp_details['flat_name'], '@timestamp',
                          "Field sets with root=true must not namespace field names with the field set's name")
-        self.assertEqual(timestamp_details['dashed_name'], '-timestamp')
+        self.assertEqual(timestamp_details['dashed_name'], 'timestamp')
         # root=false
         self.assertEqual(server_fields['ip']['field_details']['flat_name'], 'server.ip',
                          "Field sets with root=false must namespace field names with the field set's name")
@@ -288,7 +288,7 @@ def test_calculate_final_values(self):
     def test_dashed_name_cleanup(self):
         details = {'field_details': {'node_name': '@time.stamp_'}}
         finalizer.field_finalizer(details, [])
-        self.assertEqual(details['field_details']['dashed_name'], '-time-stamp-')
+        self.assertEqual(details['field_details']['dashed_name'], 'time-stamp-')
 
     # field_group_at_path
 

From e27a9487b2b6b8c1717849e02e5fe03cefc640bf Mon Sep 17 00:00:00 2001
From: Mathieu Martin <mathieu.martin@elastic.co>
Date: Wed, 2 Dec 2020 16:21:19 -0500
Subject: [PATCH 51/90] [1.x] Tracing fields should be at the root (#1165)

* Add notice to the tracing field set, about not nesting field names. (#1162)
* Tracing fields should be at top level in Beats artifact (#1164)
---
 CHANGELOG.next.md                           |  5 ++
 code/go/ecs/tracing.go                      |  3 +
 docs/field-details.asciidoc                 |  2 +
 experimental/generated/beats/fields.ecs.yml | 61 +++++++++------------
 experimental/generated/ecs/ecs_nested.yml   |  6 +-
 generated/beats/fields.ecs.yml              | 61 +++++++++------------
 generated/ecs/ecs_nested.yml                |  6 +-
 schemas/tracing.yml                         |  7 ++-
 scripts/generators/beats.py                 |  5 ++
 9 files changed, 83 insertions(+), 73 deletions(-)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index f87d61f45f..39dc9a5a05 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -30,6 +30,8 @@ Thanks, you're awesome :-) -->
 
 #### Bugfixes
 
+* `tracing` fields should be at root of Beats `fields.ecs.yml` artifacts. #1164
+
 #### Added
 
 * Added the `path` key when type is `alias`, to support the [alias field type](https://www.elastic.co/guide/en/elasticsearch/reference/current/alias.html). #877
@@ -41,6 +43,9 @@ Thanks, you're awesome :-) -->
 
 #### Improvements
 
+* Added a notice highlighting that the `tracing` fields are not nested under the
+  namespace `tracing.` #1162
+
 #### Deprecated
 
 
diff --git a/code/go/ecs/tracing.go b/code/go/ecs/tracing.go
index 16e1707065..a0f6b2508d 100644
--- a/code/go/ecs/tracing.go
+++ b/code/go/ecs/tracing.go
@@ -23,6 +23,9 @@ package ecs
 // microservice architecture all in one view. This is accomplished by tracing
 // all of the requests - from the initial web request in the front-end service
 // - to queries made through multiple back-end services.
+// Unlike most field sets in ECS, the tracing fields are *not* nested under the
+// field set name. In other words, the correct field name is `trace.id`, not
+// `tracing.trace.id`, and so on.
 type Tracing struct {
 	// Unique identifier of the trace.
 	// A trace groups multiple events like transactions that belong together.
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index 0d41f4462c..eebf2524f2 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -7187,6 +7187,8 @@ example: `tls`
 
 Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services.
 
+Unlike most field sets in ECS, the tracing fields are *not* nested under the field set name. In other words, the correct field name is `trace.id`, not `tracing.trace.id`, and so on.
+
 [discrete]
 ==== Tracing Field Details
 
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index 15f8b78a38..0501a22725 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -5212,43 +5212,34 @@
       description: Normalized lowercase protocol name parsed from original string.
       example: tls
       default_field: false
-  - name: tracing
-    title: Tracing
-    group: 2
-    description: Distributed tracing makes it possible to analyze performance throughout
-      a microservice architecture all in one view. This is accomplished by tracing
-      all of the requests - from the initial web request in the front-end service
-      - to queries made through multiple back-end services.
-    type: group
-    fields:
-    - name: span.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'Unique identifier of the span within the scope of its trace.
-
-        A span represents an operation within a transaction, such as a request to
-        another service, or a database query.'
-      example: 3ff9a8981b7ccd5a
-      default_field: false
-    - name: trace.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'Unique identifier of the trace.
+  - name: span.id
+    level: extended
+    type: keyword
+    ignore_above: 1024
+    description: 'Unique identifier of the span within the scope of its trace.
+
+      A span represents an operation within a transaction, such as a request to another
+      service, or a database query.'
+    example: 3ff9a8981b7ccd5a
+    default_field: false
+  - name: trace.id
+    level: extended
+    type: keyword
+    ignore_above: 1024
+    description: 'Unique identifier of the trace.
 
-        A trace groups multiple events like transactions that belong together. For
-        example, a user request handled by multiple inter-connected services.'
-      example: 4bf92f3577b34da6a3ce929d0e0e4736
-    - name: transaction.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'Unique identifier of the transaction within the scope of its trace.
+      A trace groups multiple events like transactions that belong together. For example,
+      a user request handled by multiple inter-connected services.'
+    example: 4bf92f3577b34da6a3ce929d0e0e4736
+  - name: transaction.id
+    level: extended
+    type: keyword
+    ignore_above: 1024
+    description: 'Unique identifier of the transaction within the scope of its trace.
 
-        A transaction is the highest level of work measured within a service, such
-        as a request to a server.'
-      example: 00f067aa0ba902b7
+      A transaction is the highest level of work measured within a service, such as
+      a request to a server.'
+    example: 00f067aa0ba902b7
   - name: url
     title: URL
     group: 2
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index ae2bf5b32c..60deb5c23b 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -9228,10 +9228,14 @@ tls:
   title: TLS
   type: group
 tracing:
-  description: Distributed tracing makes it possible to analyze performance throughout
+  description: 'Distributed tracing makes it possible to analyze performance throughout
     a microservice architecture all in one view. This is accomplished by tracing all
     of the requests - from the initial web request in the front-end service - to queries
     made through multiple back-end services.
+
+    Unlike most field sets in ECS, the tracing fields are *not* nested under the field
+    set name. In other words, the correct field name is `trace.id`, not `tracing.trace.id`,
+    and so on.'
   fields:
     span.id:
       dashed_name: span-id
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index d0f31c1f43..50f344720b 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -5299,43 +5299,34 @@
       description: Normalized lowercase protocol name parsed from original string.
       example: tls
       default_field: false
-  - name: tracing
-    title: Tracing
-    group: 2
-    description: Distributed tracing makes it possible to analyze performance throughout
-      a microservice architecture all in one view. This is accomplished by tracing
-      all of the requests - from the initial web request in the front-end service
-      - to queries made through multiple back-end services.
-    type: group
-    fields:
-    - name: span.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'Unique identifier of the span within the scope of its trace.
-
-        A span represents an operation within a transaction, such as a request to
-        another service, or a database query.'
-      example: 3ff9a8981b7ccd5a
-      default_field: false
-    - name: trace.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'Unique identifier of the trace.
+  - name: span.id
+    level: extended
+    type: keyword
+    ignore_above: 1024
+    description: 'Unique identifier of the span within the scope of its trace.
+
+      A span represents an operation within a transaction, such as a request to another
+      service, or a database query.'
+    example: 3ff9a8981b7ccd5a
+    default_field: false
+  - name: trace.id
+    level: extended
+    type: keyword
+    ignore_above: 1024
+    description: 'Unique identifier of the trace.
 
-        A trace groups multiple events like transactions that belong together. For
-        example, a user request handled by multiple inter-connected services.'
-      example: 4bf92f3577b34da6a3ce929d0e0e4736
-    - name: transaction.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'Unique identifier of the transaction within the scope of its trace.
+      A trace groups multiple events like transactions that belong together. For example,
+      a user request handled by multiple inter-connected services.'
+    example: 4bf92f3577b34da6a3ce929d0e0e4736
+  - name: transaction.id
+    level: extended
+    type: keyword
+    ignore_above: 1024
+    description: 'Unique identifier of the transaction within the scope of its trace.
 
-        A transaction is the highest level of work measured within a service, such
-        as a request to a server.'
-      example: 00f067aa0ba902b7
+      A transaction is the highest level of work measured within a service, such as
+      a request to a server.'
+    example: 00f067aa0ba902b7
   - name: url
     title: URL
     group: 2
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index 6c05ca5aba..f1ee2ecde8 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -9316,10 +9316,14 @@ tls:
   title: TLS
   type: group
 tracing:
-  description: Distributed tracing makes it possible to analyze performance throughout
+  description: 'Distributed tracing makes it possible to analyze performance throughout
     a microservice architecture all in one view. This is accomplished by tracing all
     of the requests - from the initial web request in the front-end service - to queries
     made through multiple back-end services.
+
+    Unlike most field sets in ECS, the tracing fields are *not* nested under the field
+    set name. In other words, the correct field name is `trace.id`, not `tracing.trace.id`,
+    and so on.'
   fields:
     span.id:
       dashed_name: span-id
diff --git a/schemas/tracing.yml b/schemas/tracing.yml
index fc44bd4e53..8e23514e3d 100644
--- a/schemas/tracing.yml
+++ b/schemas/tracing.yml
@@ -6,7 +6,12 @@
   short: Fields related to distributed tracing.
   description: >
     Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view.
-    This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services.
+    This is accomplished by tracing all of the requests - from the initial web
+    request in the front-end service - to queries made through multiple back-end services.
+
+    Unlike most field sets in ECS, the tracing fields are *not* nested under the
+    field set name. In other words, the correct field name is `trace.id`,
+    not `tracing.trace.id`, and so on.
   type: group
   fields:
     - name: trace.id
diff --git a/scripts/generators/beats.py b/scripts/generators/beats.py
index 0d182b40db..fa8904c058 100644
--- a/scripts/generators/beats.py
+++ b/scripts/generators/beats.py
@@ -17,6 +17,11 @@ def generate(ecs_nested, ecs_version, out_dir):
             continue
         fieldset = ecs_nested[fieldset_name]
 
+        # Handle when `root:true`
+        if fieldset.get('root', False):
+            beats_fields.extend(fieldset_field_array(fieldset['fields'], df_whitelist, fieldset['prefix']))
+            continue
+
         beats_field = ecs_helpers.dict_copy_keys_ordered(fieldset, allowed_fieldset_keys)
         beats_field['fields'] = fieldset_field_array(fieldset['fields'], df_whitelist, fieldset['prefix'])
         beats_fields.append(beats_field)

From 14c84c04428bf83be98d428b716b2fc33e5d2bcc Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Thu, 3 Dec 2020 10:40:42 -0600
Subject: [PATCH 52/90] [1.x] Usage of brackets for a URL containing IPv6
 address (#1131) (#1168)

---
 CHANGELOG.next.md                           | 2 ++
 code/go/ecs/url.go                          | 3 +++
 docs/field-details.asciidoc                 | 2 ++
 experimental/generated/beats/fields.ecs.yml | 6 +++++-
 experimental/generated/ecs/ecs_flat.yml     | 5 ++++-
 experimental/generated/ecs/ecs_nested.yml   | 6 +++++-
 generated/beats/fields.ecs.yml              | 6 +++++-
 generated/ecs/ecs_flat.yml                  | 5 ++++-
 generated/ecs/ecs_nested.yml                | 6 +++++-
 schemas/url.yml                             | 3 +++
 10 files changed, 38 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 39dc9a5a05..9f8ac783ad 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -22,6 +22,8 @@ Thanks, you're awesome :-) -->
 
 #### Improvements
 
+* Note `[` and `]` bracket characters may enclose a literal IPv6 address when populating `url.domain`. #1131
+
 #### Deprecated
 
 ### Tooling and Artifact Changes
diff --git a/code/go/ecs/url.go b/code/go/ecs/url.go
index ec00f75914..d9a05e4a81 100644
--- a/code/go/ecs/url.go
+++ b/code/go/ecs/url.go
@@ -42,6 +42,9 @@ type Url struct {
 	// In some cases a URL may refer to an IP and/or port directly, without a
 	// domain name. In this case, the IP address would go to the `domain`
 	// field.
+	// If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF
+	// RFC 2732), the `[` and `]` characters should also be captured in the
+	// `domain` field.
 	Domain string `ecs:"domain"`
 
 	// The highest registered url domain, stripped of the subdomain.
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index eebf2524f2..87a98e4e21 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -7276,6 +7276,8 @@ URL fields provide support for complete or partial URLs, and supports the breaki
 
 In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
 
+If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+
 type: keyword
 
 
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index 0501a22725..16c38aefca 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -5253,7 +5253,11 @@
       description: 'Domain of the url, such as "www.elastic.co".
 
         In some cases a URL may refer to an IP and/or port directly, without a domain
-        name. In this case, the IP address would go to the `domain` field.'
+        name. In this case, the IP address would go to the `domain` field.
+
+        If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC
+        2732), the `[` and `]` characters should also be captured in the `domain`
+        field.'
       example: www.elastic.co
     - name: extension
       level: extended
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index a53975d700..255173741f 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -8027,7 +8027,10 @@ url.domain:
   description: 'Domain of the url, such as "www.elastic.co".
 
     In some cases a URL may refer to an IP and/or port directly, without a domain
-    name. In this case, the IP address would go to the `domain` field.'
+    name. In this case, the IP address would go to the `domain` field.
+
+    If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732),
+    the `[` and `]` characters should also be captured in the `domain` field.'
   example: www.elastic.co
   flat_name: url.domain
   level: extended
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index 60deb5c23b..85be996c31 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -9295,7 +9295,11 @@ url:
       description: 'Domain of the url, such as "www.elastic.co".
 
         In some cases a URL may refer to an IP and/or port directly, without a domain
-        name. In this case, the IP address would go to the `domain` field.'
+        name. In this case, the IP address would go to the `domain` field.
+
+        If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC
+        2732), the `[` and `]` characters should also be captured in the `domain`
+        field.'
       example: www.elastic.co
       flat_name: url.domain
       level: extended
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 50f344720b..223cc8f130 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -5341,7 +5341,11 @@
       description: 'Domain of the url, such as "www.elastic.co".
 
         In some cases a URL may refer to an IP and/or port directly, without a domain
-        name. In this case, the IP address would go to the `domain` field.'
+        name. In this case, the IP address would go to the `domain` field.
+
+        If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC
+        2732), the `[` and `]` characters should also be captured in the `domain`
+        field.'
       example: www.elastic.co
     - name: extension
       level: extended
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index cfee8c876f..8ddc706a5a 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -8110,7 +8110,10 @@ url.domain:
   description: 'Domain of the url, such as "www.elastic.co".
 
     In some cases a URL may refer to an IP and/or port directly, without a domain
-    name. In this case, the IP address would go to the `domain` field.'
+    name. In this case, the IP address would go to the `domain` field.
+
+    If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732),
+    the `[` and `]` characters should also be captured in the `domain` field.'
   example: www.elastic.co
   flat_name: url.domain
   ignore_above: 1024
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index f1ee2ecde8..c00c9c5173 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -9383,7 +9383,11 @@ url:
       description: 'Domain of the url, such as "www.elastic.co".
 
         In some cases a URL may refer to an IP and/or port directly, without a domain
-        name. In this case, the IP address would go to the `domain` field.'
+        name. In this case, the IP address would go to the `domain` field.
+
+        If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC
+        2732), the `[` and `]` characters should also be captured in the `domain`
+        field.'
       example: www.elastic.co
       flat_name: url.domain
       ignore_above: 1024
diff --git a/schemas/url.yml b/schemas/url.yml
index 0253f316e8..88a0278891 100644
--- a/schemas/url.yml
+++ b/schemas/url.yml
@@ -58,6 +58,9 @@
 
         In some cases a URL may refer to an IP and/or port directly, without a
         domain name. In this case, the IP address would go to the `domain` field.
+
+        If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732),
+        the `[` and `]` characters should also be captured in the `domain` field.
       example: www.elastic.co
 
     - name: registered_domain

From ae5568c70aca40a83885cb6f7c4c6c1173ff8177 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Mon, 7 Dec 2020 11:30:12 -0600
Subject: [PATCH 53/90] [1.x] 6.x index template data type fallback (#1171)
 (#1172)

---
 CHANGELOG.next.md                 |  1 +
 scripts/generators/es_template.py | 25 +++++++++++-
 scripts/tests/test_es_template.py | 65 +++++++++++++++++++++++++++++++
 3 files changed, 90 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 9f8ac783ad..df39066ed8 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -47,6 +47,7 @@ Thanks, you're awesome :-) -->
 
 * Added a notice highlighting that the `tracing` fields are not nested under the
   namespace `tracing.` #1162
+* ES 6.x template data types will fallback to supported types. #1171
 
 #### Deprecated
 
diff --git a/scripts/generators/es_template.py b/scripts/generators/es_template.py
index 086d5246b9..bb56356a5a 100644
--- a/scripts/generators/es_template.py
+++ b/scripts/generators/es_template.py
@@ -4,6 +4,8 @@
 
 from os.path import join
 from generators import ecs_helpers
+from schema.cleaner import field_or_multi_field_datatype_defaults
+from schema.oss import TYPE_FALLBACKS
 
 
 def generate(ecs_flat, ecs_version, out_dir, template_settings_file, mapping_settings_file):
@@ -93,7 +95,9 @@ def generate_template_version(elasticsearch_version, mappings_section, out_dir,
     else:
         template = default_template_settings()
     if elasticsearch_version == 6:
-        template['mappings'] = {'_doc': mappings_section}
+        es6_mappings_section = copy.deepcopy(mappings_section)
+        es6_type_fallback(es6_mappings_section['properties'])
+        template['mappings'] = {'_doc': es6_mappings_section}
     else:
         template['mappings'] = mappings_section
 
@@ -144,3 +148,22 @@ def default_mapping_settings(ecs_version):
         ],
         "properties": {}
     }
+
+
+def es6_type_fallback(mappings):
+    '''
+    Visits each leaf in mappings object and fallback to an
+    Elasticsearch 6.x supported type.
+
+    Since a field like `wildcard` won't have the same defaults as
+    a `keyword` field, we must add any missing defaults.
+    '''
+
+    for (name, details) in mappings.items():
+        if 'type' in details:
+            fallback_type = TYPE_FALLBACKS.get(details['type'])
+            if fallback_type:
+                mappings[name]['type'] = fallback_type
+                field_or_multi_field_datatype_defaults(mappings[name])
+        if 'properties' in details:
+            es6_type_fallback(details['properties'])
diff --git a/scripts/tests/test_es_template.py b/scripts/tests/test_es_template.py
index 43ee4d276f..50142e4ff6 100644
--- a/scripts/tests/test_es_template.py
+++ b/scripts/tests/test_es_template.py
@@ -157,6 +157,71 @@ def test_constant_keyword_no_value(self):
         exp = {'type': 'constant_keyword'}
         self.assertEqual(es_template.entry_for(test_map), exp)
 
+    def test_es6_fallback_base_case_wildcard(self):
+        test_map = {
+            "field": {
+                "name": "field",
+                "type": "wildcard"
+            }
+        }
+
+        exp = {
+            "field": {
+                "name": "field",
+                "type": "keyword",
+                "ignore_above": 1024
+            }
+        }
+
+        es_template.es6_type_fallback(test_map)
+        self.assertEqual(test_map, exp)
+
+    def test_es6_fallback_recursive_case_wildcard(self):
+        test_map = {
+            "top_field": {
+                "properties": {
+                    "field": {
+                        "name": "field",
+                        "type": "wildcard"
+                    }
+                }
+            }
+        }
+
+        exp = {
+            "top_field": {
+                "properties": {
+                    "field": {
+                        "name": "field",
+                        "type": "keyword",
+                        "ignore_above": 1024
+                    }
+                }
+            }
+        }
+
+        es_template.es6_type_fallback(test_map)
+        self.assertEqual(test_map, exp)
+
+    def test_es6_fallback_base_case_constant_keyword(self):
+        test_map = {
+            "field": {
+                "name": "field",
+                "type": "constant_keyword"
+            }
+        }
+
+        exp = {
+            "field": {
+                "name": "field",
+                "type": "keyword",
+                "ignore_above": 1024
+            }
+        }
+
+        es_template.es6_type_fallback(test_map)
+        self.assertEqual(test_map, exp)
+
 
 if __name__ == '__main__':
     unittest.main()

From 48e1ddc6424a7fb821ce14bed4f7076a8b1c70ed Mon Sep 17 00:00:00 2001
From: Mathieu Martin <mathieu.martin@elastic.co>
Date: Mon, 7 Dec 2020 14:53:31 -0500
Subject: [PATCH 54/90] [1.x] Apply RFC 0007 stage 3 changes - multi-user
 (#1066) (#1175)

Conflict: deleted file rfcs/text/0007-multiple-users.md as RFCs are not backported to version branches.
---
 CHANGELOG.next.md                         |   4 +
 docs/field-details.asciidoc               |  31 +-
 docs/usage/user.asciidoc                  | 430 ++++++++++++++++++++++
 experimental/generated/ecs/ecs_nested.yml |  12 +-
 experimental/schemas/user.yml             |   8 -
 generated/beats/fields.ecs.yml            | 237 ++++++++++++
 generated/csv/fields.csv                  |  36 ++
 generated/ecs/ecs_flat.yml                | 396 ++++++++++++++++++++
 generated/ecs/ecs_nested.yml              | 423 +++++++++++++++++++++
 generated/elasticsearch/6/template.json   | 180 +++++++++
 generated/elasticsearch/7/template.json   | 180 +++++++++
 schemas/user.yml                          |   9 +
 12 files changed, 1934 insertions(+), 12 deletions(-)
 create mode 100644 docs/usage/user.asciidoc

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index df39066ed8..2488a956e5 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -18,6 +18,8 @@ Thanks, you're awesome :-) -->
 
 * Added `event.category` "registry". #1040
 * Added `event.category` "session". #1049
+* Added usage documentation for `user` fields. #1066
+* Added `user` fields at `user.effective.*`, `user.target.*` and `user.changes.*`. #1066
 * Added `os.type`. #1111
 
 #### Improvements
@@ -26,6 +28,8 @@ Thanks, you're awesome :-) -->
 
 #### Deprecated
 
+* Deprecated `host.user.*` fields for removal at the next major. #1066
+
 ### Tooling and Artifact Changes
 
 #### Breaking changes
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index 87a98e4e21..7bfc74e85a 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -7541,6 +7541,10 @@ The user fields describe information about the user that is relevant to the even
 
 Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.
 
+Find additional usage and examples in the user fields <<ecs-user-usage,usage>> section.
+
+
+
 [discrete]
 ==== User Field Details
 
@@ -7686,7 +7690,7 @@ example: `["kibana_admin", "reporting_user"]`
 [discrete]
 ==== Field Reuse
 
-The `user` fields are expected to be nested at: `client.user`, `destination.user`, `host.user`, `server.user`, `source.user`.
+The `user` fields are expected to be nested at: `client.user`, `destination.user`, `host.user`, `server.user`, `source.user`, `user.changes`, `user.effective`, `user.target`.
 
 Note also that the `user` fields may be used directly at the root of the events.
 
@@ -7704,14 +7708,39 @@ Note also that the `user` fields may be used directly at the root of the events.
 // ===============================================================
 
 
+| <<ecs-user,user.changes.*>>| beta:[ Reusing the user fields in this location is currently considered beta.]
+
+Fields to describe the user relevant to the event.
+
+// ===============================================================
+
+
+| <<ecs-user,user.effective.*>>| beta:[ Reusing the user fields in this location is currently considered beta.]
+
+Fields to describe the user relevant to the event.
+
+// ===============================================================
+
+
 | <<ecs-group,user.group.*>>
 | User's group relevant to the event.
 
 // ===============================================================
 
 
+| <<ecs-user,user.target.*>>| beta:[ Reusing the user fields in this location is currently considered beta.]
+
+Fields to describe the user relevant to the event.
+
+// ===============================================================
+
+
 |=====
 
+
+
+include::usage/user.asciidoc[]
+
 [[ecs-user_agent]]
 === User agent Fields
 
diff --git a/docs/usage/user.asciidoc b/docs/usage/user.asciidoc
new file mode 100644
index 0000000000..f1a7452af9
--- /dev/null
+++ b/docs/usage/user.asciidoc
@@ -0,0 +1,430 @@
+[[ecs-user-usage]]
+==== Usage
+
+Here are the subjects covered in this page.
+
+* <<ecs-user-usage-categorization>>
+* <<ecs-user-identifiers>>
+
+* <<ecs-user-usage-field-reuse>>, or all places user fields can appear
+** <<ecs-user-usage-user-at-root>>
+** <<ecs-user-usage-remote-logons>>
+** <<ecs-user-usage-privilege-changes>>
+** <<ecs-user-usage-iam>>
+** <<ecs-user-usage-combining>>
+** <<ecs-user-usage-reuse-subtleties>>
+
+* <<ecs-user-usage-pivoting>>
+
+* <<ecs-user-usage-mappings>>
+
+* <<ecs-user-usage-deprecations>>
+
+[discrete]
+[[ecs-user-usage-categorization]]
+===== Categorization
+
+User fields can be present in any kind of event, without affecting the event's
+categorization.
+
+However when the event is about IAM (Identity and Account Management),
+it should be categorized as follows. In this section we'll cover specifically
+`event.category` and `event.type` with regards to IAM activity. Make sure to read
+the <<ecs-category-field-values-reference, Categorization section>> to see all allowed
+values, and read more about `event.kind` and `event.outcome`.
+
+NOTE: IAM activity is a bit particular in that events are expected to be assigned 2 event types.
+One of them indicates the type of activity (creation, deletion, change, etc.),
+and the other indicates whether a user or a group is the target of the management activity.
+
+Many sections of the examples below are elided, in order to focus on the categorization
+of the events.
+
+Creation of group "test-group":
+
+```JSON
+{
+  "event": {
+    "kind": "event",
+    "category": ["iam"], <1>
+    "type": ["group", "creation"], <2>
+    "outcome": "success"
+  },
+  "group": { "name": "test-group", ... },
+  "user": { ... },
+  "related": { "user": [ ... ] }
+}
+```
+<1> Category "iam"
+<2> Both relevant event types to a group creation
+
+Adding "test-user" to "test-group":
+
+```JSON
+{
+  "event": {
+    "kind": "event",
+    "category": ["iam"], <1>
+    "type": ["user", "change"], <2>
+    "action": "user added to group", <3>
+    "outcome": "success"
+  },
+  "user": {
+    ...
+    "target": { <4>
+      "name": "test-user",
+      "group": { "name": "test-group" }
+    }
+  },
+  "related": { "user": [ ... ] }
+}
+```
+<1> Category "iam"
+<2> Both relevant event types to a user modification
+<3> `event.action` is not a categorization field, and has no mandated value. It can be populated based on source event details or by a pipeline, to ensure the event captures all subtleties of what's happening.
+<4> How to use all possible user fields is detailed below.
+
+[discrete]
+[[ecs-user-identifiers]]
+===== User identifiers
+
+Different systems use different values for user identifiers. Here are a few pointers
+to help normalize some simple cases.
+
+* When a system provides a composite value for the user name (e.g. DOMAINNAME\username),
+  capture the domain name in `user.domain` and the user name (without the domain) in `user.name`.
+* When a system uses an email address as the main identifier, populate both
+  `user.id` and `user.email` with it.
+
+[discrete]
+[[ecs-user-usage-field-reuse]]
+===== Field reuse
+
+The user fields can be reused (or appear) in many places across ECS. This makes
+it possible to capture many users relevant to a single event.
+
+Here's the full list of places where the user fields can appear:
+
+* `user.*`
+* `user.effective.*`
+* `user.target.*`
+* `user.changes.*`
+* `source.user.*`
+* `destination.user.*`
+* `client.user.*`
+* `server.user.*`
+* `host.user.*` (<<ecs-user-usage-deprecations,deprecated>>)
+
+Let's go over the meaning of each.
+
+The examples below will only populate `user.name` and sometimes `user.id` inside
+the various `user` nestings, for readability.
+However in implementations, unless otherwise noted, all `user` fields that can
+reasonably be populated in each location should be populated.
+
+[discrete]
+[[ecs-user-usage-user-at-root]]
+====== User fields at the Root of an Event
+
+The user fields at the root of an event are used to capture the user
+performing the main action described by the event. This is especially important
+when there's more than one user present on the event. `user.*` fields at the root
+of the event represent the user performing the action.
+
+In many cases, events that only mention one user should populate the user fields
+at the root of the event, even if the user is not the one performing the action.
+
+In cases where a purpose-specific user field such as `url.username` is populated,
+`user.name` should also be populated with the same user name.
+
+[source,json]
+-----------
+{
+  "url": { "username": "alice" }, <1>
+  "user": { "name": "alice" }, <2>
+  "related": { "user": ["alice"] }
+}
+-----------
+<1> Purpose-specific username field
+<2> Username copied to `user.name` to establish `user.name` as a reliable baseline.
+
+[discrete]
+[[ecs-user-usage-remote-logons]]
+====== Remote Logons
+
+When users are crossing host boundaries, the users are captured at
+`source.user` and `destination.user`.
+
+Examples of data sources where this is applicable:
+
+* Remote logons via ssh, kerberos
+* Firewalls observing network traffic
+
+In order to align with ECS' design of having `user` at the root of the event as the
+user performing the action, all `source.user` fields should be copied to `user` at the root.
+
+Here's an example where user "alice" logs on to another host as user "deus":
+
+[source,json]
+-----------
+{
+  "user": {
+    "name": "alice"
+  },
+  "source": {
+    "user": {
+      "name": "alice"
+    },
+    "ip": "10.42.42.42"
+  },
+  "destination": {
+    "user": {
+      "name": "deus"
+    },
+    "ip": "10.42.42.43"
+  },
+  "related": { "user": ["alice", "deus"] }
+}
+-----------
+
+Whenever an event source populates the `client` and `server` fields in addition
+to `source` and `destination`, the user fields should be copied accordingly as well.
+You can review <<ecs-mapping-network-events>> to learn more about
+mapping network events.
+
+[discrete]
+[[ecs-user-usage-privilege-changes]]
+====== Privilege Changes
+
+The `user.effective` fields are relevant when there's a privilege escalation or demotion
+and it's possible to determine the user requesting/performing the escalation.
+
+Use the `user` fields at the root to capture who is requesting the privilege change,
+and `user.effective` to capture the requested privilege level, whether or not the
+privilege change was successful.
+
+Here are examples where this is applicable:
+
+* A user changing identity on a host.
+** Examples: sudo, su, Run as.
+* Running a program as a different user. Examples:
+** A trusted user runs a specific admin command as root via a mechanism such as the Posix setuid/setgid.
+** A service manager with administrator privileges starts child processes as limited
+    users, for security purposes (e.g. root runs Apache HTTPD as user "apache")
+
+In cases where the event source only gives information about the effective user
+and not who requested different privileges, the `user` fields at the root of the
+event should be used instead of `user.effective`.
+
+Here's an example of user "alice" running a command as root via sudo:
+
+[source,json]
+-----------
+{
+  "user": {
+    "name": "alice",
+    "id": "1001",
+    "effective": {
+      "name": "root",
+      "id": "1"
+    }
+  },
+  "related": { "user": ["alice", "root"] }
+}
+-----------
+
+When it's not possible (or it's prohibitive) to determine which user is requesting
+different privilege levels, it's acceptable to capture the effective user at the
+root of the event. Typically a privilege change event will already have happened,
+for example: bob "su" as root; and subsequent events will show the root user
+performing the actions.
+
+[discrete]
+[[ecs-user-usage-iam]]
+====== Identity and Access Management
+
+Whenever a user is performing an action that affects another user -- typically
+in IAM scenarios -- the user affected by the action is captured at
+`user.target`. The user performing the IAM activity is captured at the root
+of the event.
+
+Examples of IAM activity include:
+
+* user-a creates or deletes user-b
+* user-a modifies user-b
+
+In the create/delete scenarios, there's either no prior state (user creation)
+or no post state (user deletion). In these cases, only `user` at the root and
+`user.target` must be populated.
+
+Example where "root" creates user "bob":
+
+[source,json]
+-----------
+{
+  "user": {
+    "name": "root",
+    "id": "1",
+    "target": {
+      "name": "bob",
+      "id": "1002",
+      ...
+    }
+  }
+  "related": { "user": ["bob", "root"] }
+}
+-----------
+
+When there's a change of state to an existing user, `user.target` must be used
+to capture the prior state of the user, and `user.changes` should list only
+the changes that were performed.
+
+Example where "root" renames user "bob" to "bob.barker":
+
+[source,json]
+-----------
+{
+  "user": {
+    "name": "root",
+    "id": "1",
+    "target": {
+      "name": "bob",
+      "id": "1002"
+    },
+    "changes": {
+      "name": "bob.barker"
+    }
+  },
+  "related": { "user": ["bob", "bob.barker", "root"] }
+}
+-----------
+
+You'll note in the example above that unmodified attributes like the user ID are
+not repeated under `user.changes.*`, since they didn't change.
+
+[discrete]
+[[ecs-user-usage-combining]]
+====== Combining IAM and Privilege Change
+
+We've covered above how `user.target` and `user.changes` can be used at the same time.
+If privilege escalation is also present in the same IAM event, `user.effective`
+should of course be used as well.
+
+Here's the "rename" example from the IAM section above. In the following example,
+we know "alice" is escalating privileges to "root", in order to modify user "bob":
+
+[source,json]
+-----------
+{
+  "user": {
+    "name": "alice",
+    "id": "1001",
+    "effective": {
+      "name": "root",
+      "id": "1"
+    },
+    "target": {
+      "name": "bob",
+      "id": "1002"
+    },
+    "changes": {
+      "name": "bob.barker"
+    }
+  },
+  "related": { "user": ["alice", "bob", "bob.barker", "root"] }
+}
+-----------
+
+[discrete]
+[[ecs-user-usage-reuse-subtleties]]
+====== Subtleties around field reuse
+
+Most cases of field reuse in ECS are reusing a field set inside a different field set.
+Two examples of this are:
+
+* reusing `group` in `user`, resulting in the `user.group.*` fields, or
+* reusing `user` in `destination`, resulting in the `destination.user.*` fields,
+  which also include `destination.user.group.*`.
+
+The `user` fields can also be reused within `user` as different names,
+representing the role of each relevant user. Examples are the `user.target.*` or `user.effective.*` fields.
+
+However, it's important to note that `user` fields reused within
+`user` are _not carried around anywhere else_.
+Let's illustrate the various permutations of what's valid and what is not.
+
+[options="header"]
+|=====
+| Field  | Validity | Notes
+
+| `user.group.*` | Valid | Normal reuse.
+| `destination.user.group.*` | Valid | The `group` reuse gets carried around when `user` is reused elsewhere.
+Populate only if relevant to the event.
+
+| `user.target.group.*`, `user.effective.group.*`, `user.changes.group.*`
+| Valid
+| The `group` reuse gets carried around even when `user` is reused within itself.
+Populate only if relevant to the event.
+
+| `destination.user.target.*`, `destination.user.effective.*`, `destination.user.changes.*`
+| *Invalid*
+| The `user` fields reused within `user` are not carried around anywhere else.
+The same rule applies when `user` is reused under `source`, `client` and `server`.
+
+|=====
+
+
+[discrete]
+[[ecs-user-usage-pivoting]]
+===== Pivoting via related.user
+
+In all events in this page, we've populated the `related.user` fields.
+
+Any event that has users in it should always populate the array field `related.user`
+with all usernames seen in the event; including event names that appear in custom fields.
+Note that this field is not a nesting of all user fields,
+it's a flat array meant to contain user identifiers.
+
+Taking the example from `user.changes` again, we can see that no matter the role
+of the each user (before/after privilege escalation, affected user, username after rename), they are all present in `related.user`:
+
+[source,json]
+-----------
+{
+  "user": {
+    "name": "alice",
+    "id": "1001",
+    "effective": {
+      "name": "root",
+      "id": "1"
+    },
+    "target": {
+      "name": "bob",
+      "id": "1002"
+    },
+    "changes": {
+      "name": "bob.barker"
+    }
+  },
+  "related": { "user": ["alice", "root", "bob", "bob.barker"] }
+}
+-----------
+
+Like the other fields in the <<ecs-related,related>> field set, `related.user` is meant to facilitate
+pivoting. For example, if you have a suspicion about user "bob.barker", searching
+for this name in `related.user` will give you all events related to this user, whether
+it's the creation / rename of the user, or events where this user was active in a system.
+
+[discrete]
+[[ecs-user-usage-mappings]]
+===== Mapping Examples
+
+For examples of mapping events from various sources, you can look at
+https://github.com/elastic/ecs/blob/master/rfcs/text/0007-multiple-users.md#source-data[RFC 0007 in section Source Data].
+
+[discrete]
+[[ecs-user-usage-deprecations]]
+===== Deprecations
+
+As of ECS 1.8, `host.user.*` fields are deprecated and will be removed at the next
+major version of ECS.
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index 85be996c31..5072c1b3de 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -10045,25 +10045,31 @@ user:
       full: source.user
     - as: target
       at: user
+      beta: Reusing the user fields in this location is currently considered beta.
       full: user.target
     - as: effective
       at: user
+      beta: Reusing the user fields in this location is currently considered beta.
       full: user.effective
     - as: changes
       at: user
+      beta: Reusing the user fields in this location is currently considered beta.
       full: user.changes
     top_level: true
   reused_here:
   - full: user.group
     schema_name: group
     short: User's group relevant to the event.
-  - full: user.target
+  - beta: Reusing the user fields in this location is currently considered beta.
+    full: user.target
     schema_name: user
     short: Fields to describe the user relevant to the event.
-  - full: user.effective
+  - beta: Reusing the user fields in this location is currently considered beta.
+    full: user.effective
     schema_name: user
     short: Fields to describe the user relevant to the event.
-  - full: user.changes
+  - beta: Reusing the user fields in this location is currently considered beta.
+    full: user.changes
     schema_name: user
     short: Fields to describe the user relevant to the event.
   short: Fields to describe the user relevant to the event.
diff --git a/experimental/schemas/user.yml b/experimental/schemas/user.yml
index b2af27d5ab..89e182fbee 100644
--- a/experimental/schemas/user.yml
+++ b/experimental/schemas/user.yml
@@ -7,11 +7,3 @@
       type: wildcard
     - name: email
       type: wildcard
-  reusable:
-    expected:
-      - at: user
-        as: target
-      - at: user
-        as: effective
-      - at: user
-        as: changes
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 223cc8f130..1caa603979 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -5486,6 +5486,85 @@
       provide an array that includes all of them.'
     type: group
     fields:
+    - name: changes.domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the user is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      default_field: false
+    - name: changes.email
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: User email address.
+      default_field: false
+    - name: changes.full_name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: User's full name, if available.
+      example: Albert Einstein
+      default_field: false
+    - name: changes.group.domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      default_field: false
+    - name: changes.group.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier for the group on the system/platform.
+      default_field: false
+    - name: changes.group.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the group.
+      default_field: false
+    - name: changes.hash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Unique user hash to correlate information for a user in anonymized
+        form.
+
+        Useful if `user.id` or `user.name` contain confidential information and cannot
+        be used.'
+      default_field: false
+    - name: changes.id
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier of the user.
+      default_field: false
+    - name: changes.name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: Short name or login of the user.
+      example: albert
+      default_field: false
+    - name: changes.roles
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Array of user roles at the time of the event.
+      example: '["kibana_admin", "reporting_user"]'
+      default_field: false
     - name: domain
       level: extended
       type: keyword
@@ -5493,6 +5572,85 @@
       description: 'Name of the directory the user is a member of.
 
         For example, an LDAP or Active Directory domain name.'
+    - name: effective.domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the user is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      default_field: false
+    - name: effective.email
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: User email address.
+      default_field: false
+    - name: effective.full_name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: User's full name, if available.
+      example: Albert Einstein
+      default_field: false
+    - name: effective.group.domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      default_field: false
+    - name: effective.group.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier for the group on the system/platform.
+      default_field: false
+    - name: effective.group.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the group.
+      default_field: false
+    - name: effective.hash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Unique user hash to correlate information for a user in anonymized
+        form.
+
+        Useful if `user.id` or `user.name` contain confidential information and cannot
+        be used.'
+      default_field: false
+    - name: effective.id
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier of the user.
+      default_field: false
+    - name: effective.name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: Short name or login of the user.
+      example: albert
+      default_field: false
+    - name: effective.roles
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Array of user roles at the time of the event.
+      example: '["kibana_admin", "reporting_user"]'
+      default_field: false
     - name: email
       level: extended
       type: keyword
@@ -5558,6 +5716,85 @@
       description: Array of user roles at the time of the event.
       example: '["kibana_admin", "reporting_user"]'
       default_field: false
+    - name: target.domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the user is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      default_field: false
+    - name: target.email
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: User email address.
+      default_field: false
+    - name: target.full_name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: User's full name, if available.
+      example: Albert Einstein
+      default_field: false
+    - name: target.group.domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      default_field: false
+    - name: target.group.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier for the group on the system/platform.
+      default_field: false
+    - name: target.group.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the group.
+      default_field: false
+    - name: target.hash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Unique user hash to correlate information for a user in anonymized
+        form.
+
+        Useful if `user.id` or `user.name` contain confidential information and cannot
+        be used.'
+      default_field: false
+    - name: target.id
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier of the user.
+      default_field: false
+    - name: target.name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: Short name or login of the user.
+      example: albert
+      default_field: false
+    - name: target.roles
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Array of user roles at the time of the event.
+      example: '["kibana_admin", "reporting_user"]'
+      default_field: false
   - name: user_agent
     title: User agent
     group: 2
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index a8fc2c7e04..cd996051dc 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -646,7 +646,31 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain.
 1.8.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
 1.8.0-dev,true,url,url.username,keyword,extended,,,Username of the request.
+1.8.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.8.0-dev,true,user,user.changes.email,keyword,extended,,,User email address.
+1.8.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.8.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.8.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group.
+1.8.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.8.0-dev,true,user,user.changes.id,keyword,core,,,Unique identifier of the user.
+1.8.0-dev,true,user,user.changes.name,keyword,core,,albert,Short name or login of the user.
+1.8.0-dev,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user.
+1.8.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.8.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.8.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.8.0-dev,true,user,user.effective.email,keyword,extended,,,User email address.
+1.8.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.8.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.8.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group.
+1.8.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.8.0-dev,true,user,user.effective.id,keyword,core,,,Unique identifier of the user.
+1.8.0-dev,true,user,user.effective.name,keyword,core,,albert,Short name or login of the user.
+1.8.0-dev,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user.
+1.8.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.8.0-dev,true,user,user.email,keyword,extended,,,User email address.
 1.8.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
@@ -658,6 +682,18 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,user,user.name,keyword,core,,albert,Short name or login of the user.
 1.8.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user.
 1.8.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.8.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.8.0-dev,true,user,user.target.email,keyword,extended,,,User email address.
+1.8.0-dev,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.8.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.8.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group.
+1.8.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.8.0-dev,true,user,user.target.id,keyword,core,,,Unique identifier of the user.
+1.8.0-dev,true,user,user.target.name,keyword,core,,albert,Short name or login of the user.
+1.8.0-dev,true,user,user.target.name.text,text,core,,albert,Short name or login of the user.
+1.8.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.8.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device.
 1.8.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
 1.8.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index 8ddc706a5a..90d2496342 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -8314,6 +8314,138 @@ url.username:
   normalize: []
   short: Username of the request.
   type: keyword
+user.changes.domain:
+  dashed_name: user-changes-domain
+  description: 'Name of the directory the user is a member of.
+
+    For example, an LDAP or Active Directory domain name.'
+  flat_name: user.changes.domain
+  ignore_above: 1024
+  level: extended
+  name: domain
+  normalize: []
+  original_fieldset: user
+  short: Name of the directory the user is a member of.
+  type: keyword
+user.changes.email:
+  dashed_name: user-changes-email
+  description: User email address.
+  flat_name: user.changes.email
+  ignore_above: 1024
+  level: extended
+  name: email
+  normalize: []
+  original_fieldset: user
+  short: User email address.
+  type: keyword
+user.changes.full_name:
+  dashed_name: user-changes-full-name
+  description: User's full name, if available.
+  example: Albert Einstein
+  flat_name: user.changes.full_name
+  ignore_above: 1024
+  level: extended
+  multi_fields:
+  - flat_name: user.changes.full_name.text
+    name: text
+    norms: false
+    type: text
+  name: full_name
+  normalize: []
+  original_fieldset: user
+  short: User's full name, if available.
+  type: keyword
+user.changes.group.domain:
+  dashed_name: user-changes-group-domain
+  description: 'Name of the directory the group is a member of.
+
+    For example, an LDAP or Active Directory domain name.'
+  flat_name: user.changes.group.domain
+  ignore_above: 1024
+  level: extended
+  name: domain
+  normalize: []
+  original_fieldset: group
+  short: Name of the directory the group is a member of.
+  type: keyword
+user.changes.group.id:
+  dashed_name: user-changes-group-id
+  description: Unique identifier for the group on the system/platform.
+  flat_name: user.changes.group.id
+  ignore_above: 1024
+  level: extended
+  name: id
+  normalize: []
+  original_fieldset: group
+  short: Unique identifier for the group on the system/platform.
+  type: keyword
+user.changes.group.name:
+  dashed_name: user-changes-group-name
+  description: Name of the group.
+  flat_name: user.changes.group.name
+  ignore_above: 1024
+  level: extended
+  name: name
+  normalize: []
+  original_fieldset: group
+  short: Name of the group.
+  type: keyword
+user.changes.hash:
+  dashed_name: user-changes-hash
+  description: 'Unique user hash to correlate information for a user in anonymized
+    form.
+
+    Useful if `user.id` or `user.name` contain confidential information and cannot
+    be used.'
+  flat_name: user.changes.hash
+  ignore_above: 1024
+  level: extended
+  name: hash
+  normalize: []
+  original_fieldset: user
+  short: Unique user hash to correlate information for a user in anonymized form.
+  type: keyword
+user.changes.id:
+  dashed_name: user-changes-id
+  description: Unique identifier of the user.
+  flat_name: user.changes.id
+  ignore_above: 1024
+  level: core
+  name: id
+  normalize: []
+  original_fieldset: user
+  short: Unique identifier of the user.
+  type: keyword
+user.changes.name:
+  dashed_name: user-changes-name
+  description: Short name or login of the user.
+  example: albert
+  flat_name: user.changes.name
+  ignore_above: 1024
+  level: core
+  multi_fields:
+  - flat_name: user.changes.name.text
+    name: text
+    norms: false
+    type: text
+  name: name
+  normalize: []
+  original_fieldset: user
+  short: Short name or login of the user.
+  type: keyword
+user.changes.roles:
+  dashed_name: user-changes-roles
+  description: Array of user roles at the time of the event.
+  example: '["kibana_admin", "reporting_user"]'
+  flat_name: user.changes.roles
+  ignore_above: 1024
+  level: extended
+  name: roles
+  normalize:
+  - array
+  original_fieldset: user
+  short: Array of user roles at the time of the event.
+  type: keyword
 user.domain:
   dashed_name: user-domain
   description: 'Name of the directory the user is a member of.
@@ -8326,6 +8458,138 @@ user.domain:
   normalize: []
   short: Name of the directory the user is a member of.
   type: keyword
+user.effective.domain:
+  dashed_name: user-effective-domain
+  description: 'Name of the directory the user is a member of.
+
+    For example, an LDAP or Active Directory domain name.'
+  flat_name: user.effective.domain
+  ignore_above: 1024
+  level: extended
+  name: domain
+  normalize: []
+  original_fieldset: user
+  short: Name of the directory the user is a member of.
+  type: keyword
+user.effective.email:
+  dashed_name: user-effective-email
+  description: User email address.
+  flat_name: user.effective.email
+  ignore_above: 1024
+  level: extended
+  name: email
+  normalize: []
+  original_fieldset: user
+  short: User email address.
+  type: keyword
+user.effective.full_name:
+  dashed_name: user-effective-full-name
+  description: User's full name, if available.
+  example: Albert Einstein
+  flat_name: user.effective.full_name
+  ignore_above: 1024
+  level: extended
+  multi_fields:
+  - flat_name: user.effective.full_name.text
+    name: text
+    norms: false
+    type: text
+  name: full_name
+  normalize: []
+  original_fieldset: user
+  short: User's full name, if available.
+  type: keyword
+user.effective.group.domain:
+  dashed_name: user-effective-group-domain
+  description: 'Name of the directory the group is a member of.
+
+    For example, an LDAP or Active Directory domain name.'
+  flat_name: user.effective.group.domain
+  ignore_above: 1024
+  level: extended
+  name: domain
+  normalize: []
+  original_fieldset: group
+  short: Name of the directory the group is a member of.
+  type: keyword
+user.effective.group.id:
+  dashed_name: user-effective-group-id
+  description: Unique identifier for the group on the system/platform.
+  flat_name: user.effective.group.id
+  ignore_above: 1024
+  level: extended
+  name: id
+  normalize: []
+  original_fieldset: group
+  short: Unique identifier for the group on the system/platform.
+  type: keyword
+user.effective.group.name:
+  dashed_name: user-effective-group-name
+  description: Name of the group.
+  flat_name: user.effective.group.name
+  ignore_above: 1024
+  level: extended
+  name: name
+  normalize: []
+  original_fieldset: group
+  short: Name of the group.
+  type: keyword
+user.effective.hash:
+  dashed_name: user-effective-hash
+  description: 'Unique user hash to correlate information for a user in anonymized
+    form.
+
+    Useful if `user.id` or `user.name` contain confidential information and cannot
+    be used.'
+  flat_name: user.effective.hash
+  ignore_above: 1024
+  level: extended
+  name: hash
+  normalize: []
+  original_fieldset: user
+  short: Unique user hash to correlate information for a user in anonymized form.
+  type: keyword
+user.effective.id:
+  dashed_name: user-effective-id
+  description: Unique identifier of the user.
+  flat_name: user.effective.id
+  ignore_above: 1024
+  level: core
+  name: id
+  normalize: []
+  original_fieldset: user
+  short: Unique identifier of the user.
+  type: keyword
+user.effective.name:
+  dashed_name: user-effective-name
+  description: Short name or login of the user.
+  example: albert
+  flat_name: user.effective.name
+  ignore_above: 1024
+  level: core
+  multi_fields:
+  - flat_name: user.effective.name.text
+    name: text
+    norms: false
+    type: text
+  name: name
+  normalize: []
+  original_fieldset: user
+  short: Short name or login of the user.
+  type: keyword
+user.effective.roles:
+  dashed_name: user-effective-roles
+  description: Array of user roles at the time of the event.
+  example: '["kibana_admin", "reporting_user"]'
+  flat_name: user.effective.roles
+  ignore_above: 1024
+  level: extended
+  name: roles
+  normalize:
+  - array
+  original_fieldset: user
+  short: Array of user roles at the time of the event.
+  type: keyword
 user.email:
   dashed_name: user-email
   description: User email address.
@@ -8439,6 +8703,138 @@ user.roles:
   - array
   short: Array of user roles at the time of the event.
   type: keyword
+user.target.domain:
+  dashed_name: user-target-domain
+  description: 'Name of the directory the user is a member of.
+
+    For example, an LDAP or Active Directory domain name.'
+  flat_name: user.target.domain
+  ignore_above: 1024
+  level: extended
+  name: domain
+  normalize: []
+  original_fieldset: user
+  short: Name of the directory the user is a member of.
+  type: keyword
+user.target.email:
+  dashed_name: user-target-email
+  description: User email address.
+  flat_name: user.target.email
+  ignore_above: 1024
+  level: extended
+  name: email
+  normalize: []
+  original_fieldset: user
+  short: User email address.
+  type: keyword
+user.target.full_name:
+  dashed_name: user-target-full-name
+  description: User's full name, if available.
+  example: Albert Einstein
+  flat_name: user.target.full_name
+  ignore_above: 1024
+  level: extended
+  multi_fields:
+  - flat_name: user.target.full_name.text
+    name: text
+    norms: false
+    type: text
+  name: full_name
+  normalize: []
+  original_fieldset: user
+  short: User's full name, if available.
+  type: keyword
+user.target.group.domain:
+  dashed_name: user-target-group-domain
+  description: 'Name of the directory the group is a member of.
+
+    For example, an LDAP or Active Directory domain name.'
+  flat_name: user.target.group.domain
+  ignore_above: 1024
+  level: extended
+  name: domain
+  normalize: []
+  original_fieldset: group
+  short: Name of the directory the group is a member of.
+  type: keyword
+user.target.group.id:
+  dashed_name: user-target-group-id
+  description: Unique identifier for the group on the system/platform.
+  flat_name: user.target.group.id
+  ignore_above: 1024
+  level: extended
+  name: id
+  normalize: []
+  original_fieldset: group
+  short: Unique identifier for the group on the system/platform.
+  type: keyword
+user.target.group.name:
+  dashed_name: user-target-group-name
+  description: Name of the group.
+  flat_name: user.target.group.name
+  ignore_above: 1024
+  level: extended
+  name: name
+  normalize: []
+  original_fieldset: group
+  short: Name of the group.
+  type: keyword
+user.target.hash:
+  dashed_name: user-target-hash
+  description: 'Unique user hash to correlate information for a user in anonymized
+    form.
+
+    Useful if `user.id` or `user.name` contain confidential information and cannot
+    be used.'
+  flat_name: user.target.hash
+  ignore_above: 1024
+  level: extended
+  name: hash
+  normalize: []
+  original_fieldset: user
+  short: Unique user hash to correlate information for a user in anonymized form.
+  type: keyword
+user.target.id:
+  dashed_name: user-target-id
+  description: Unique identifier of the user.
+  flat_name: user.target.id
+  ignore_above: 1024
+  level: core
+  name: id
+  normalize: []
+  original_fieldset: user
+  short: Unique identifier of the user.
+  type: keyword
+user.target.name:
+  dashed_name: user-target-name
+  description: Short name or login of the user.
+  example: albert
+  flat_name: user.target.name
+  ignore_above: 1024
+  level: core
+  multi_fields:
+  - flat_name: user.target.name.text
+    name: text
+    norms: false
+    type: text
+  name: name
+  normalize: []
+  original_fieldset: user
+  short: Short name or login of the user.
+  type: keyword
+user.target.roles:
+  dashed_name: user-target-roles
+  description: Array of user roles at the time of the event.
+  example: '["kibana_admin", "reporting_user"]'
+  flat_name: user.target.roles
+  ignore_above: 1024
+  level: extended
+  name: roles
+  normalize:
+  - array
+  original_fieldset: user
+  short: Array of user roles at the time of the event.
+  type: keyword
 user_agent.device.name:
   dashed_name: user-agent-device-name
   description: Name of the device.
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index c00c9c5173..eaa283a9a0 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -9602,6 +9602,138 @@ user:
     Fields can have one entry or multiple entries. If a user has more than one id,
     provide an array that includes all of them.'
   fields:
+    user.changes.domain:
+      dashed_name: user-changes-domain
+      description: 'Name of the directory the user is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      flat_name: user.changes.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      original_fieldset: user
+      short: Name of the directory the user is a member of.
+      type: keyword
+    user.changes.email:
+      dashed_name: user-changes-email
+      description: User email address.
+      flat_name: user.changes.email
+      ignore_above: 1024
+      level: extended
+      name: email
+      normalize: []
+      original_fieldset: user
+      short: User email address.
+      type: keyword
+    user.changes.full_name:
+      dashed_name: user-changes-full-name
+      description: User's full name, if available.
+      example: Albert Einstein
+      flat_name: user.changes.full_name
+      ignore_above: 1024
+      level: extended
+      multi_fields:
+      - flat_name: user.changes.full_name.text
+        name: text
+        norms: false
+        type: text
+      name: full_name
+      normalize: []
+      original_fieldset: user
+      short: User's full name, if available.
+      type: keyword
+    user.changes.group.domain:
+      dashed_name: user-changes-group-domain
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      flat_name: user.changes.group.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      original_fieldset: group
+      short: Name of the directory the group is a member of.
+      type: keyword
+    user.changes.group.id:
+      dashed_name: user-changes-group-id
+      description: Unique identifier for the group on the system/platform.
+      flat_name: user.changes.group.id
+      ignore_above: 1024
+      level: extended
+      name: id
+      normalize: []
+      original_fieldset: group
+      short: Unique identifier for the group on the system/platform.
+      type: keyword
+    user.changes.group.name:
+      dashed_name: user-changes-group-name
+      description: Name of the group.
+      flat_name: user.changes.group.name
+      ignore_above: 1024
+      level: extended
+      name: name
+      normalize: []
+      original_fieldset: group
+      short: Name of the group.
+      type: keyword
+    user.changes.hash:
+      dashed_name: user-changes-hash
+      description: 'Unique user hash to correlate information for a user in anonymized
+        form.
+
+        Useful if `user.id` or `user.name` contain confidential information and cannot
+        be used.'
+      flat_name: user.changes.hash
+      ignore_above: 1024
+      level: extended
+      name: hash
+      normalize: []
+      original_fieldset: user
+      short: Unique user hash to correlate information for a user in anonymized form.
+      type: keyword
+    user.changes.id:
+      dashed_name: user-changes-id
+      description: Unique identifier of the user.
+      flat_name: user.changes.id
+      ignore_above: 1024
+      level: core
+      name: id
+      normalize: []
+      original_fieldset: user
+      short: Unique identifier of the user.
+      type: keyword
+    user.changes.name:
+      dashed_name: user-changes-name
+      description: Short name or login of the user.
+      example: albert
+      flat_name: user.changes.name
+      ignore_above: 1024
+      level: core
+      multi_fields:
+      - flat_name: user.changes.name.text
+        name: text
+        norms: false
+        type: text
+      name: name
+      normalize: []
+      original_fieldset: user
+      short: Short name or login of the user.
+      type: keyword
+    user.changes.roles:
+      dashed_name: user-changes-roles
+      description: Array of user roles at the time of the event.
+      example: '["kibana_admin", "reporting_user"]'
+      flat_name: user.changes.roles
+      ignore_above: 1024
+      level: extended
+      name: roles
+      normalize:
+      - array
+      original_fieldset: user
+      short: Array of user roles at the time of the event.
+      type: keyword
     user.domain:
       dashed_name: user-domain
       description: 'Name of the directory the user is a member of.
@@ -9614,6 +9746,138 @@ user:
       normalize: []
       short: Name of the directory the user is a member of.
       type: keyword
+    user.effective.domain:
+      dashed_name: user-effective-domain
+      description: 'Name of the directory the user is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      flat_name: user.effective.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      original_fieldset: user
+      short: Name of the directory the user is a member of.
+      type: keyword
+    user.effective.email:
+      dashed_name: user-effective-email
+      description: User email address.
+      flat_name: user.effective.email
+      ignore_above: 1024
+      level: extended
+      name: email
+      normalize: []
+      original_fieldset: user
+      short: User email address.
+      type: keyword
+    user.effective.full_name:
+      dashed_name: user-effective-full-name
+      description: User's full name, if available.
+      example: Albert Einstein
+      flat_name: user.effective.full_name
+      ignore_above: 1024
+      level: extended
+      multi_fields:
+      - flat_name: user.effective.full_name.text
+        name: text
+        norms: false
+        type: text
+      name: full_name
+      normalize: []
+      original_fieldset: user
+      short: User's full name, if available.
+      type: keyword
+    user.effective.group.domain:
+      dashed_name: user-effective-group-domain
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      flat_name: user.effective.group.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      original_fieldset: group
+      short: Name of the directory the group is a member of.
+      type: keyword
+    user.effective.group.id:
+      dashed_name: user-effective-group-id
+      description: Unique identifier for the group on the system/platform.
+      flat_name: user.effective.group.id
+      ignore_above: 1024
+      level: extended
+      name: id
+      normalize: []
+      original_fieldset: group
+      short: Unique identifier for the group on the system/platform.
+      type: keyword
+    user.effective.group.name:
+      dashed_name: user-effective-group-name
+      description: Name of the group.
+      flat_name: user.effective.group.name
+      ignore_above: 1024
+      level: extended
+      name: name
+      normalize: []
+      original_fieldset: group
+      short: Name of the group.
+      type: keyword
+    user.effective.hash:
+      dashed_name: user-effective-hash
+      description: 'Unique user hash to correlate information for a user in anonymized
+        form.
+
+        Useful if `user.id` or `user.name` contain confidential information and cannot
+        be used.'
+      flat_name: user.effective.hash
+      ignore_above: 1024
+      level: extended
+      name: hash
+      normalize: []
+      original_fieldset: user
+      short: Unique user hash to correlate information for a user in anonymized form.
+      type: keyword
+    user.effective.id:
+      dashed_name: user-effective-id
+      description: Unique identifier of the user.
+      flat_name: user.effective.id
+      ignore_above: 1024
+      level: core
+      name: id
+      normalize: []
+      original_fieldset: user
+      short: Unique identifier of the user.
+      type: keyword
+    user.effective.name:
+      dashed_name: user-effective-name
+      description: Short name or login of the user.
+      example: albert
+      flat_name: user.effective.name
+      ignore_above: 1024
+      level: core
+      multi_fields:
+      - flat_name: user.effective.name.text
+        name: text
+        norms: false
+        type: text
+      name: name
+      normalize: []
+      original_fieldset: user
+      short: Short name or login of the user.
+      type: keyword
+    user.effective.roles:
+      dashed_name: user-effective-roles
+      description: Array of user roles at the time of the event.
+      example: '["kibana_admin", "reporting_user"]'
+      flat_name: user.effective.roles
+      ignore_above: 1024
+      level: extended
+      name: roles
+      normalize:
+      - array
+      original_fieldset: user
+      short: Array of user roles at the time of the event.
+      type: keyword
     user.email:
       dashed_name: user-email
       description: User email address.
@@ -9727,10 +9991,145 @@ user:
       - array
       short: Array of user roles at the time of the event.
       type: keyword
+    user.target.domain:
+      dashed_name: user-target-domain
+      description: 'Name of the directory the user is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      flat_name: user.target.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      original_fieldset: user
+      short: Name of the directory the user is a member of.
+      type: keyword
+    user.target.email:
+      dashed_name: user-target-email
+      description: User email address.
+      flat_name: user.target.email
+      ignore_above: 1024
+      level: extended
+      name: email
+      normalize: []
+      original_fieldset: user
+      short: User email address.
+      type: keyword
+    user.target.full_name:
+      dashed_name: user-target-full-name
+      description: User's full name, if available.
+      example: Albert Einstein
+      flat_name: user.target.full_name
+      ignore_above: 1024
+      level: extended
+      multi_fields:
+      - flat_name: user.target.full_name.text
+        name: text
+        norms: false
+        type: text
+      name: full_name
+      normalize: []
+      original_fieldset: user
+      short: User's full name, if available.
+      type: keyword
+    user.target.group.domain:
+      dashed_name: user-target-group-domain
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      flat_name: user.target.group.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      original_fieldset: group
+      short: Name of the directory the group is a member of.
+      type: keyword
+    user.target.group.id:
+      dashed_name: user-target-group-id
+      description: Unique identifier for the group on the system/platform.
+      flat_name: user.target.group.id
+      ignore_above: 1024
+      level: extended
+      name: id
+      normalize: []
+      original_fieldset: group
+      short: Unique identifier for the group on the system/platform.
+      type: keyword
+    user.target.group.name:
+      dashed_name: user-target-group-name
+      description: Name of the group.
+      flat_name: user.target.group.name
+      ignore_above: 1024
+      level: extended
+      name: name
+      normalize: []
+      original_fieldset: group
+      short: Name of the group.
+      type: keyword
+    user.target.hash:
+      dashed_name: user-target-hash
+      description: 'Unique user hash to correlate information for a user in anonymized
+        form.
+
+        Useful if `user.id` or `user.name` contain confidential information and cannot
+        be used.'
+      flat_name: user.target.hash
+      ignore_above: 1024
+      level: extended
+      name: hash
+      normalize: []
+      original_fieldset: user
+      short: Unique user hash to correlate information for a user in anonymized form.
+      type: keyword
+    user.target.id:
+      dashed_name: user-target-id
+      description: Unique identifier of the user.
+      flat_name: user.target.id
+      ignore_above: 1024
+      level: core
+      name: id
+      normalize: []
+      original_fieldset: user
+      short: Unique identifier of the user.
+      type: keyword
+    user.target.name:
+      dashed_name: user-target-name
+      description: Short name or login of the user.
+      example: albert
+      flat_name: user.target.name
+      ignore_above: 1024
+      level: core
+      multi_fields:
+      - flat_name: user.target.name.text
+        name: text
+        norms: false
+        type: text
+      name: name
+      normalize: []
+      original_fieldset: user
+      short: Short name or login of the user.
+      type: keyword
+    user.target.roles:
+      dashed_name: user-target-roles
+      description: Array of user roles at the time of the event.
+      example: '["kibana_admin", "reporting_user"]'
+      flat_name: user.target.roles
+      ignore_above: 1024
+      level: extended
+      name: roles
+      normalize:
+      - array
+      original_fieldset: user
+      short: Array of user roles at the time of the event.
+      type: keyword
   group: 2
   name: user
   nestings:
+  - user.changes
+  - user.effective
   - user.group
+  - user.target
   prefix: user.
   reusable:
     expected:
@@ -9749,11 +10148,35 @@ user:
     - as: user
       at: source
       full: source.user
+    - as: target
+      at: user
+      beta: Reusing the user fields in this location is currently considered beta.
+      full: user.target
+    - as: effective
+      at: user
+      beta: Reusing the user fields in this location is currently considered beta.
+      full: user.effective
+    - as: changes
+      at: user
+      beta: Reusing the user fields in this location is currently considered beta.
+      full: user.changes
     top_level: true
   reused_here:
   - full: user.group
     schema_name: group
     short: User's group relevant to the event.
+  - beta: Reusing the user fields in this location is currently considered beta.
+    full: user.target
+    schema_name: user
+    short: Fields to describe the user relevant to the event.
+  - beta: Reusing the user fields in this location is currently considered beta.
+    full: user.effective
+    schema_name: user
+    short: Fields to describe the user relevant to the event.
+  - beta: Reusing the user fields in this location is currently considered beta.
+    full: user.changes
+    schema_name: user
+    short: Fields to describe the user relevant to the event.
   short: Fields to describe the user relevant to the event.
   title: User
   type: group
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json
index e36eb3038f..bf81034aec 100644
--- a/generated/elasticsearch/6/template.json
+++ b/generated/elasticsearch/6/template.json
@@ -3053,10 +3053,130 @@
         },
         "user": {
           "properties": {
+            "changes": {
+              "properties": {
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "email": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full_name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "group": {
+                  "properties": {
+                    "domain": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "hash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "roles": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
             "domain": {
               "ignore_above": 1024,
               "type": "keyword"
             },
+            "effective": {
+              "properties": {
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "email": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full_name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "group": {
+                  "properties": {
+                    "domain": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "hash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "roles": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
             "email": {
               "ignore_above": 1024,
               "type": "keyword"
@@ -3108,6 +3228,66 @@
             "roles": {
               "ignore_above": 1024,
               "type": "keyword"
+            },
+            "target": {
+              "properties": {
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "email": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full_name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "group": {
+                  "properties": {
+                    "domain": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "hash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "roles": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
             }
           }
         },
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json
index 2abf80257d..4b94205762 100644
--- a/generated/elasticsearch/7/template.json
+++ b/generated/elasticsearch/7/template.json
@@ -3052,10 +3052,130 @@
       },
       "user": {
         "properties": {
+          "changes": {
+            "properties": {
+              "domain": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "email": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "full_name": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "group": {
+                "properties": {
+                  "domain": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "hash": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "name": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "roles": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
           "domain": {
             "ignore_above": 1024,
             "type": "keyword"
           },
+          "effective": {
+            "properties": {
+              "domain": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "email": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "full_name": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "group": {
+                "properties": {
+                  "domain": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "hash": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "name": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "roles": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
           "email": {
             "ignore_above": 1024,
             "type": "keyword"
@@ -3107,6 +3227,66 @@
           "roles": {
             "ignore_above": 1024,
             "type": "keyword"
+          },
+          "target": {
+            "properties": {
+              "domain": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "email": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "full_name": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "group": {
+                "properties": {
+                  "domain": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "hash": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "name": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "roles": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
           }
         }
       },
diff --git a/schemas/user.yml b/schemas/user.yml
index f4f10750a7..0fe7a32411 100644
--- a/schemas/user.yml
+++ b/schemas/user.yml
@@ -18,6 +18,15 @@
       - host
       - server
       - source
+      - at: user
+        as: target
+        beta: Reusing the user fields in this location is currently considered beta.
+      - at: user
+        as: effective
+        beta: Reusing the user fields in this location is currently considered beta.
+      - at: user
+        as: changes
+        beta: Reusing the user fields in this location is currently considered beta.
 
       # TODO Temporarily commented out to simplify initial rewrite review
 

From 3a22a0802999b31a9474c96a3f1c25b66892585c Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Tue, 8 Dec 2020 16:24:37 -0600
Subject: [PATCH 55/90] [1.x] Handle `error.stack_trace` case for ES 6.x
 template (#1176) (#1177)

---
 CHANGELOG.next.md                 | 2 +-
 scripts/generators/es_template.py | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 2488a956e5..641bbd272d 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -51,7 +51,7 @@ Thanks, you're awesome :-) -->
 
 * Added a notice highlighting that the `tracing` fields are not nested under the
   namespace `tracing.` #1162
-* ES 6.x template data types will fallback to supported types. #1171
+* ES 6.x template data types will fallback to supported types. #1171, #1176
 
 #### Deprecated
 
diff --git a/scripts/generators/es_template.py b/scripts/generators/es_template.py
index bb56356a5a..65dc871a2e 100644
--- a/scripts/generators/es_template.py
+++ b/scripts/generators/es_template.py
@@ -97,6 +97,13 @@ def generate_template_version(elasticsearch_version, mappings_section, out_dir,
     if elasticsearch_version == 6:
         es6_mappings_section = copy.deepcopy(mappings_section)
         es6_type_fallback(es6_mappings_section['properties'])
+
+        # error.stack_trace needs special handling to set
+        # index: false and doc_values: false
+        error_stack_trace_mappings = es6_mappings_section['properties']['error']['properties']['stack_trace']
+        error_stack_trace_mappings.setdefault('index', False)
+        error_stack_trace_mappings.setdefault('doc_values', False)
+
         template['mappings'] = {'_doc': es6_mappings_section}
     else:
         template['mappings'] = mappings_section

From ec42319058d444d13d0c1dd3cf1ed4cd70ff15eb Mon Sep 17 00:00:00 2001
From: Mathieu Martin <mathieu.martin@elastic.co>
Date: Wed, 9 Dec 2020 15:46:23 -0500
Subject: [PATCH 56/90] [1.x] Add composable index templates artifacts (#1156)
 (#1179)

---
 CHANGELOG.next.md                             |   1 +
 Makefile                                      |   2 +-
 .../generated/elasticsearch/7/template.json   |   6 +-
 .../elasticsearch/component/agent.json        |  43 +++
 .../elasticsearch/component/base.json         |  26 ++
 .../elasticsearch/component/client.json       | 171 +++++++++
 .../elasticsearch/component/cloud.json        |  72 ++++
 .../elasticsearch/component/container.json    |  43 +++
 .../elasticsearch/component/destination.json  | 171 +++++++++
 .../elasticsearch/component/dll.json          |  96 +++++
 .../elasticsearch/component/dns.json          |  89 +++++
 .../elasticsearch/component/ecs.json          |  20 +
 .../elasticsearch/component/error.json        |  40 ++
 .../elasticsearch/component/event.json        | 109 ++++++
 .../elasticsearch/component/file.json         | 280 ++++++++++++++
 .../elasticsearch/component/group.json        |  28 ++
 .../elasticsearch/component/host.json         | 182 +++++++++
 .../elasticsearch/component/http.json         |  84 +++++
 .../elasticsearch/component/log.json          |  85 +++++
 .../elasticsearch/component/network.json      |  86 +++++
 .../elasticsearch/component/observer.json     | 201 ++++++++++
 .../elasticsearch/component/organization.json |  29 ++
 .../elasticsearch/component/package.json      |  66 ++++
 .../elasticsearch/component/process.json      | 332 ++++++++++++++++
 .../elasticsearch/component/registry.json     |  45 +++
 .../elasticsearch/component/related.json      |  31 ++
 .../elasticsearch/component/rule.json         |  56 +++
 .../elasticsearch/component/server.json       | 171 +++++++++
 .../elasticsearch/component/service.json      |  48 +++
 .../elasticsearch/component/source.json       | 171 +++++++++
 .../elasticsearch/component/threat.json       |  80 ++++
 .../elasticsearch/component/tls.json          | 346 +++++++++++++++++
 .../elasticsearch/component/tracing.json      |  36 ++
 .../elasticsearch/component/url.json          |  78 ++++
 .../elasticsearch/component/user.json         | 240 ++++++++++++
 .../elasticsearch/component/user_agent.json   |  83 ++++
 .../component/vulnerability.json              |  79 ++++
 .../generated/elasticsearch/template.json     |  71 ++++
 generated/README.md                           |  25 +-
 generated/elasticsearch/6/template.json       |   6 +-
 generated/elasticsearch/7/template.json       |   6 +-
 generated/elasticsearch/README.md             | 145 ++++++-
 generated/elasticsearch/component/agent.json  |  44 +++
 generated/elasticsearch/component/base.json   |  26 ++
 generated/elasticsearch/component/client.json | 178 +++++++++
 generated/elasticsearch/component/cloud.json  |  72 ++++
 .../elasticsearch/component/container.json    |  43 +++
 .../elasticsearch/component/destination.json  | 178 +++++++++
 generated/elasticsearch/component/dll.json    |  97 +++++
 generated/elasticsearch/component/dns.json    |  91 +++++
 generated/elasticsearch/component/ecs.json    |  20 +
 generated/elasticsearch/component/error.json  |  44 +++
 generated/elasticsearch/component/event.json  | 109 ++++++
 generated/elasticsearch/component/file.json   | 286 ++++++++++++++
 generated/elasticsearch/component/group.json  |  28 ++
 generated/elasticsearch/component/host.json   | 189 ++++++++++
 generated/elasticsearch/component/http.json   |  87 +++++
 generated/elasticsearch/component/log.json    |  87 +++++
 .../elasticsearch/component/network.json      |  86 +++++
 .../elasticsearch/component/observer.json     | 204 ++++++++++
 .../elasticsearch/component/organization.json |  30 ++
 .../elasticsearch/component/package.json      |  66 ++++
 .../elasticsearch/component/process.json      | 346 +++++++++++++++++
 .../elasticsearch/component/registry.json     |  48 +++
 .../elasticsearch/component/related.json      |  31 ++
 generated/elasticsearch/component/rule.json   |  56 +++
 generated/elasticsearch/component/server.json | 178 +++++++++
 .../elasticsearch/component/service.json      |  48 +++
 generated/elasticsearch/component/source.json | 178 +++++++++
 generated/elasticsearch/component/threat.json |  80 ++++
 generated/elasticsearch/component/tls.json    | 354 ++++++++++++++++++
 .../elasticsearch/component/tracing.json      |  36 ++
 generated/elasticsearch/component/url.json    |  83 ++++
 generated/elasticsearch/component/user.json   | 252 +++++++++++++
 .../elasticsearch/component/user_agent.json   |  86 +++++
 .../component/vulnerability.json              |  79 ++++
 generated/elasticsearch/template.json         |  71 ++++
 scripts/generator.py                          |   5 +-
 scripts/generators/es_template.py             | 160 ++++++--
 79 files changed, 7974 insertions(+), 61 deletions(-)
 create mode 100644 experimental/generated/elasticsearch/component/agent.json
 create mode 100644 experimental/generated/elasticsearch/component/base.json
 create mode 100644 experimental/generated/elasticsearch/component/client.json
 create mode 100644 experimental/generated/elasticsearch/component/cloud.json
 create mode 100644 experimental/generated/elasticsearch/component/container.json
 create mode 100644 experimental/generated/elasticsearch/component/destination.json
 create mode 100644 experimental/generated/elasticsearch/component/dll.json
 create mode 100644 experimental/generated/elasticsearch/component/dns.json
 create mode 100644 experimental/generated/elasticsearch/component/ecs.json
 create mode 100644 experimental/generated/elasticsearch/component/error.json
 create mode 100644 experimental/generated/elasticsearch/component/event.json
 create mode 100644 experimental/generated/elasticsearch/component/file.json
 create mode 100644 experimental/generated/elasticsearch/component/group.json
 create mode 100644 experimental/generated/elasticsearch/component/host.json
 create mode 100644 experimental/generated/elasticsearch/component/http.json
 create mode 100644 experimental/generated/elasticsearch/component/log.json
 create mode 100644 experimental/generated/elasticsearch/component/network.json
 create mode 100644 experimental/generated/elasticsearch/component/observer.json
 create mode 100644 experimental/generated/elasticsearch/component/organization.json
 create mode 100644 experimental/generated/elasticsearch/component/package.json
 create mode 100644 experimental/generated/elasticsearch/component/process.json
 create mode 100644 experimental/generated/elasticsearch/component/registry.json
 create mode 100644 experimental/generated/elasticsearch/component/related.json
 create mode 100644 experimental/generated/elasticsearch/component/rule.json
 create mode 100644 experimental/generated/elasticsearch/component/server.json
 create mode 100644 experimental/generated/elasticsearch/component/service.json
 create mode 100644 experimental/generated/elasticsearch/component/source.json
 create mode 100644 experimental/generated/elasticsearch/component/threat.json
 create mode 100644 experimental/generated/elasticsearch/component/tls.json
 create mode 100644 experimental/generated/elasticsearch/component/tracing.json
 create mode 100644 experimental/generated/elasticsearch/component/url.json
 create mode 100644 experimental/generated/elasticsearch/component/user.json
 create mode 100644 experimental/generated/elasticsearch/component/user_agent.json
 create mode 100644 experimental/generated/elasticsearch/component/vulnerability.json
 create mode 100644 experimental/generated/elasticsearch/template.json
 create mode 100644 generated/elasticsearch/component/agent.json
 create mode 100644 generated/elasticsearch/component/base.json
 create mode 100644 generated/elasticsearch/component/client.json
 create mode 100644 generated/elasticsearch/component/cloud.json
 create mode 100644 generated/elasticsearch/component/container.json
 create mode 100644 generated/elasticsearch/component/destination.json
 create mode 100644 generated/elasticsearch/component/dll.json
 create mode 100644 generated/elasticsearch/component/dns.json
 create mode 100644 generated/elasticsearch/component/ecs.json
 create mode 100644 generated/elasticsearch/component/error.json
 create mode 100644 generated/elasticsearch/component/event.json
 create mode 100644 generated/elasticsearch/component/file.json
 create mode 100644 generated/elasticsearch/component/group.json
 create mode 100644 generated/elasticsearch/component/host.json
 create mode 100644 generated/elasticsearch/component/http.json
 create mode 100644 generated/elasticsearch/component/log.json
 create mode 100644 generated/elasticsearch/component/network.json
 create mode 100644 generated/elasticsearch/component/observer.json
 create mode 100644 generated/elasticsearch/component/organization.json
 create mode 100644 generated/elasticsearch/component/package.json
 create mode 100644 generated/elasticsearch/component/process.json
 create mode 100644 generated/elasticsearch/component/registry.json
 create mode 100644 generated/elasticsearch/component/related.json
 create mode 100644 generated/elasticsearch/component/rule.json
 create mode 100644 generated/elasticsearch/component/server.json
 create mode 100644 generated/elasticsearch/component/service.json
 create mode 100644 generated/elasticsearch/component/source.json
 create mode 100644 generated/elasticsearch/component/threat.json
 create mode 100644 generated/elasticsearch/component/tls.json
 create mode 100644 generated/elasticsearch/component/tracing.json
 create mode 100644 generated/elasticsearch/component/url.json
 create mode 100644 generated/elasticsearch/component/user.json
 create mode 100644 generated/elasticsearch/component/user_agent.json
 create mode 100644 generated/elasticsearch/component/vulnerability.json
 create mode 100644 generated/elasticsearch/template.json

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 641bbd272d..ce5be6eab8 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -46,6 +46,7 @@ Thanks, you're awesome :-) -->
 * Added support in the generated Go source go for `wildcard`, `version`, and `constant_keyword` data types. #1050
 * Added support for marking fields, field sets, or field reuse as beta in the documentation. #1051
 * Added support for `constant_keyword`'s optional parameter `value`. #1112
+* Added component templates for ECS field sets. #1156
 
 #### Improvements
 
diff --git a/Makefile b/Makefile
index 67ee219d8a..327f64b49f 100644
--- a/Makefile
+++ b/Makefile
@@ -34,7 +34,7 @@ check-license-headers:
 # Clean deletes all temporary and generated content.
 .PHONY: clean
 clean:
-	rm -rf build
+	rm -rf build generated/elasticsearch/component experimental/generated/elasticsearch/component
 	# Clean all markdown files for use-cases
 	find ./use-cases -type f -name '*.md' -not -name 'README.md' -print0 | xargs -0 rm --
 
diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json
index 1ae21ee498..dfa18031da 100644
--- a/experimental/generated/elasticsearch/7/template.json
+++ b/experimental/generated/elasticsearch/7/template.json
@@ -1,11 +1,11 @@
 {
+  "_meta": {
+    "version": "1.8.0-dev+exp"
+  },
   "index_patterns": [
     "try-ecs-*"
   ],
   "mappings": {
-    "_meta": {
-      "version": "1.8.0-dev+exp"
-    },
     "date_detection": false,
     "dynamic_templates": [
       {
diff --git a/experimental/generated/elasticsearch/component/agent.json b/experimental/generated/elasticsearch/component/agent.json
new file mode 100644
index 0000000000..fb5c48723d
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/agent.json
@@ -0,0 +1,43 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html",
+    "ecs_version": "1.8.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "agent": {
+          "properties": {
+            "build": {
+              "properties": {
+                "original": {
+                  "type": "wildcard"
+                }
+              }
+            },
+            "ephemeral_id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/experimental/generated/elasticsearch/component/base.json b/experimental/generated/elasticsearch/component/base.json
new file mode 100644
index 0000000000..f99eeef699
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/base.json
@@ -0,0 +1,26 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+    "ecs_version": "1.8.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "@timestamp": {
+          "type": "date"
+        },
+        "labels": {
+          "type": "object"
+        },
+        "message": {
+          "norms": false,
+          "type": "text"
+        },
+        "tags": {
+          "ignore_above": 1024,
+          "type": "keyword"
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/experimental/generated/elasticsearch/component/client.json b/experimental/generated/elasticsearch/component/client.json
new file mode 100644
index 0000000000..15ddc75390
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/client.json
@@ -0,0 +1,171 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html",
+    "ecs_version": "1.8.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "client": {
+          "properties": {
+            "address": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "as": {
+              "properties": {
+                "number": {
+                  "type": "long"
+                },
+                "organization": {
+                  "properties": {
+                    "name": {
+                      "fields": {
+                        "text": {
+                          "norms": false,
+                          "type": "text"
+                        }
+                      },
+                      "type": "wildcard"
+                    }
+                  }
+                }
+              }
+            },
+            "bytes": {
+              "type": "long"
+            },
+            "domain": {
+              "type": "wildcard"
+            },
+            "geo": {
+              "properties": {
+                "city_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "continent_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "location": {
+                  "type": "geo_point"
+                },
+                "name": {
+                  "type": "wildcard"
+                },
+                "region_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "ip": {
+              "type": "ip"
+            },
+            "mac": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "nat": {
+              "properties": {
+                "ip": {
+                  "type": "ip"
+                },
+                "port": {
+                  "type": "long"
+                }
+              }
+            },
+            "packets": {
+              "type": "long"
+            },
+            "port": {
+              "type": "long"
+            },
+            "registered_domain": {
+              "type": "wildcard"
+            },
+            "subdomain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "top_level_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "user": {
+              "properties": {
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "email": {
+                  "type": "wildcard"
+                },
+                "full_name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "type": "wildcard"
+                },
+                "group": {
+                  "properties": {
+                    "domain": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "hash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "type": "wildcard"
+                },
+                "roles": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/experimental/generated/elasticsearch/component/cloud.json b/experimental/generated/elasticsearch/component/cloud.json
new file mode 100644
index 0000000000..ff7311dafe
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/cloud.json
@@ -0,0 +1,72 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html",
+    "ecs_version": "1.8.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "cloud": {
+          "properties": {
+            "account": {
+              "properties": {
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "availability_zone": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "instance": {
+              "properties": {
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "machine": {
+              "properties": {
+                "type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "project": {
+              "properties": {
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "provider": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "region": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/experimental/generated/elasticsearch/component/container.json b/experimental/generated/elasticsearch/component/container.json
new file mode 100644
index 0000000000..8141acb5b2
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/container.json
@@ -0,0 +1,43 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-container.html",
+    "ecs_version": "1.8.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "container": {
+          "properties": {
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "image": {
+              "properties": {
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "tag": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "labels": {
+              "type": "object"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "runtime": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/experimental/generated/elasticsearch/component/destination.json b/experimental/generated/elasticsearch/component/destination.json
new file mode 100644
index 0000000000..3b26ce3896
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/destination.json
@@ -0,0 +1,171 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html",
+    "ecs_version": "1.8.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "destination": {
+          "properties": {
+            "address": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "as": {
+              "properties": {
+                "number": {
+                  "type": "long"
+                },
+                "organization": {
+                  "properties": {
+                    "name": {
+                      "fields": {
+                        "text": {
+                          "norms": false,
+                          "type": "text"
+                        }
+                      },
+                      "type": "wildcard"
+                    }
+                  }
+                }
+              }
+            },
+            "bytes": {
+              "type": "long"
+            },
+            "domain": {
+              "type": "wildcard"
+            },
+            "geo": {
+              "properties": {
+                "city_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "continent_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "location": {
+                  "type": "geo_point"
+                },
+                "name": {
+                  "type": "wildcard"
+                },
+                "region_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "ip": {
+              "type": "ip"
+            },
+            "mac": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "nat": {
+              "properties": {
+                "ip": {
+                  "type": "ip"
+                },
+                "port": {
+                  "type": "long"
+                }
+              }
+            },
+            "packets": {
+              "type": "long"
+            },
+            "port": {
+              "type": "long"
+            },
+            "registered_domain": {
+              "type": "wildcard"
+            },
+            "subdomain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "top_level_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "user": {
+              "properties": {
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "email": {
+                  "type": "wildcard"
+                },
+                "full_name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "type": "wildcard"
+                },
+                "group": {
+                  "properties": {
+                    "domain": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "hash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "type": "wildcard"
+                },
+                "roles": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/experimental/generated/elasticsearch/component/dll.json b/experimental/generated/elasticsearch/component/dll.json
new file mode 100644
index 0000000000..da68f2d771
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/dll.json
@@ -0,0 +1,96 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dll.html",
+    "ecs_version": "1.8.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "dll": {
+          "properties": {
+            "code_signature": {
+              "properties": {
+                "exists": {
+                  "type": "boolean"
+                },
+                "status": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "subject_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "trusted": {
+                  "type": "boolean"
+                },
+                "valid": {
+                  "type": "boolean"
+                }
+              }
+            },
+            "hash": {
+              "properties": {
+                "md5": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "sha1": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "sha256": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "sha512": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "path": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "pe": {
+              "properties": {
+                "architecture": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "company": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "description": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "file_version": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "imphash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "original_file_name": {
+                  "type": "wildcard"
+                },
+                "product": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/experimental/generated/elasticsearch/component/dns.json b/experimental/generated/elasticsearch/component/dns.json
new file mode 100644
index 0000000000..5060df8227
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/dns.json
@@ -0,0 +1,89 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html",
+    "ecs_version": "1.8.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "dns": {
+          "properties": {
+            "answers": {
+              "properties": {
+                "class": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "data": {
+                  "type": "wildcard"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "ttl": {
+                  "type": "long"
+                },
+                "type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              },
+              "type": "object"
+            },
+            "header_flags": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "op_code": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "question": {
+              "properties": {
+                "class": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "type": "wildcard"
+                },
+                "registered_domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "subdomain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "top_level_domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "resolved_ip": {
+              "type": "ip"
+            },
+            "response_code": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/experimental/generated/elasticsearch/component/ecs.json b/experimental/generated/elasticsearch/component/ecs.json
new file mode 100644
index 0000000000..244cf87db4
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/ecs.json
@@ -0,0 +1,20 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html",
+    "ecs_version": "1.8.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "ecs": {
+          "properties": {
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/experimental/generated/elasticsearch/component/error.json b/experimental/generated/elasticsearch/component/error.json
new file mode 100644
index 0000000000..4423a3a84c
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/error.json
@@ -0,0 +1,40 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-error.html",
+    "ecs_version": "1.8.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "error": {
+          "properties": {
+            "code": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "message": {
+              "norms": false,
+              "type": "text"
+            },
+            "stack_trace": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "type": "wildcard"
+            },
+            "type": {
+              "type": "wildcard"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/experimental/generated/elasticsearch/component/event.json b/experimental/generated/elasticsearch/component/event.json
new file mode 100644
index 0000000000..42a982b4bf
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/event.json
@@ -0,0 +1,109 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html",
+    "ecs_version": "1.8.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "event": {
+          "properties": {
+            "action": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "category": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "code": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "created": {
+              "type": "date"
+            },
+            "dataset": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "duration": {
+              "type": "long"
+            },
+            "end": {
+              "type": "date"
+            },
+            "hash": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "ingested": {
+              "type": "date"
+            },
+            "kind": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "module": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "original": {
+              "doc_values": false,
+              "ignore_above": 1024,
+              "index": false,
+              "type": "keyword"
+            },
+            "outcome": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "provider": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "reason": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "reference": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "risk_score": {
+              "type": "float"
+            },
+            "risk_score_norm": {
+              "type": "float"
+            },
+            "sequence": {
+              "type": "long"
+            },
+            "severity": {
+              "type": "long"
+            },
+            "start": {
+              "type": "date"
+            },
+            "timezone": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "url": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/experimental/generated/elasticsearch/component/file.json b/experimental/generated/elasticsearch/component/file.json
new file mode 100644
index 0000000000..5c1b4b6057
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/file.json
@@ -0,0 +1,280 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html",
+    "ecs_version": "1.8.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "file": {
+          "properties": {
+            "accessed": {
+              "type": "date"
+            },
+            "attributes": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "code_signature": {
+              "properties": {
+                "exists": {
+                  "type": "boolean"
+                },
+                "status": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "subject_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "trusted": {
+                  "type": "boolean"
+                },
+                "valid": {
+                  "type": "boolean"
+                }
+              }
+            },
+            "created": {
+              "type": "date"
+            },
+            "ctime": {
+              "type": "date"
+            },
+            "device": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "directory": {
+              "type": "wildcard"
+            },
+            "drive_letter": {
+              "ignore_above": 1,
+              "type": "keyword"
+            },
+            "extension": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "gid": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "group": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "hash": {
+              "properties": {
+                "md5": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "sha1": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "sha256": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "sha512": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "inode": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "mime_type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "mode": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "mtime": {
+              "type": "date"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "owner": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "path": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "type": "wildcard"
+            },
+            "pe": {
+              "properties": {
+                "architecture": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "company": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "description": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "file_version": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "imphash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "original_file_name": {
+                  "type": "wildcard"
+                },
+                "product": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "size": {
+              "type": "long"
+            },
+            "target_path": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "type": "wildcard"
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "uid": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "x509": {
+              "properties": {
+                "alternative_names": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "issuer": {
+                  "properties": {
+                    "common_name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "country": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "distinguished_name": {
+                      "type": "wildcard"
+                    },
+                    "locality": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "organization": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "organizational_unit": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "state_or_province": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "not_after": {
+                  "type": "date"
+                },
+                "not_before": {
+                  "type": "date"
+                },
+                "public_key_algorithm": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "public_key_curve": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "public_key_exponent": {
+                  "doc_values": false,
+                  "index": false,
+                  "type": "long"
+                },
+                "public_key_size": {
+                  "type": "long"
+                },
+                "serial_number": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "signature_algorithm": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "subject": {
+                  "properties": {
+                    "common_name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "country": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "distinguished_name": {
+                      "type": "wildcard"
+                    },
+                    "locality": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "organization": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "organizational_unit": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "state_or_province": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "version_number": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/experimental/generated/elasticsearch/component/group.json b/experimental/generated/elasticsearch/component/group.json
new file mode 100644
index 0000000000..f310f5c103
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/group.json
@@ -0,0 +1,28 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-group.html",
+    "ecs_version": "1.8.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "group": {
+          "properties": {
+            "domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/experimental/generated/elasticsearch/component/host.json b/experimental/generated/elasticsearch/component/host.json
new file mode 100644
index 0000000000..19c9898702
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/host.json
@@ -0,0 +1,182 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html",
+    "ecs_version": "1.8.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "host": {
+          "properties": {
+            "architecture": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "geo": {
+              "properties": {
+                "city_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "continent_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "location": {
+                  "type": "geo_point"
+                },
+                "name": {
+                  "type": "wildcard"
+                },
+                "region_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "hostname": {
+              "type": "wildcard"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "ip": {
+              "type": "ip"
+            },
+            "mac": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "os": {
+              "properties": {
+                "family": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "type": "wildcard"
+                },
+                "kernel": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "type": "wildcard"
+                },
+                "platform": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "version": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "uptime": {
+              "type": "long"
+            },
+            "user": {
+              "properties": {
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "email": {
+                  "type": "wildcard"
+                },
+                "full_name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "type": "wildcard"
+                },
+                "group": {
+                  "properties": {
+                    "domain": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "hash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "type": "wildcard"
+                },
+                "roles": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/experimental/generated/elasticsearch/component/http.json b/experimental/generated/elasticsearch/component/http.json
new file mode 100644
index 0000000000..5de0e679a7
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/http.json
@@ -0,0 +1,84 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html",
+    "ecs_version": "1.8.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "http": {
+          "properties": {
+            "request": {
+              "properties": {
+                "body": {
+                  "properties": {
+                    "bytes": {
+                      "type": "long"
+                    },
+                    "content": {
+                      "fields": {
+                        "text": {
+                          "norms": false,
+                          "type": "text"
+                        }
+                      },
+                      "type": "wildcard"
+                    }
+                  }
+                },
+                "bytes": {
+                  "type": "long"
+                },
+                "method": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "mime_type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "referrer": {
+                  "type": "wildcard"
+                }
+              }
+            },
+            "response": {
+              "properties": {
+                "body": {
+                  "properties": {
+                    "bytes": {
+                      "type": "long"
+                    },
+                    "content": {
+                      "fields": {
+                        "text": {
+                          "norms": false,
+                          "type": "text"
+                        }
+                      },
+                      "type": "wildcard"
+                    }
+                  }
+                },
+                "bytes": {
+                  "type": "long"
+                },
+                "mime_type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "status_code": {
+                  "type": "long"
+                }
+              }
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/experimental/generated/elasticsearch/component/log.json b/experimental/generated/elasticsearch/component/log.json
new file mode 100644
index 0000000000..81228a61ff
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/log.json
@@ -0,0 +1,85 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html",
+    "ecs_version": "1.8.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "log": {
+          "properties": {
+            "file": {
+              "properties": {
+                "path": {
+                  "type": "wildcard"
+                }
+              }
+            },
+            "level": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "logger": {
+              "type": "wildcard"
+            },
+            "origin": {
+              "properties": {
+                "file": {
+                  "properties": {
+                    "line": {
+                      "type": "integer"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "function": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "original": {
+              "doc_values": false,
+              "ignore_above": 1024,
+              "index": false,
+              "type": "keyword"
+            },
+            "syslog": {
+              "properties": {
+                "facility": {
+                  "properties": {
+                    "code": {
+                      "type": "long"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "priority": {
+                  "type": "long"
+                },
+                "severity": {
+                  "properties": {
+                    "code": {
+                      "type": "long"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                }
+              },
+              "type": "object"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/experimental/generated/elasticsearch/component/network.json b/experimental/generated/elasticsearch/component/network.json
new file mode 100644
index 0000000000..c2730e72d0
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/network.json
@@ -0,0 +1,86 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html",
+    "ecs_version": "1.8.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "network": {
+          "properties": {
+            "application": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "bytes": {
+              "type": "long"
+            },
+            "community_id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "direction": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "forwarded_ip": {
+              "type": "ip"
+            },
+            "iana_number": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "inner": {
+              "properties": {
+                "vlan": {
+                  "properties": {
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                }
+              },
+              "type": "object"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "packets": {
+              "type": "long"
+            },
+            "protocol": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "transport": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "vlan": {
+              "properties": {
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/experimental/generated/elasticsearch/component/observer.json b/experimental/generated/elasticsearch/component/observer.json
new file mode 100644
index 0000000000..ad34d29bbe
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/observer.json
@@ -0,0 +1,201 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html",
+    "ecs_version": "1.8.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "observer": {
+          "properties": {
+            "egress": {
+              "properties": {
+                "interface": {
+                  "properties": {
+                    "alias": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "vlan": {
+                  "properties": {
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "zone": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              },
+              "type": "object"
+            },
+            "geo": {
+              "properties": {
+                "city_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "continent_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "location": {
+                  "type": "geo_point"
+                },
+                "name": {
+                  "type": "wildcard"
+                },
+                "region_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "hostname": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "ingress": {
+              "properties": {
+                "interface": {
+                  "properties": {
+                    "alias": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "vlan": {
+                  "properties": {
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "zone": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              },
+              "type": "object"
+            },
+            "ip": {
+              "type": "ip"
+            },
+            "mac": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "os": {
+              "properties": {
+                "family": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "type": "wildcard"
+                },
+                "kernel": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "type": "wildcard"
+                },
+                "platform": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "version": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "product": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "serial_number": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "vendor": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/experimental/generated/elasticsearch/component/organization.json b/experimental/generated/elasticsearch/component/organization.json
new file mode 100644
index 0000000000..6af7d5ac6f
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/organization.json
@@ -0,0 +1,29 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-organization.html",
+    "ecs_version": "1.8.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "organization": {
+          "properties": {
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "type": "wildcard"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/experimental/generated/elasticsearch/component/package.json b/experimental/generated/elasticsearch/component/package.json
new file mode 100644
index 0000000000..af4633e8a4
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/package.json
@@ -0,0 +1,66 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-package.html",
+    "ecs_version": "1.8.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "package": {
+          "properties": {
+            "architecture": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "build_version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "checksum": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "description": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "install_scope": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "installed": {
+              "type": "date"
+            },
+            "license": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "path": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "reference": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "size": {
+              "type": "long"
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/experimental/generated/elasticsearch/component/process.json b/experimental/generated/elasticsearch/component/process.json
new file mode 100644
index 0000000000..e082f76b26
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/process.json
@@ -0,0 +1,332 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html",
+    "ecs_version": "1.8.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "process": {
+          "properties": {
+            "args": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "args_count": {
+              "type": "long"
+            },
+            "code_signature": {
+              "properties": {
+                "exists": {
+                  "type": "boolean"
+                },
+                "status": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "subject_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "trusted": {
+                  "type": "boolean"
+                },
+                "valid": {
+                  "type": "boolean"
+                }
+              }
+            },
+            "command_line": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "type": "wildcard"
+            },
+            "entity_id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "executable": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "type": "wildcard"
+            },
+            "exit_code": {
+              "type": "long"
+            },
+            "hash": {
+              "properties": {
+                "md5": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "sha1": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "sha256": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "sha512": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "name": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "type": "wildcard"
+            },
+            "parent": {
+              "properties": {
+                "args": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "args_count": {
+                  "type": "long"
+                },
+                "code_signature": {
+                  "properties": {
+                    "exists": {
+                      "type": "boolean"
+                    },
+                    "status": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "subject_name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "trusted": {
+                      "type": "boolean"
+                    },
+                    "valid": {
+                      "type": "boolean"
+                    }
+                  }
+                },
+                "command_line": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "type": "wildcard"
+                },
+                "entity_id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "executable": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "type": "wildcard"
+                },
+                "exit_code": {
+                  "type": "long"
+                },
+                "hash": {
+                  "properties": {
+                    "md5": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "sha1": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "sha256": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "sha512": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "type": "wildcard"
+                },
+                "pe": {
+                  "properties": {
+                    "architecture": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "company": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "description": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "file_version": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "imphash": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "original_file_name": {
+                      "type": "wildcard"
+                    },
+                    "product": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "pgid": {
+                  "type": "long"
+                },
+                "pid": {
+                  "type": "long"
+                },
+                "ppid": {
+                  "type": "long"
+                },
+                "start": {
+                  "type": "date"
+                },
+                "thread": {
+                  "properties": {
+                    "id": {
+                      "type": "long"
+                    },
+                    "name": {
+                      "type": "wildcard"
+                    }
+                  }
+                },
+                "title": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "type": "wildcard"
+                },
+                "uptime": {
+                  "type": "long"
+                },
+                "working_directory": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "type": "wildcard"
+                }
+              }
+            },
+            "pe": {
+              "properties": {
+                "architecture": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "company": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "description": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "file_version": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "imphash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "original_file_name": {
+                  "type": "wildcard"
+                },
+                "product": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "pgid": {
+              "type": "long"
+            },
+            "pid": {
+              "type": "long"
+            },
+            "ppid": {
+              "type": "long"
+            },
+            "start": {
+              "type": "date"
+            },
+            "thread": {
+              "properties": {
+                "id": {
+                  "type": "long"
+                },
+                "name": {
+                  "type": "wildcard"
+                }
+              }
+            },
+            "title": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "type": "wildcard"
+            },
+            "uptime": {
+              "type": "long"
+            },
+            "working_directory": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "type": "wildcard"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/experimental/generated/elasticsearch/component/registry.json b/experimental/generated/elasticsearch/component/registry.json
new file mode 100644
index 0000000000..96ced2ea54
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/registry.json
@@ -0,0 +1,45 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-registry.html",
+    "ecs_version": "1.8.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "registry": {
+          "properties": {
+            "data": {
+              "properties": {
+                "bytes": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "strings": {
+                  "type": "wildcard"
+                },
+                "type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "hive": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "key": {
+              "type": "wildcard"
+            },
+            "path": {
+              "type": "wildcard"
+            },
+            "value": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/experimental/generated/elasticsearch/component/related.json b/experimental/generated/elasticsearch/component/related.json
new file mode 100644
index 0000000000..c1ab9d53bd
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/related.json
@@ -0,0 +1,31 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html",
+    "ecs_version": "1.8.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "related": {
+          "properties": {
+            "hash": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "hosts": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "ip": {
+              "type": "ip"
+            },
+            "user": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/experimental/generated/elasticsearch/component/rule.json b/experimental/generated/elasticsearch/component/rule.json
new file mode 100644
index 0000000000..b41de85270
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/rule.json
@@ -0,0 +1,56 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html",
+    "ecs_version": "1.8.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "rule": {
+          "properties": {
+            "author": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "category": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "description": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "license": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "reference": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "ruleset": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "uuid": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/experimental/generated/elasticsearch/component/server.json b/experimental/generated/elasticsearch/component/server.json
new file mode 100644
index 0000000000..088a8834c9
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/server.json
@@ -0,0 +1,171 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html",
+    "ecs_version": "1.8.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "server": {
+          "properties": {
+            "address": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "as": {
+              "properties": {
+                "number": {
+                  "type": "long"
+                },
+                "organization": {
+                  "properties": {
+                    "name": {
+                      "fields": {
+                        "text": {
+                          "norms": false,
+                          "type": "text"
+                        }
+                      },
+                      "type": "wildcard"
+                    }
+                  }
+                }
+              }
+            },
+            "bytes": {
+              "type": "long"
+            },
+            "domain": {
+              "type": "wildcard"
+            },
+            "geo": {
+              "properties": {
+                "city_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "continent_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "location": {
+                  "type": "geo_point"
+                },
+                "name": {
+                  "type": "wildcard"
+                },
+                "region_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "ip": {
+              "type": "ip"
+            },
+            "mac": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "nat": {
+              "properties": {
+                "ip": {
+                  "type": "ip"
+                },
+                "port": {
+                  "type": "long"
+                }
+              }
+            },
+            "packets": {
+              "type": "long"
+            },
+            "port": {
+              "type": "long"
+            },
+            "registered_domain": {
+              "type": "wildcard"
+            },
+            "subdomain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "top_level_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "user": {
+              "properties": {
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "email": {
+                  "type": "wildcard"
+                },
+                "full_name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "type": "wildcard"
+                },
+                "group": {
+                  "properties": {
+                    "domain": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "hash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "type": "wildcard"
+                },
+                "roles": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/experimental/generated/elasticsearch/component/service.json b/experimental/generated/elasticsearch/component/service.json
new file mode 100644
index 0000000000..406a1b6035
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/service.json
@@ -0,0 +1,48 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html",
+    "ecs_version": "1.8.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "service": {
+          "properties": {
+            "ephemeral_id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "node": {
+              "properties": {
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "state": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/experimental/generated/elasticsearch/component/source.json b/experimental/generated/elasticsearch/component/source.json
new file mode 100644
index 0000000000..34b49ff5ac
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/source.json
@@ -0,0 +1,171 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html",
+    "ecs_version": "1.8.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "source": {
+          "properties": {
+            "address": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "as": {
+              "properties": {
+                "number": {
+                  "type": "long"
+                },
+                "organization": {
+                  "properties": {
+                    "name": {
+                      "fields": {
+                        "text": {
+                          "norms": false,
+                          "type": "text"
+                        }
+                      },
+                      "type": "wildcard"
+                    }
+                  }
+                }
+              }
+            },
+            "bytes": {
+              "type": "long"
+            },
+            "domain": {
+              "type": "wildcard"
+            },
+            "geo": {
+              "properties": {
+                "city_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "continent_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "location": {
+                  "type": "geo_point"
+                },
+                "name": {
+                  "type": "wildcard"
+                },
+                "region_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "ip": {
+              "type": "ip"
+            },
+            "mac": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "nat": {
+              "properties": {
+                "ip": {
+                  "type": "ip"
+                },
+                "port": {
+                  "type": "long"
+                }
+              }
+            },
+            "packets": {
+              "type": "long"
+            },
+            "port": {
+              "type": "long"
+            },
+            "registered_domain": {
+              "type": "wildcard"
+            },
+            "subdomain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "top_level_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "user": {
+              "properties": {
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "email": {
+                  "type": "wildcard"
+                },
+                "full_name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "type": "wildcard"
+                },
+                "group": {
+                  "properties": {
+                    "domain": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "hash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "type": "wildcard"
+                },
+                "roles": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/experimental/generated/elasticsearch/component/threat.json b/experimental/generated/elasticsearch/component/threat.json
new file mode 100644
index 0000000000..fc11a704d4
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/threat.json
@@ -0,0 +1,80 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-threat.html",
+    "ecs_version": "1.8.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "threat": {
+          "properties": {
+            "framework": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "tactic": {
+              "properties": {
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "reference": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "technique": {
+              "properties": {
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "reference": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "subtechnique": {
+                  "properties": {
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "fields": {
+                        "text": {
+                          "norms": false,
+                          "type": "text"
+                        }
+                      },
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "reference": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/experimental/generated/elasticsearch/component/tls.json b/experimental/generated/elasticsearch/component/tls.json
new file mode 100644
index 0000000000..b408cc9ef1
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/tls.json
@@ -0,0 +1,346 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tls.html",
+    "ecs_version": "1.8.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "tls": {
+          "properties": {
+            "cipher": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "client": {
+              "properties": {
+                "certificate": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "certificate_chain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "hash": {
+                  "properties": {
+                    "md5": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "sha1": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "sha256": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "issuer": {
+                  "type": "wildcard"
+                },
+                "ja3": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "not_after": {
+                  "type": "date"
+                },
+                "not_before": {
+                  "type": "date"
+                },
+                "server_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "subject": {
+                  "type": "wildcard"
+                },
+                "supported_ciphers": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "x509": {
+                  "properties": {
+                    "alternative_names": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "issuer": {
+                      "properties": {
+                        "common_name": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "country": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "distinguished_name": {
+                          "type": "wildcard"
+                        },
+                        "locality": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "organization": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "organizational_unit": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "state_or_province": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        }
+                      }
+                    },
+                    "not_after": {
+                      "type": "date"
+                    },
+                    "not_before": {
+                      "type": "date"
+                    },
+                    "public_key_algorithm": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "public_key_curve": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "public_key_exponent": {
+                      "doc_values": false,
+                      "index": false,
+                      "type": "long"
+                    },
+                    "public_key_size": {
+                      "type": "long"
+                    },
+                    "serial_number": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "signature_algorithm": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "subject": {
+                      "properties": {
+                        "common_name": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "country": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "distinguished_name": {
+                          "type": "wildcard"
+                        },
+                        "locality": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "organization": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "organizational_unit": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "state_or_province": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        }
+                      }
+                    },
+                    "version_number": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                }
+              }
+            },
+            "curve": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "established": {
+              "type": "boolean"
+            },
+            "next_protocol": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "resumed": {
+              "type": "boolean"
+            },
+            "server": {
+              "properties": {
+                "certificate": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "certificate_chain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "hash": {
+                  "properties": {
+                    "md5": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "sha1": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "sha256": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "issuer": {
+                  "type": "wildcard"
+                },
+                "ja3s": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "not_after": {
+                  "type": "date"
+                },
+                "not_before": {
+                  "type": "date"
+                },
+                "subject": {
+                  "type": "wildcard"
+                },
+                "x509": {
+                  "properties": {
+                    "alternative_names": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "issuer": {
+                      "properties": {
+                        "common_name": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "country": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "distinguished_name": {
+                          "type": "wildcard"
+                        },
+                        "locality": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "organization": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "organizational_unit": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "state_or_province": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        }
+                      }
+                    },
+                    "not_after": {
+                      "type": "date"
+                    },
+                    "not_before": {
+                      "type": "date"
+                    },
+                    "public_key_algorithm": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "public_key_curve": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "public_key_exponent": {
+                      "doc_values": false,
+                      "index": false,
+                      "type": "long"
+                    },
+                    "public_key_size": {
+                      "type": "long"
+                    },
+                    "serial_number": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "signature_algorithm": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "subject": {
+                      "properties": {
+                        "common_name": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "country": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "distinguished_name": {
+                          "type": "wildcard"
+                        },
+                        "locality": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "organization": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "organizational_unit": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "state_or_province": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        }
+                      }
+                    },
+                    "version_number": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                }
+              }
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "version_protocol": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/experimental/generated/elasticsearch/component/tracing.json b/experimental/generated/elasticsearch/component/tracing.json
new file mode 100644
index 0000000000..93d265526a
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/tracing.json
@@ -0,0 +1,36 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html",
+    "ecs_version": "1.8.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "span": {
+          "properties": {
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "trace": {
+          "properties": {
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "transaction": {
+          "properties": {
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/experimental/generated/elasticsearch/component/url.json b/experimental/generated/elasticsearch/component/url.json
new file mode 100644
index 0000000000..7c9d8e0f5b
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/url.json
@@ -0,0 +1,78 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html",
+    "ecs_version": "1.8.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "url": {
+          "properties": {
+            "domain": {
+              "type": "wildcard"
+            },
+            "extension": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "fragment": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "full": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "type": "wildcard"
+            },
+            "original": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "type": "wildcard"
+            },
+            "password": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "path": {
+              "type": "wildcard"
+            },
+            "port": {
+              "type": "long"
+            },
+            "query": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "registered_domain": {
+              "type": "wildcard"
+            },
+            "scheme": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "subdomain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "top_level_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "username": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/experimental/generated/elasticsearch/component/user.json b/experimental/generated/elasticsearch/component/user.json
new file mode 100644
index 0000000000..b06e2205dd
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/user.json
@@ -0,0 +1,240 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html",
+    "ecs_version": "1.8.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "user": {
+          "properties": {
+            "changes": {
+              "properties": {
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "email": {
+                  "type": "wildcard"
+                },
+                "full_name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "type": "wildcard"
+                },
+                "group": {
+                  "properties": {
+                    "domain": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "hash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "type": "wildcard"
+                },
+                "roles": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "effective": {
+              "properties": {
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "email": {
+                  "type": "wildcard"
+                },
+                "full_name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "type": "wildcard"
+                },
+                "group": {
+                  "properties": {
+                    "domain": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "hash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "type": "wildcard"
+                },
+                "roles": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "email": {
+              "type": "wildcard"
+            },
+            "full_name": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "type": "wildcard"
+            },
+            "group": {
+              "properties": {
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "hash": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "type": "wildcard"
+            },
+            "roles": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "target": {
+              "properties": {
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "email": {
+                  "type": "wildcard"
+                },
+                "full_name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "type": "wildcard"
+                },
+                "group": {
+                  "properties": {
+                    "domain": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "hash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "type": "wildcard"
+                },
+                "roles": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/experimental/generated/elasticsearch/component/user_agent.json b/experimental/generated/elasticsearch/component/user_agent.json
new file mode 100644
index 0000000000..90d6220b01
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/user_agent.json
@@ -0,0 +1,83 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html",
+    "ecs_version": "1.8.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "user_agent": {
+          "properties": {
+            "device": {
+              "properties": {
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "original": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "type": "wildcard"
+            },
+            "os": {
+              "properties": {
+                "family": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "type": "wildcard"
+                },
+                "kernel": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "type": "wildcard"
+                },
+                "platform": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "version": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/experimental/generated/elasticsearch/component/vulnerability.json b/experimental/generated/elasticsearch/component/vulnerability.json
new file mode 100644
index 0000000000..9b1b6c0289
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/vulnerability.json
@@ -0,0 +1,79 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html",
+    "ecs_version": "1.8.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "vulnerability": {
+          "properties": {
+            "category": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "classification": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "description": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "enumeration": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "reference": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "report_id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "scanner": {
+              "properties": {
+                "vendor": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "score": {
+              "properties": {
+                "base": {
+                  "type": "float"
+                },
+                "environmental": {
+                  "type": "float"
+                },
+                "temporal": {
+                  "type": "float"
+                },
+                "version": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "severity": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/experimental/generated/elasticsearch/template.json b/experimental/generated/elasticsearch/template.json
new file mode 100644
index 0000000000..44ea72094d
--- /dev/null
+++ b/experimental/generated/elasticsearch/template.json
@@ -0,0 +1,71 @@
+{
+  "_meta": {
+    "description": "Sample composable template that includes all ECS fields",
+    "ecs_version": "1.8.0-dev+exp"
+  },
+  "composed_of": [
+    "ecs_1.8.0-dev-exp_agent",
+    "ecs_1.8.0-dev-exp_base",
+    "ecs_1.8.0-dev-exp_client",
+    "ecs_1.8.0-dev-exp_cloud",
+    "ecs_1.8.0-dev-exp_container",
+    "ecs_1.8.0-dev-exp_destination",
+    "ecs_1.8.0-dev-exp_dll",
+    "ecs_1.8.0-dev-exp_dns",
+    "ecs_1.8.0-dev-exp_ecs",
+    "ecs_1.8.0-dev-exp_error",
+    "ecs_1.8.0-dev-exp_event",
+    "ecs_1.8.0-dev-exp_file",
+    "ecs_1.8.0-dev-exp_group",
+    "ecs_1.8.0-dev-exp_host",
+    "ecs_1.8.0-dev-exp_http",
+    "ecs_1.8.0-dev-exp_log",
+    "ecs_1.8.0-dev-exp_network",
+    "ecs_1.8.0-dev-exp_observer",
+    "ecs_1.8.0-dev-exp_organization",
+    "ecs_1.8.0-dev-exp_package",
+    "ecs_1.8.0-dev-exp_process",
+    "ecs_1.8.0-dev-exp_registry",
+    "ecs_1.8.0-dev-exp_related",
+    "ecs_1.8.0-dev-exp_rule",
+    "ecs_1.8.0-dev-exp_server",
+    "ecs_1.8.0-dev-exp_service",
+    "ecs_1.8.0-dev-exp_source",
+    "ecs_1.8.0-dev-exp_threat",
+    "ecs_1.8.0-dev-exp_tls",
+    "ecs_1.8.0-dev-exp_tracing",
+    "ecs_1.8.0-dev-exp_url",
+    "ecs_1.8.0-dev-exp_user",
+    "ecs_1.8.0-dev-exp_user_agent",
+    "ecs_1.8.0-dev-exp_vulnerability"
+  ],
+  "index_patterns": [
+    "try-ecs-*"
+  ],
+  "priority": 1,
+  "template": {
+    "mappings": {
+      "date_detection": false,
+      "dynamic_templates": [
+        {
+          "strings_as_keyword": {
+            "mapping": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "match_mapping_type": "string"
+          }
+        }
+      ]
+    },
+    "settings": {
+      "index": {
+        "mapping": {
+          "total_fields": {
+            "limit": 2000
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/generated/README.md b/generated/README.md
index 3972963bae..89b5f34a98 100644
--- a/generated/README.md
+++ b/generated/README.md
@@ -4,23 +4,26 @@ Various kinds of files or programs can be generated directly based on ECS.
 
 In this directory, you'll find the following:
 
-* `beats/fields.ecs.yml`: The YAML field definition file used by Beats to import ECS in it's broader
-  field schema.
+* [beats/fields.ecs.yml](beats/fields.ecs.yml): The YAML field definition file
+  used by **Beats to import ECS** in it's broader field schema. This might also
+  be useful to community Beats maintainers.
 
-* `csv/fields.csv`: A csv file you can use to import ECS field definitions
-in a spreadsheet.
+* [csv/fields.csv](csv/fields.csv): A csv file you can use to import ECS field
+  definitions in a **spreadsheet**. GitHub's csv rendering lets you filter
+  the fields, too.
 
-* `ecs/*.yml`: These are the files you should use, if you need to consume ECS
-  programmatically. This repo's artifact generators all operate based off of one
-  of these two representations (documentation, csv, Elasticsearch
-  template, etc).
+* [ecs/\*.yml](ecs/): These are the files to use when you need to **consume ECS
+  programmatically**. The code generating the other ECS artifacts all operate on one
+  of these two representations (documentation, csv, Elasticsearch template, etc).
   The two files are the fully fleshed out representation of ECS:
   default values are filled in, all fields being reused elsewhere are made explicit,
   additional attributes are computed.
 
-* `elasticsearch/{6,7}/template.json`: Sample Elasticsearch templates to get
-  started using ECS. Check out how to use them in
-  [generated/elasticsearch/README.md](elasticsearch).
+* [elasticsearch/](elasticsearch#readme): Reference Elasticsearch **component templates**
+  and a sample legacy all-in-one template to get started using ECS.
+  Check out how to use them in [elasticsearch/README.md](elasticsearch#readme).
+  Note that you can customize the content of these templates by following the
+  instructions in [USAGE.md](/USAGE.md)
 
 If you'd like to share your own generator with the ECS community, you're welcome
 to look at our [contribution guidelines](/CONTRIBUTING.md), and then at the
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json
index bf81034aec..fa8b315edc 100644
--- a/generated/elasticsearch/6/template.json
+++ b/generated/elasticsearch/6/template.json
@@ -1,12 +1,12 @@
 {
+  "_meta": {
+    "version": "1.8.0-dev"
+  },
   "index_patterns": [
     "try-ecs-*"
   ],
   "mappings": {
     "_doc": {
-      "_meta": {
-        "version": "1.8.0-dev"
-      },
       "date_detection": false,
       "dynamic_templates": [
         {
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json
index 4b94205762..2de32c5500 100644
--- a/generated/elasticsearch/7/template.json
+++ b/generated/elasticsearch/7/template.json
@@ -1,11 +1,11 @@
 {
+  "_meta": {
+    "version": "1.8.0-dev"
+  },
   "index_patterns": [
     "try-ecs-*"
   ],
   "mappings": {
-    "_meta": {
-      "version": "1.8.0-dev"
-    },
     "date_detection": false,
     "dynamic_templates": [
       {
diff --git a/generated/elasticsearch/README.md b/generated/elasticsearch/README.md
index 40579d141c..4ad26d45dd 100644
--- a/generated/elasticsearch/README.md
+++ b/generated/elasticsearch/README.md
@@ -6,9 +6,16 @@ point for experimentation.
 When you're ready to customize this template to the precise needs of your use case,
 please check out [USAGE.md](../../USAGE.md).
 
-## Notes on index naming
+The component index templates described below should be considered reference templates for ECS.
 
-This sample Elasticsearch template will apply to any index named `try-ecs-*`.
+The composable template that brings them together, and the legacy all-in-one index
+template should be considered sample templates. Both of them include all ECS fields,
+which is great for experimentation, but is not actually recommended. The best practice
+is to craft your index templates to contain only the field you needs.
+
+## Index naming
+
+These sample Elasticsearch templates will apply to any index named `try-ecs-*`.
 This is good for experimentation.
 
 Note that an index following ECS can be named however you need. There's no requirement
@@ -16,27 +23,155 @@ to have "ecs" in the index name.
 
 ## Instructions
 
+Elasticsearch 7.8 introduced
+[composable index templates](https://www.elastic.co/guide/en/elasticsearch/reference/current/index-templates.html)
+as the new default way to craft index templates.
+
+The following instructions let you use either approach.
+
+### Composable and component index templates
+
+**Warning**: The artifacts based on composable templates are newly introduced in the ECS repository.
+Please try them out and give us feedback if you encounter any issues.
+
+If you want to play with a specific version of ECS, check out the proper branch first.
+Note that the composable index templates are available in the ECS 1.7 branch or newer.
+
+```
+git checkout 1.7
+```
+
+First load all component templates in Elasticsearch. The following script creates
+one reusable component template per ECS field set (one for "event" fields, one for "base" fields, etc.)
+
+They will be named according to the following naming convention: `_component_template/ecs_{ecs version}_{field set name}`.
+
+Authenticate your API calls appropriately by adjusting the username:password in this variable.
+
+```bash
+auth="elastic:elastic"
+```
+
+```bash
+version="$(cat version)"
+for file in `ls generated/elasticsearch/component/*.json`
+do
+  fieldset=`echo $file | cut -d/ -f4 | cut -d. -f1`
+  component_name="ecs_${version}_${fieldset}"
+  api="_component_template/${component_name}"
+
+  # echo "$file => $api"
+  curl --user "$auth" -XPUT "localhost:9200/$api" --header "Content-Type: application/json" -d @"$file"
+done
+```
+
+A component template for each ECS field set is now loaded. You could stop here and
+craft a composable template with the settings you need, which loads only the ECS
+fields your index needs via `composed_of`. You can look at [template.json](template.json) for an example.
+
+If you'd like, you can load a sample composable template that contains all ECS fields,
+for experimentation:
+
+```bash
+api="_index_template/try-ecs"
+file="generated/elasticsearch/template.json"
+curl --user "$auth" -XPUT "localhost:9200/$api" --header "Content-Type: application/json" -d @"$file"
+```
+
+#### Play from Kibana Dev Tools
+
+```
+# Look at the ECS component templates 👀
+GET _component_template/ecs_*
+# And if you created the sample index template
+GET _index_template/try-ecs
+
+# index a document
+PUT try-ecs-test
+GET try-ecs-test
+POST try-ecs-test/_doc
+{ "@timestamp": "2020-10-26T22:38:39.000Z", "message": "Hello ECS World", "host": { "ip": "10.42.42.42"} }
+
+# enjoy
+GET try-ecs-test/_search
+{ "query": { "term": { "host.ip": "10.0.0.0/8" } } }
+```
+
+#### How to compose templates
+
+Most event sources should include the ECS basics:
+
+- base
+- ecs
+- event
+- log
+
+Most event sources should also include fields that capture "where it's happening",
+but depending on whether you use containers or the cloud, you may want to omit some in this list:
+
+- host (actually don't omit this one)
+- container
+- cloud
+
+Depending on whether the index contains events captured by an agent or an observer, include one or both of:
+
+- agent
+- observer
+
+Most of the other field sets will depend on which kind of documents will be in your index.
+
+If the documents refer to network-related events, you'll likely want to pick among:
+
+- client & server
+- source & destination
+- network
+- dns, http, tls
+
+If users are involved in the events:
+
+- user
+- group
+
+And so on.
+
+For a concrete example, an index containing your web server logs, should contain at least:
+
+- base, ecs, event, log
+- host, cloud and/or container as needed
+- agent
+- source, destination, client, server, network, http, tls
+- user
+- url, user\_agent
+
+### Legacy index templates
+
 If you want to play with a specific version of ECS, check out the proper branch first.
 
 ```
 git checkout 1.6
 ```
 
+Authenticate your API calls appropriately by adjusting the username:password in this variable.
+
+```bash
+auth="elastic:elastic"
+```
+
 Load the template in Elasticsearch from your shell.
 
 ```bash
 # Elasticsearch 7
-curl -XPOST 'localhost:9200/_template/try-ecs' \
+curl --user $"$auth" -XPOST 'localhost:9200/_template/try-ecs' \
   --header "Content-Type: application/json" \
   -d @'generated/elasticsearch/7/template.json'
 
 # or Elasticsearch 6
-curl -XPOST 'localhost:9200/_template/try-ecs' \
+curl --user $"$auth" -XPOST 'localhost:9200/_template/try-ecs' \
   --header "Content-Type: application/json" \
   -d @'generated/elasticsearch/6/template.json'
 ```
 
-Play from Kibana Dev Tools
+#### Play from Kibana Dev Tools
 
 ```
 # Look at the template you just uploaded 👀
diff --git a/generated/elasticsearch/component/agent.json b/generated/elasticsearch/component/agent.json
new file mode 100644
index 0000000000..c130016bbd
--- /dev/null
+++ b/generated/elasticsearch/component/agent.json
@@ -0,0 +1,44 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html",
+    "ecs_version": "1.8.0-dev"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "agent": {
+          "properties": {
+            "build": {
+              "properties": {
+                "original": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "ephemeral_id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/generated/elasticsearch/component/base.json b/generated/elasticsearch/component/base.json
new file mode 100644
index 0000000000..5f5c1db363
--- /dev/null
+++ b/generated/elasticsearch/component/base.json
@@ -0,0 +1,26 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+    "ecs_version": "1.8.0-dev"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "@timestamp": {
+          "type": "date"
+        },
+        "labels": {
+          "type": "object"
+        },
+        "message": {
+          "norms": false,
+          "type": "text"
+        },
+        "tags": {
+          "ignore_above": 1024,
+          "type": "keyword"
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/generated/elasticsearch/component/client.json b/generated/elasticsearch/component/client.json
new file mode 100644
index 0000000000..5dde7cdb39
--- /dev/null
+++ b/generated/elasticsearch/component/client.json
@@ -0,0 +1,178 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html",
+    "ecs_version": "1.8.0-dev"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "client": {
+          "properties": {
+            "address": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "as": {
+              "properties": {
+                "number": {
+                  "type": "long"
+                },
+                "organization": {
+                  "properties": {
+                    "name": {
+                      "fields": {
+                        "text": {
+                          "norms": false,
+                          "type": "text"
+                        }
+                      },
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                }
+              }
+            },
+            "bytes": {
+              "type": "long"
+            },
+            "domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "geo": {
+              "properties": {
+                "city_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "continent_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "location": {
+                  "type": "geo_point"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "ip": {
+              "type": "ip"
+            },
+            "mac": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "nat": {
+              "properties": {
+                "ip": {
+                  "type": "ip"
+                },
+                "port": {
+                  "type": "long"
+                }
+              }
+            },
+            "packets": {
+              "type": "long"
+            },
+            "port": {
+              "type": "long"
+            },
+            "registered_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "subdomain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "top_level_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "user": {
+              "properties": {
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "email": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full_name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "group": {
+                  "properties": {
+                    "domain": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "hash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "roles": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/generated/elasticsearch/component/cloud.json b/generated/elasticsearch/component/cloud.json
new file mode 100644
index 0000000000..4f232454c4
--- /dev/null
+++ b/generated/elasticsearch/component/cloud.json
@@ -0,0 +1,72 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html",
+    "ecs_version": "1.8.0-dev"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "cloud": {
+          "properties": {
+            "account": {
+              "properties": {
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "availability_zone": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "instance": {
+              "properties": {
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "machine": {
+              "properties": {
+                "type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "project": {
+              "properties": {
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "provider": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "region": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/generated/elasticsearch/component/container.json b/generated/elasticsearch/component/container.json
new file mode 100644
index 0000000000..38eca1d7f2
--- /dev/null
+++ b/generated/elasticsearch/component/container.json
@@ -0,0 +1,43 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-container.html",
+    "ecs_version": "1.8.0-dev"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "container": {
+          "properties": {
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "image": {
+              "properties": {
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "tag": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "labels": {
+              "type": "object"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "runtime": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/generated/elasticsearch/component/destination.json b/generated/elasticsearch/component/destination.json
new file mode 100644
index 0000000000..1a24a18e99
--- /dev/null
+++ b/generated/elasticsearch/component/destination.json
@@ -0,0 +1,178 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html",
+    "ecs_version": "1.8.0-dev"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "destination": {
+          "properties": {
+            "address": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "as": {
+              "properties": {
+                "number": {
+                  "type": "long"
+                },
+                "organization": {
+                  "properties": {
+                    "name": {
+                      "fields": {
+                        "text": {
+                          "norms": false,
+                          "type": "text"
+                        }
+                      },
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                }
+              }
+            },
+            "bytes": {
+              "type": "long"
+            },
+            "domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "geo": {
+              "properties": {
+                "city_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "continent_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "location": {
+                  "type": "geo_point"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "ip": {
+              "type": "ip"
+            },
+            "mac": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "nat": {
+              "properties": {
+                "ip": {
+                  "type": "ip"
+                },
+                "port": {
+                  "type": "long"
+                }
+              }
+            },
+            "packets": {
+              "type": "long"
+            },
+            "port": {
+              "type": "long"
+            },
+            "registered_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "subdomain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "top_level_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "user": {
+              "properties": {
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "email": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full_name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "group": {
+                  "properties": {
+                    "domain": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "hash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "roles": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/generated/elasticsearch/component/dll.json b/generated/elasticsearch/component/dll.json
new file mode 100644
index 0000000000..e630a76c71
--- /dev/null
+++ b/generated/elasticsearch/component/dll.json
@@ -0,0 +1,97 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dll.html",
+    "ecs_version": "1.8.0-dev"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "dll": {
+          "properties": {
+            "code_signature": {
+              "properties": {
+                "exists": {
+                  "type": "boolean"
+                },
+                "status": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "subject_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "trusted": {
+                  "type": "boolean"
+                },
+                "valid": {
+                  "type": "boolean"
+                }
+              }
+            },
+            "hash": {
+              "properties": {
+                "md5": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "sha1": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "sha256": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "sha512": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "path": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "pe": {
+              "properties": {
+                "architecture": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "company": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "description": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "file_version": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "imphash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "original_file_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "product": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/generated/elasticsearch/component/dns.json b/generated/elasticsearch/component/dns.json
new file mode 100644
index 0000000000..42d21fc551
--- /dev/null
+++ b/generated/elasticsearch/component/dns.json
@@ -0,0 +1,91 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html",
+    "ecs_version": "1.8.0-dev"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "dns": {
+          "properties": {
+            "answers": {
+              "properties": {
+                "class": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "data": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "ttl": {
+                  "type": "long"
+                },
+                "type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              },
+              "type": "object"
+            },
+            "header_flags": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "op_code": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "question": {
+              "properties": {
+                "class": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "registered_domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "subdomain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "top_level_domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "resolved_ip": {
+              "type": "ip"
+            },
+            "response_code": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/generated/elasticsearch/component/ecs.json b/generated/elasticsearch/component/ecs.json
new file mode 100644
index 0000000000..f0236e672f
--- /dev/null
+++ b/generated/elasticsearch/component/ecs.json
@@ -0,0 +1,20 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html",
+    "ecs_version": "1.8.0-dev"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "ecs": {
+          "properties": {
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/generated/elasticsearch/component/error.json b/generated/elasticsearch/component/error.json
new file mode 100644
index 0000000000..d22a07231f
--- /dev/null
+++ b/generated/elasticsearch/component/error.json
@@ -0,0 +1,44 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-error.html",
+    "ecs_version": "1.8.0-dev"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "error": {
+          "properties": {
+            "code": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "message": {
+              "norms": false,
+              "type": "text"
+            },
+            "stack_trace": {
+              "doc_values": false,
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "index": false,
+              "type": "keyword"
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/generated/elasticsearch/component/event.json b/generated/elasticsearch/component/event.json
new file mode 100644
index 0000000000..85c990900f
--- /dev/null
+++ b/generated/elasticsearch/component/event.json
@@ -0,0 +1,109 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html",
+    "ecs_version": "1.8.0-dev"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "event": {
+          "properties": {
+            "action": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "category": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "code": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "created": {
+              "type": "date"
+            },
+            "dataset": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "duration": {
+              "type": "long"
+            },
+            "end": {
+              "type": "date"
+            },
+            "hash": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "ingested": {
+              "type": "date"
+            },
+            "kind": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "module": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "original": {
+              "doc_values": false,
+              "ignore_above": 1024,
+              "index": false,
+              "type": "keyword"
+            },
+            "outcome": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "provider": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "reason": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "reference": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "risk_score": {
+              "type": "float"
+            },
+            "risk_score_norm": {
+              "type": "float"
+            },
+            "sequence": {
+              "type": "long"
+            },
+            "severity": {
+              "type": "long"
+            },
+            "start": {
+              "type": "date"
+            },
+            "timezone": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "url": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/generated/elasticsearch/component/file.json b/generated/elasticsearch/component/file.json
new file mode 100644
index 0000000000..cf1324a4f2
--- /dev/null
+++ b/generated/elasticsearch/component/file.json
@@ -0,0 +1,286 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html",
+    "ecs_version": "1.8.0-dev"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "file": {
+          "properties": {
+            "accessed": {
+              "type": "date"
+            },
+            "attributes": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "code_signature": {
+              "properties": {
+                "exists": {
+                  "type": "boolean"
+                },
+                "status": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "subject_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "trusted": {
+                  "type": "boolean"
+                },
+                "valid": {
+                  "type": "boolean"
+                }
+              }
+            },
+            "created": {
+              "type": "date"
+            },
+            "ctime": {
+              "type": "date"
+            },
+            "device": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "directory": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "drive_letter": {
+              "ignore_above": 1,
+              "type": "keyword"
+            },
+            "extension": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "gid": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "group": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "hash": {
+              "properties": {
+                "md5": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "sha1": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "sha256": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "sha512": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "inode": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "mime_type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "mode": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "mtime": {
+              "type": "date"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "owner": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "path": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "pe": {
+              "properties": {
+                "architecture": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "company": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "description": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "file_version": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "imphash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "original_file_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "product": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "size": {
+              "type": "long"
+            },
+            "target_path": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "uid": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "x509": {
+              "properties": {
+                "alternative_names": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "issuer": {
+                  "properties": {
+                    "common_name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "country": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "distinguished_name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "locality": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "organization": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "organizational_unit": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "state_or_province": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "not_after": {
+                  "type": "date"
+                },
+                "not_before": {
+                  "type": "date"
+                },
+                "public_key_algorithm": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "public_key_curve": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "public_key_exponent": {
+                  "doc_values": false,
+                  "index": false,
+                  "type": "long"
+                },
+                "public_key_size": {
+                  "type": "long"
+                },
+                "serial_number": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "signature_algorithm": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "subject": {
+                  "properties": {
+                    "common_name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "country": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "distinguished_name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "locality": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "organization": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "organizational_unit": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "state_or_province": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "version_number": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/generated/elasticsearch/component/group.json b/generated/elasticsearch/component/group.json
new file mode 100644
index 0000000000..381724c510
--- /dev/null
+++ b/generated/elasticsearch/component/group.json
@@ -0,0 +1,28 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-group.html",
+    "ecs_version": "1.8.0-dev"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "group": {
+          "properties": {
+            "domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/generated/elasticsearch/component/host.json b/generated/elasticsearch/component/host.json
new file mode 100644
index 0000000000..3dbbb8e51a
--- /dev/null
+++ b/generated/elasticsearch/component/host.json
@@ -0,0 +1,189 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html",
+    "ecs_version": "1.8.0-dev"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "host": {
+          "properties": {
+            "architecture": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "geo": {
+              "properties": {
+                "city_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "continent_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "location": {
+                  "type": "geo_point"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "hostname": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "ip": {
+              "type": "ip"
+            },
+            "mac": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "os": {
+              "properties": {
+                "family": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "kernel": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "platform": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "version": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "uptime": {
+              "type": "long"
+            },
+            "user": {
+              "properties": {
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "email": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full_name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "group": {
+                  "properties": {
+                    "domain": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "hash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "roles": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/generated/elasticsearch/component/http.json b/generated/elasticsearch/component/http.json
new file mode 100644
index 0000000000..26b934b372
--- /dev/null
+++ b/generated/elasticsearch/component/http.json
@@ -0,0 +1,87 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html",
+    "ecs_version": "1.8.0-dev"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "http": {
+          "properties": {
+            "request": {
+              "properties": {
+                "body": {
+                  "properties": {
+                    "bytes": {
+                      "type": "long"
+                    },
+                    "content": {
+                      "fields": {
+                        "text": {
+                          "norms": false,
+                          "type": "text"
+                        }
+                      },
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "bytes": {
+                  "type": "long"
+                },
+                "method": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "mime_type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "referrer": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "response": {
+              "properties": {
+                "body": {
+                  "properties": {
+                    "bytes": {
+                      "type": "long"
+                    },
+                    "content": {
+                      "fields": {
+                        "text": {
+                          "norms": false,
+                          "type": "text"
+                        }
+                      },
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "bytes": {
+                  "type": "long"
+                },
+                "mime_type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "status_code": {
+                  "type": "long"
+                }
+              }
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/generated/elasticsearch/component/log.json b/generated/elasticsearch/component/log.json
new file mode 100644
index 0000000000..b73467cc7b
--- /dev/null
+++ b/generated/elasticsearch/component/log.json
@@ -0,0 +1,87 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html",
+    "ecs_version": "1.8.0-dev"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "log": {
+          "properties": {
+            "file": {
+              "properties": {
+                "path": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "level": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "logger": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "origin": {
+              "properties": {
+                "file": {
+                  "properties": {
+                    "line": {
+                      "type": "integer"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "function": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "original": {
+              "doc_values": false,
+              "ignore_above": 1024,
+              "index": false,
+              "type": "keyword"
+            },
+            "syslog": {
+              "properties": {
+                "facility": {
+                  "properties": {
+                    "code": {
+                      "type": "long"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "priority": {
+                  "type": "long"
+                },
+                "severity": {
+                  "properties": {
+                    "code": {
+                      "type": "long"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                }
+              },
+              "type": "object"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/generated/elasticsearch/component/network.json b/generated/elasticsearch/component/network.json
new file mode 100644
index 0000000000..7310610229
--- /dev/null
+++ b/generated/elasticsearch/component/network.json
@@ -0,0 +1,86 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html",
+    "ecs_version": "1.8.0-dev"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "network": {
+          "properties": {
+            "application": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "bytes": {
+              "type": "long"
+            },
+            "community_id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "direction": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "forwarded_ip": {
+              "type": "ip"
+            },
+            "iana_number": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "inner": {
+              "properties": {
+                "vlan": {
+                  "properties": {
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                }
+              },
+              "type": "object"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "packets": {
+              "type": "long"
+            },
+            "protocol": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "transport": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "vlan": {
+              "properties": {
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/generated/elasticsearch/component/observer.json b/generated/elasticsearch/component/observer.json
new file mode 100644
index 0000000000..a4678c7862
--- /dev/null
+++ b/generated/elasticsearch/component/observer.json
@@ -0,0 +1,204 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html",
+    "ecs_version": "1.8.0-dev"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "observer": {
+          "properties": {
+            "egress": {
+              "properties": {
+                "interface": {
+                  "properties": {
+                    "alias": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "vlan": {
+                  "properties": {
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "zone": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              },
+              "type": "object"
+            },
+            "geo": {
+              "properties": {
+                "city_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "continent_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "location": {
+                  "type": "geo_point"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "hostname": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "ingress": {
+              "properties": {
+                "interface": {
+                  "properties": {
+                    "alias": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "vlan": {
+                  "properties": {
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "zone": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              },
+              "type": "object"
+            },
+            "ip": {
+              "type": "ip"
+            },
+            "mac": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "os": {
+              "properties": {
+                "family": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "kernel": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "platform": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "version": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "product": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "serial_number": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "vendor": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/generated/elasticsearch/component/organization.json b/generated/elasticsearch/component/organization.json
new file mode 100644
index 0000000000..8f912778be
--- /dev/null
+++ b/generated/elasticsearch/component/organization.json
@@ -0,0 +1,30 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-organization.html",
+    "ecs_version": "1.8.0-dev"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "organization": {
+          "properties": {
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/generated/elasticsearch/component/package.json b/generated/elasticsearch/component/package.json
new file mode 100644
index 0000000000..c15e8d6c91
--- /dev/null
+++ b/generated/elasticsearch/component/package.json
@@ -0,0 +1,66 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-package.html",
+    "ecs_version": "1.8.0-dev"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "package": {
+          "properties": {
+            "architecture": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "build_version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "checksum": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "description": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "install_scope": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "installed": {
+              "type": "date"
+            },
+            "license": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "path": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "reference": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "size": {
+              "type": "long"
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/generated/elasticsearch/component/process.json b/generated/elasticsearch/component/process.json
new file mode 100644
index 0000000000..51f03ac672
--- /dev/null
+++ b/generated/elasticsearch/component/process.json
@@ -0,0 +1,346 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html",
+    "ecs_version": "1.8.0-dev"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "process": {
+          "properties": {
+            "args": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "args_count": {
+              "type": "long"
+            },
+            "code_signature": {
+              "properties": {
+                "exists": {
+                  "type": "boolean"
+                },
+                "status": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "subject_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "trusted": {
+                  "type": "boolean"
+                },
+                "valid": {
+                  "type": "boolean"
+                }
+              }
+            },
+            "command_line": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "entity_id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "executable": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "exit_code": {
+              "type": "long"
+            },
+            "hash": {
+              "properties": {
+                "md5": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "sha1": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "sha256": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "sha512": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "name": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "parent": {
+              "properties": {
+                "args": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "args_count": {
+                  "type": "long"
+                },
+                "code_signature": {
+                  "properties": {
+                    "exists": {
+                      "type": "boolean"
+                    },
+                    "status": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "subject_name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "trusted": {
+                      "type": "boolean"
+                    },
+                    "valid": {
+                      "type": "boolean"
+                    }
+                  }
+                },
+                "command_line": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "entity_id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "executable": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "exit_code": {
+                  "type": "long"
+                },
+                "hash": {
+                  "properties": {
+                    "md5": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "sha1": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "sha256": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "sha512": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "pe": {
+                  "properties": {
+                    "architecture": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "company": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "description": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "file_version": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "imphash": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "original_file_name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "product": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "pgid": {
+                  "type": "long"
+                },
+                "pid": {
+                  "type": "long"
+                },
+                "ppid": {
+                  "type": "long"
+                },
+                "start": {
+                  "type": "date"
+                },
+                "thread": {
+                  "properties": {
+                    "id": {
+                      "type": "long"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "title": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "uptime": {
+                  "type": "long"
+                },
+                "working_directory": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "pe": {
+              "properties": {
+                "architecture": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "company": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "description": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "file_version": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "imphash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "original_file_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "product": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "pgid": {
+              "type": "long"
+            },
+            "pid": {
+              "type": "long"
+            },
+            "ppid": {
+              "type": "long"
+            },
+            "start": {
+              "type": "date"
+            },
+            "thread": {
+              "properties": {
+                "id": {
+                  "type": "long"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "title": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "uptime": {
+              "type": "long"
+            },
+            "working_directory": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/generated/elasticsearch/component/registry.json b/generated/elasticsearch/component/registry.json
new file mode 100644
index 0000000000..f6dea3211e
--- /dev/null
+++ b/generated/elasticsearch/component/registry.json
@@ -0,0 +1,48 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-registry.html",
+    "ecs_version": "1.8.0-dev"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "registry": {
+          "properties": {
+            "data": {
+              "properties": {
+                "bytes": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "strings": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "hive": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "key": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "path": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "value": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/generated/elasticsearch/component/related.json b/generated/elasticsearch/component/related.json
new file mode 100644
index 0000000000..39b205f4c2
--- /dev/null
+++ b/generated/elasticsearch/component/related.json
@@ -0,0 +1,31 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html",
+    "ecs_version": "1.8.0-dev"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "related": {
+          "properties": {
+            "hash": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "hosts": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "ip": {
+              "type": "ip"
+            },
+            "user": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/generated/elasticsearch/component/rule.json b/generated/elasticsearch/component/rule.json
new file mode 100644
index 0000000000..735200cd82
--- /dev/null
+++ b/generated/elasticsearch/component/rule.json
@@ -0,0 +1,56 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html",
+    "ecs_version": "1.8.0-dev"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "rule": {
+          "properties": {
+            "author": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "category": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "description": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "license": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "reference": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "ruleset": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "uuid": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/generated/elasticsearch/component/server.json b/generated/elasticsearch/component/server.json
new file mode 100644
index 0000000000..0d7e1a95ec
--- /dev/null
+++ b/generated/elasticsearch/component/server.json
@@ -0,0 +1,178 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html",
+    "ecs_version": "1.8.0-dev"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "server": {
+          "properties": {
+            "address": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "as": {
+              "properties": {
+                "number": {
+                  "type": "long"
+                },
+                "organization": {
+                  "properties": {
+                    "name": {
+                      "fields": {
+                        "text": {
+                          "norms": false,
+                          "type": "text"
+                        }
+                      },
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                }
+              }
+            },
+            "bytes": {
+              "type": "long"
+            },
+            "domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "geo": {
+              "properties": {
+                "city_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "continent_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "location": {
+                  "type": "geo_point"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "ip": {
+              "type": "ip"
+            },
+            "mac": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "nat": {
+              "properties": {
+                "ip": {
+                  "type": "ip"
+                },
+                "port": {
+                  "type": "long"
+                }
+              }
+            },
+            "packets": {
+              "type": "long"
+            },
+            "port": {
+              "type": "long"
+            },
+            "registered_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "subdomain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "top_level_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "user": {
+              "properties": {
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "email": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full_name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "group": {
+                  "properties": {
+                    "domain": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "hash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "roles": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/generated/elasticsearch/component/service.json b/generated/elasticsearch/component/service.json
new file mode 100644
index 0000000000..eb2e6517b3
--- /dev/null
+++ b/generated/elasticsearch/component/service.json
@@ -0,0 +1,48 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html",
+    "ecs_version": "1.8.0-dev"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "service": {
+          "properties": {
+            "ephemeral_id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "node": {
+              "properties": {
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "state": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/generated/elasticsearch/component/source.json b/generated/elasticsearch/component/source.json
new file mode 100644
index 0000000000..ae6db3d20f
--- /dev/null
+++ b/generated/elasticsearch/component/source.json
@@ -0,0 +1,178 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html",
+    "ecs_version": "1.8.0-dev"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "source": {
+          "properties": {
+            "address": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "as": {
+              "properties": {
+                "number": {
+                  "type": "long"
+                },
+                "organization": {
+                  "properties": {
+                    "name": {
+                      "fields": {
+                        "text": {
+                          "norms": false,
+                          "type": "text"
+                        }
+                      },
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                }
+              }
+            },
+            "bytes": {
+              "type": "long"
+            },
+            "domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "geo": {
+              "properties": {
+                "city_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "continent_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "location": {
+                  "type": "geo_point"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "ip": {
+              "type": "ip"
+            },
+            "mac": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "nat": {
+              "properties": {
+                "ip": {
+                  "type": "ip"
+                },
+                "port": {
+                  "type": "long"
+                }
+              }
+            },
+            "packets": {
+              "type": "long"
+            },
+            "port": {
+              "type": "long"
+            },
+            "registered_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "subdomain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "top_level_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "user": {
+              "properties": {
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "email": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full_name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "group": {
+                  "properties": {
+                    "domain": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "hash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "roles": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/generated/elasticsearch/component/threat.json b/generated/elasticsearch/component/threat.json
new file mode 100644
index 0000000000..bf0ecc3778
--- /dev/null
+++ b/generated/elasticsearch/component/threat.json
@@ -0,0 +1,80 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-threat.html",
+    "ecs_version": "1.8.0-dev"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "threat": {
+          "properties": {
+            "framework": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "tactic": {
+              "properties": {
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "reference": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "technique": {
+              "properties": {
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "reference": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "subtechnique": {
+                  "properties": {
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "fields": {
+                        "text": {
+                          "norms": false,
+                          "type": "text"
+                        }
+                      },
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "reference": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/generated/elasticsearch/component/tls.json b/generated/elasticsearch/component/tls.json
new file mode 100644
index 0000000000..8eec703977
--- /dev/null
+++ b/generated/elasticsearch/component/tls.json
@@ -0,0 +1,354 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tls.html",
+    "ecs_version": "1.8.0-dev"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "tls": {
+          "properties": {
+            "cipher": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "client": {
+              "properties": {
+                "certificate": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "certificate_chain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "hash": {
+                  "properties": {
+                    "md5": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "sha1": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "sha256": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "issuer": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "ja3": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "not_after": {
+                  "type": "date"
+                },
+                "not_before": {
+                  "type": "date"
+                },
+                "server_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "subject": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "supported_ciphers": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "x509": {
+                  "properties": {
+                    "alternative_names": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "issuer": {
+                      "properties": {
+                        "common_name": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "country": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "distinguished_name": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "locality": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "organization": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "organizational_unit": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "state_or_province": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        }
+                      }
+                    },
+                    "not_after": {
+                      "type": "date"
+                    },
+                    "not_before": {
+                      "type": "date"
+                    },
+                    "public_key_algorithm": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "public_key_curve": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "public_key_exponent": {
+                      "doc_values": false,
+                      "index": false,
+                      "type": "long"
+                    },
+                    "public_key_size": {
+                      "type": "long"
+                    },
+                    "serial_number": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "signature_algorithm": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "subject": {
+                      "properties": {
+                        "common_name": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "country": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "distinguished_name": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "locality": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "organization": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "organizational_unit": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "state_or_province": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        }
+                      }
+                    },
+                    "version_number": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                }
+              }
+            },
+            "curve": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "established": {
+              "type": "boolean"
+            },
+            "next_protocol": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "resumed": {
+              "type": "boolean"
+            },
+            "server": {
+              "properties": {
+                "certificate": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "certificate_chain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "hash": {
+                  "properties": {
+                    "md5": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "sha1": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "sha256": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "issuer": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "ja3s": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "not_after": {
+                  "type": "date"
+                },
+                "not_before": {
+                  "type": "date"
+                },
+                "subject": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "x509": {
+                  "properties": {
+                    "alternative_names": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "issuer": {
+                      "properties": {
+                        "common_name": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "country": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "distinguished_name": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "locality": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "organization": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "organizational_unit": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "state_or_province": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        }
+                      }
+                    },
+                    "not_after": {
+                      "type": "date"
+                    },
+                    "not_before": {
+                      "type": "date"
+                    },
+                    "public_key_algorithm": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "public_key_curve": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "public_key_exponent": {
+                      "doc_values": false,
+                      "index": false,
+                      "type": "long"
+                    },
+                    "public_key_size": {
+                      "type": "long"
+                    },
+                    "serial_number": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "signature_algorithm": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "subject": {
+                      "properties": {
+                        "common_name": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "country": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "distinguished_name": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "locality": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "organization": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "organizational_unit": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "state_or_province": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        }
+                      }
+                    },
+                    "version_number": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                }
+              }
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "version_protocol": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/generated/elasticsearch/component/tracing.json b/generated/elasticsearch/component/tracing.json
new file mode 100644
index 0000000000..bce8899078
--- /dev/null
+++ b/generated/elasticsearch/component/tracing.json
@@ -0,0 +1,36 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html",
+    "ecs_version": "1.8.0-dev"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "span": {
+          "properties": {
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "trace": {
+          "properties": {
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "transaction": {
+          "properties": {
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/generated/elasticsearch/component/url.json b/generated/elasticsearch/component/url.json
new file mode 100644
index 0000000000..89cd68c6bd
--- /dev/null
+++ b/generated/elasticsearch/component/url.json
@@ -0,0 +1,83 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html",
+    "ecs_version": "1.8.0-dev"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "url": {
+          "properties": {
+            "domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "extension": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "fragment": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "full": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "original": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "password": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "path": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "port": {
+              "type": "long"
+            },
+            "query": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "registered_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "scheme": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "subdomain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "top_level_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "username": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/generated/elasticsearch/component/user.json b/generated/elasticsearch/component/user.json
new file mode 100644
index 0000000000..b9c0ca72c3
--- /dev/null
+++ b/generated/elasticsearch/component/user.json
@@ -0,0 +1,252 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html",
+    "ecs_version": "1.8.0-dev"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "user": {
+          "properties": {
+            "changes": {
+              "properties": {
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "email": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full_name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "group": {
+                  "properties": {
+                    "domain": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "hash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "roles": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "effective": {
+              "properties": {
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "email": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full_name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "group": {
+                  "properties": {
+                    "domain": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "hash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "roles": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "email": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "full_name": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "group": {
+              "properties": {
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "hash": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "roles": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "target": {
+              "properties": {
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "email": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full_name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "group": {
+                  "properties": {
+                    "domain": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "hash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "roles": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/generated/elasticsearch/component/user_agent.json b/generated/elasticsearch/component/user_agent.json
new file mode 100644
index 0000000000..1dfe0dc08e
--- /dev/null
+++ b/generated/elasticsearch/component/user_agent.json
@@ -0,0 +1,86 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html",
+    "ecs_version": "1.8.0-dev"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "user_agent": {
+          "properties": {
+            "device": {
+              "properties": {
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "original": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "os": {
+              "properties": {
+                "family": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "kernel": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "platform": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "version": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/generated/elasticsearch/component/vulnerability.json b/generated/elasticsearch/component/vulnerability.json
new file mode 100644
index 0000000000..cd04fb1f4e
--- /dev/null
+++ b/generated/elasticsearch/component/vulnerability.json
@@ -0,0 +1,79 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html",
+    "ecs_version": "1.8.0-dev"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "vulnerability": {
+          "properties": {
+            "category": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "classification": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "description": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "enumeration": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "reference": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "report_id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "scanner": {
+              "properties": {
+                "vendor": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "score": {
+              "properties": {
+                "base": {
+                  "type": "float"
+                },
+                "environmental": {
+                  "type": "float"
+                },
+                "temporal": {
+                  "type": "float"
+                },
+                "version": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "severity": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/generated/elasticsearch/template.json b/generated/elasticsearch/template.json
new file mode 100644
index 0000000000..2405e0a28d
--- /dev/null
+++ b/generated/elasticsearch/template.json
@@ -0,0 +1,71 @@
+{
+  "_meta": {
+    "description": "Sample composable template that includes all ECS fields",
+    "ecs_version": "1.8.0-dev"
+  },
+  "composed_of": [
+    "ecs_1.8.0-dev_agent",
+    "ecs_1.8.0-dev_base",
+    "ecs_1.8.0-dev_client",
+    "ecs_1.8.0-dev_cloud",
+    "ecs_1.8.0-dev_container",
+    "ecs_1.8.0-dev_destination",
+    "ecs_1.8.0-dev_dll",
+    "ecs_1.8.0-dev_dns",
+    "ecs_1.8.0-dev_ecs",
+    "ecs_1.8.0-dev_error",
+    "ecs_1.8.0-dev_event",
+    "ecs_1.8.0-dev_file",
+    "ecs_1.8.0-dev_group",
+    "ecs_1.8.0-dev_host",
+    "ecs_1.8.0-dev_http",
+    "ecs_1.8.0-dev_log",
+    "ecs_1.8.0-dev_network",
+    "ecs_1.8.0-dev_observer",
+    "ecs_1.8.0-dev_organization",
+    "ecs_1.8.0-dev_package",
+    "ecs_1.8.0-dev_process",
+    "ecs_1.8.0-dev_registry",
+    "ecs_1.8.0-dev_related",
+    "ecs_1.8.0-dev_rule",
+    "ecs_1.8.0-dev_server",
+    "ecs_1.8.0-dev_service",
+    "ecs_1.8.0-dev_source",
+    "ecs_1.8.0-dev_threat",
+    "ecs_1.8.0-dev_tls",
+    "ecs_1.8.0-dev_tracing",
+    "ecs_1.8.0-dev_url",
+    "ecs_1.8.0-dev_user",
+    "ecs_1.8.0-dev_user_agent",
+    "ecs_1.8.0-dev_vulnerability"
+  ],
+  "index_patterns": [
+    "try-ecs-*"
+  ],
+  "priority": 1,
+  "template": {
+    "mappings": {
+      "date_detection": false,
+      "dynamic_templates": [
+        {
+          "strings_as_keyword": {
+            "mapping": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "match_mapping_type": "string"
+          }
+        }
+      ]
+    },
+    "settings": {
+      "index": {
+        "mapping": {
+          "total_fields": {
+            "limit": 2000
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/scripts/generator.py b/scripts/generator.py
index 40d63e94cb..5a1dc24724 100644
--- a/scripts/generator.py
+++ b/scripts/generator.py
@@ -42,7 +42,7 @@ def main():
     # ecs_helpers.yaml_dump('ecs.yml', fields)
 
     # Detect usage of experimental changes to tweak artifact version label
-    if loader.EXPERIMENTAL_SCHEMA_DIR in args.include:
+    if args.include and loader.EXPERIMENTAL_SCHEMA_DIR in args.include:
         ecs_version += "+exp"
 
     fields = loader.load_schemas(ref=args.ref, included_files=args.include)
@@ -57,7 +57,8 @@ def main():
         exit()
 
     csv_generator.generate(flat, ecs_version, out_dir)
-    es_template.generate(flat, ecs_version, out_dir, args.template_settings, args.mapping_settings)
+    es_template.generate(nested, ecs_version, out_dir, args.mapping_settings)
+    es_template.generate_legacy(flat, ecs_version, out_dir, args.template_settings, args.mapping_settings)
     beats.generate(nested, ecs_version, out_dir)
     if args.include or args.subset:
         exit()
diff --git a/scripts/generators/es_template.py b/scripts/generators/es_template.py
index 65dc871a2e..2b7f6e6f58 100644
--- a/scripts/generators/es_template.py
+++ b/scripts/generators/es_template.py
@@ -1,44 +1,136 @@
+import copy
 import json
 import sys
-import copy
 
 from os.path import join
+
 from generators import ecs_helpers
 from schema.cleaner import field_or_multi_field_datatype_defaults
 from schema.oss import TYPE_FALLBACKS
 
 
-def generate(ecs_flat, ecs_version, out_dir, template_settings_file, mapping_settings_file):
+# Composable Template
+
+def generate(ecs_nested, ecs_version, out_dir, mapping_settings_file):
+    """This generates all artifacts for the composable template approach"""
+    all_component_templates(ecs_nested, ecs_version, out_dir)
+    component_names = component_name_convention(ecs_version, ecs_nested)
+    save_composable_template(ecs_version, component_names, out_dir, mapping_settings_file)
+
+
+def save_composable_template(ecs_version, component_names, out_dir, mapping_settings_file):
+    """Generate the master sample composable template"""
+    template = {
+        "index_patterns": ["try-ecs-*"],
+        "composed_of": component_names,
+        "priority": 1,  # Very low, as this is a sample template
+        "_meta": {
+            "ecs_version": ecs_version,
+            "description": "Sample composable template that includes all ECS fields"
+        },
+        "template": {
+            "settings": {
+                "index": {
+                    "mapping": {
+                        "total_fields": {
+                            "limit": 2000
+                        }
+                    }
+                }
+            },
+            "mappings": mapping_settings(mapping_settings_file)
+        }
+    }
+    filename = join(out_dir, "elasticsearch/template.json")
+    save_json(filename, template)
+
+
+def all_component_templates(ecs_nested, ecs_version, out_dir):
+    """Generate one component template per field set"""
+    component_dir = join(out_dir, 'elasticsearch/component')
+    ecs_helpers.make_dirs(component_dir)
+
+    for (fieldset_name, fieldset) in candidate_components(ecs_nested).items():
+        field_mappings = {}
+        for (flat_name, field) in fieldset['fields'].items():
+            name_parts = flat_name.split('.')
+            dict_add_nested(field_mappings, name_parts, entry_for(field))
+
+        save_component_template(fieldset_name, ecs_version, component_dir, field_mappings)
+
+
+def save_component_template(template_name, ecs_version, out_dir, field_mappings):
+    filename = join(out_dir, template_name) + ".json"
+    reference_url = "https://www.elastic.co/guide/en/ecs/current/ecs-{}.html".format(template_name)
+
+    template = {
+        'template': {'mappings': {'properties': field_mappings}},
+        '_meta': {
+            'ecs_version': ecs_version,
+            'documentation': reference_url
+        }
+    }
+    save_json(filename, template)
+
+
+def component_name_convention(ecs_version, ecs_nested):
+    version = ecs_version.replace('+', '-')
+    names = []
+    for (fieldset_name, fieldset) in candidate_components(ecs_nested).items():
+        names.append("ecs_{}_{}".format(version, fieldset_name))
+    return names
+
+
+def candidate_components(ecs_nested):
+    """Returns same structure as ecs_nested, but skips all field sets with reusable.top_level: False"""
+    components = {}
+    for (fieldset_name, fieldset) in ecs_nested.items():
+        if fieldset.get('reusable', None):
+            if not fieldset['reusable']['top_level']:
+                continue
+        components[fieldset_name] = fieldset
+    return components
+
+
+# Legacy template
+
+
+def generate_legacy(ecs_flat, ecs_version, out_dir, template_settings_file, mapping_settings_file):
+    """Generate the legacy index template"""
     field_mappings = {}
     for flat_name in sorted(ecs_flat):
         field = ecs_flat[flat_name]
-        nestings = flat_name.split('.')
-        dict_add_nested(field_mappings, nestings, entry_for(field))
-
-    if mapping_settings_file:
-        with open(mapping_settings_file) as f:
-            mappings_section = json.load(f)
-    else:
-        mappings_section = default_mapping_settings(ecs_version)
+        name_parts = flat_name.split('.')
+        dict_add_nested(field_mappings, name_parts, entry_for(field))
 
+    mappings_section = mapping_settings(mapping_settings_file)
     mappings_section['properties'] = field_mappings
 
-    generate_template_version(6, mappings_section, out_dir, template_settings_file)
-    generate_template_version(7, mappings_section, out_dir, template_settings_file)
+    generate_legacy_template_version(6, ecs_version, mappings_section, out_dir, template_settings_file)
+    generate_legacy_template_version(7, ecs_version, mappings_section, out_dir, template_settings_file)
+
+
+def generate_legacy_template_version(es_version, ecs_version, mappings_section, out_dir, template_settings_file):
+    ecs_helpers.make_dirs(join(out_dir, 'elasticsearch', str(es_version)))
+    template = template_settings(es_version, ecs_version, mappings_section, template_settings_file)
 
-# Field mappings
+    filename = join(out_dir, "elasticsearch/{}/template.json".format(es_version))
+    save_json(filename, template)
+
+
+# Common helpers
 
 
-def dict_add_nested(dct, nestings, value):
-    current_nesting = nestings[0]
-    rest_nestings = nestings[1:]
-    if len(rest_nestings) > 0:
+def dict_add_nested(dct, name_parts, value):
+    current_nesting = name_parts[0]
+    rest_name_parts = name_parts[1:]
+    if len(rest_name_parts) > 0:
         dct.setdefault(current_nesting, {})
         dct[current_nesting].setdefault('properties', {})
 
         dict_add_nested(
             dct[current_nesting]['properties'],
-            rest_nestings,
+            rest_name_parts,
             value)
 
     else:
@@ -84,17 +176,23 @@ def entry_for(field):
         raise ex
     return field_entry
 
-# Generated files
+
+def mapping_settings(mapping_settings_file):
+    if mapping_settings_file:
+        with open(mapping_settings_file) as f:
+            mappings = json.load(f)
+    else:
+        mappings = default_mapping_settings()
+    return mappings
 
 
-def generate_template_version(elasticsearch_version, mappings_section, out_dir, template_settings_file):
-    ecs_helpers.make_dirs(join(out_dir, 'elasticsearch', str(elasticsearch_version)))
+def template_settings(es_version, ecs_version, mappings_section, template_settings_file):
     if template_settings_file:
         with open(template_settings_file) as f:
             template = json.load(f)
     else:
-        template = default_template_settings()
-    if elasticsearch_version == 6:
+        template = default_template_settings(ecs_version)
+    if es_version == 6:
         es6_mappings_section = copy.deepcopy(mappings_section)
         es6_type_fallback(es6_mappings_section['properties'])
 
@@ -107,9 +205,7 @@ def generate_template_version(elasticsearch_version, mappings_section, out_dir,
         template['mappings'] = {'_doc': es6_mappings_section}
     else:
         template['mappings'] = mappings_section
-
-    filename = join(out_dir, "elasticsearch/{}/template.json".format(elasticsearch_version))
-    save_json(filename, template)
+    return template
 
 
 def save_json(file, data):
@@ -120,9 +216,10 @@ def save_json(file, data):
         jsonfile.write(json.dumps(data, indent=2, sort_keys=True))
 
 
-def default_template_settings():
+def default_template_settings(ecs_version):
     return {
         "index_patterns": ["try-ecs-*"],
+        "_meta": {"version": ecs_version},
         "order": 1,
         "settings": {
             "index": {
@@ -133,14 +230,12 @@ def default_template_settings():
                 },
                 "refresh_interval": "5s"
             }
-        },
-        "mappings": {}
+        }
     }
 
 
-def default_mapping_settings(ecs_version):
+def default_mapping_settings():
     return {
-        "_meta": {"version": ecs_version},
         "date_detection": False,
         "dynamic_templates": [
             {
@@ -152,8 +247,7 @@ def default_mapping_settings(ecs_version):
                     "match_mapping_type": "string"
                 }
             }
-        ],
-        "properties": {}
+        ]
     }
 
 

From 5995da93c85da24061f8e9a04573922c1da68077 Mon Sep 17 00:00:00 2001
From: Mathieu Martin <mathieu.martin@elastic.co>
Date: Thu, 10 Dec 2020 16:31:18 -0500
Subject: [PATCH 57/90] [1.x] Move _meta section back inside mappings, in
 legacy templates. (#1186) (#1187)

Backports the following commits to 1.x:

* Move _meta section back inside mappings, in legacy templates. (#1186)

This fixes an issue introduced by #1156, discovered in #1180. Composable templates support `_meta` at the template's root, but legacy templates don't. So we're just putting it back inside the mappings for legacy templates.

This also fixes missing updates to the component template, after the introduction of wildcard in #1098.
---
 CHANGELOG.next.md                                   |  4 ++--
 .../generated/elasticsearch/7/template.json         |  6 +++---
 generated/elasticsearch/6/template.json             |  6 +++---
 generated/elasticsearch/7/template.json             |  6 +++---
 scripts/generators/es_template.py                   | 13 +++++++++----
 5 files changed, 20 insertions(+), 15 deletions(-)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index ce5be6eab8..8ca8f9e915 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -46,13 +46,13 @@ Thanks, you're awesome :-) -->
 * Added support in the generated Go source go for `wildcard`, `version`, and `constant_keyword` data types. #1050
 * Added support for marking fields, field sets, or field reuse as beta in the documentation. #1051
 * Added support for `constant_keyword`'s optional parameter `value`. #1112
-* Added component templates for ECS field sets. #1156
+* Added component templates for ECS field sets. #1156, #1186
 
 #### Improvements
 
 * Added a notice highlighting that the `tracing` fields are not nested under the
   namespace `tracing.` #1162
-* ES 6.x template data types will fallback to supported types. #1171, #1176
+* ES 6.x template data types will fallback to supported types. #1171, #1176, #1186
 
 #### Deprecated
 
diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json
index dfa18031da..1ae21ee498 100644
--- a/experimental/generated/elasticsearch/7/template.json
+++ b/experimental/generated/elasticsearch/7/template.json
@@ -1,11 +1,11 @@
 {
-  "_meta": {
-    "version": "1.8.0-dev+exp"
-  },
   "index_patterns": [
     "try-ecs-*"
   ],
   "mappings": {
+    "_meta": {
+      "version": "1.8.0-dev+exp"
+    },
     "date_detection": false,
     "dynamic_templates": [
       {
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json
index fa8b315edc..bf81034aec 100644
--- a/generated/elasticsearch/6/template.json
+++ b/generated/elasticsearch/6/template.json
@@ -1,12 +1,12 @@
 {
-  "_meta": {
-    "version": "1.8.0-dev"
-  },
   "index_patterns": [
     "try-ecs-*"
   ],
   "mappings": {
     "_doc": {
+      "_meta": {
+        "version": "1.8.0-dev"
+      },
       "date_detection": false,
       "dynamic_templates": [
         {
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json
index 2de32c5500..4b94205762 100644
--- a/generated/elasticsearch/7/template.json
+++ b/generated/elasticsearch/7/template.json
@@ -1,11 +1,11 @@
 {
-  "_meta": {
-    "version": "1.8.0-dev"
-  },
   "index_patterns": [
     "try-ecs-*"
   ],
   "mappings": {
+    "_meta": {
+      "version": "1.8.0-dev"
+    },
     "date_detection": false,
     "dynamic_templates": [
       {
diff --git a/scripts/generators/es_template.py b/scripts/generators/es_template.py
index 2b7f6e6f58..fb45800dce 100644
--- a/scripts/generators/es_template.py
+++ b/scripts/generators/es_template.py
@@ -192,19 +192,24 @@ def template_settings(es_version, ecs_version, mappings_section, template_settin
             template = json.load(f)
     else:
         template = default_template_settings(ecs_version)
+
     if es_version == 6:
-        es6_mappings_section = copy.deepcopy(mappings_section)
-        es6_type_fallback(es6_mappings_section['properties'])
+        mappings_section = copy.deepcopy(mappings_section)
+        es6_type_fallback(mappings_section['properties'])
 
         # error.stack_trace needs special handling to set
         # index: false and doc_values: false
-        error_stack_trace_mappings = es6_mappings_section['properties']['error']['properties']['stack_trace']
+        error_stack_trace_mappings = mappings_section['properties']['error']['properties']['stack_trace']
         error_stack_trace_mappings.setdefault('index', False)
         error_stack_trace_mappings.setdefault('doc_values', False)
 
-        template['mappings'] = {'_doc': es6_mappings_section}
+        template['mappings'] = {'_doc': mappings_section}
     else:
         template['mappings'] = mappings_section
+
+    # _meta can't be at template root in legacy templates, so moving back to mappings section
+    mappings_section['_meta'] = template.pop('_meta')
+
     return template
 
 

From e288c02d337db748b9d02db9154e6edad79856b8 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Thu, 10 Dec 2020 16:03:07 -0600
Subject: [PATCH 58/90] [1.x] Apply the RFC 0005 stage 2 (host metrics) changes
 in the experimental artifacts (#1159) (#1184)

Co-authored-by: Mathieu Martin <mathieu.martin@elastic.co>
---
 experimental/generated/beats/fields.ecs.yml   | 46 ++++++++++++
 experimental/generated/csv/fields.csv         |  7 ++
 experimental/generated/ecs/ecs_flat.yml       | 74 +++++++++++++++++++
 experimental/generated/ecs/ecs_nested.yml     | 74 +++++++++++++++++++
 .../generated/elasticsearch/7/template.json   | 50 +++++++++++++
 .../elasticsearch/component/host.json         | 50 +++++++++++++
 experimental/schemas/host.yml                 | 61 +++++++++++++++
 7 files changed, 362 insertions(+)

diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index 16c38aefca..6c7bab42a6 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -2047,6 +2047,28 @@
       ignore_above: 1024
       description: Operating system architecture.
       example: x86_64
+    - name: cpu.usage
+      level: extended
+      type: scaled_float
+      description: 'Percent CPU used which is normalized by the number of CPU cores
+        and it ranges from 0 to 1. Scaling factor: 1000.
+
+        For example: For a two core host, this value should be the average of the
+        two cores, between 0 and 1.'
+      scaling_factor: 1000
+      default_field: false
+    - name: disk.read.bytes
+      level: extended
+      type: long
+      description: The total number of bytes (gauge) read successfully (aggregated
+        from all disks) since the last metric collection.
+      default_field: false
+    - name: disk.write.bytes
+      level: extended
+      type: long
+      description: The total number of bytes (gauge) written successfully (aggregated
+        from all disks) since the last metric collection.
+      default_field: false
     - name: domain
       level: extended
       type: keyword
@@ -2143,6 +2165,30 @@
         It can contain what `hostname` returns on Unix systems, the fully qualified
         domain name, or a name specified by the user. The sender decides which value
         to use.'
+    - name: network.egress.bytes
+      level: extended
+      type: long
+      description: The number of bytes (gauge) sent out on all network interfaces
+        by the host since the last metric collection.
+      default_field: false
+    - name: network.egress.packets
+      level: extended
+      type: long
+      description: The number of packets (gauge) sent out on all network interfaces
+        by the host since the last metric collection.
+      default_field: false
+    - name: network.ingress.bytes
+      level: extended
+      type: long
+      description: The number of bytes received (gauge) on all network interfaces
+        by the host since the last metric collection.
+      default_field: false
+    - name: network.ingress.packets
+      level: extended
+      type: long
+      description: The number of packets (gauge) received on all network interfaces
+        by the host since the last metric collection.
+      default_field: false
     - name: os.family
       level: extended
       type: keyword
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
index 2c83d5823d..1912a88568 100644
--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -230,6 +230,9 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev+exp,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 1.8.0-dev+exp,true,group,group.name,keyword,extended,,,Name of the group.
 1.8.0-dev+exp,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture.
+1.8.0-dev+exp,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1."
+1.8.0-dev+exp,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks.
+1.8.0-dev+exp,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks.
 1.8.0-dev+exp,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of.
 1.8.0-dev+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name.
 1.8.0-dev+exp,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent.
@@ -244,6 +247,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev+exp,true,host,host.ip,ip,core,array,,Host ip addresses.
 1.8.0-dev+exp,true,host,host.mac,keyword,core,array,,Host mac addresses.
 1.8.0-dev+exp,true,host,host.name,keyword,core,,,Name of the host.
+1.8.0-dev+exp,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces.
+1.8.0-dev+exp,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces.
+1.8.0-dev+exp,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces.
+1.8.0-dev+exp,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces.
 1.8.0-dev+exp,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
 1.8.0-dev+exp,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
 1.8.0-dev+exp,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index 255173741f..9f8aa0a1b6 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -3182,6 +3182,40 @@ host.architecture:
   normalize: []
   short: Operating system architecture.
   type: keyword
+host.cpu.usage:
+  dashed_name: host-cpu-usage
+  description: 'Percent CPU used which is normalized by the number of CPU cores and
+    it ranges from 0 to 1. Scaling factor: 1000.
+
+    For example: For a two core host, this value should be the average of the two
+    cores, between 0 and 1.'
+  flat_name: host.cpu.usage
+  level: extended
+  name: cpu.usage
+  normalize: []
+  scaling_factor: 1000
+  short: Percent CPU used, between 0 and 1.
+  type: scaled_float
+host.disk.read.bytes:
+  dashed_name: host-disk-read-bytes
+  description: The total number of bytes (gauge) read successfully (aggregated from
+    all disks) since the last metric collection.
+  flat_name: host.disk.read.bytes
+  level: extended
+  name: disk.read.bytes
+  normalize: []
+  short: The number of bytes read by all disks.
+  type: long
+host.disk.write.bytes:
+  dashed_name: host-disk-write-bytes
+  description: The total number of bytes (gauge) written successfully (aggregated
+    from all disks) since the last metric collection.
+  flat_name: host.disk.write.bytes
+  level: extended
+  name: disk.write.bytes
+  normalize: []
+  short: The number of bytes written on all disks.
+  type: long
 host.domain:
   dashed_name: host-domain
   description: 'Name of the domain of which the host is a member.
@@ -3355,6 +3389,46 @@ host.name:
   normalize: []
   short: Name of the host.
   type: keyword
+host.network.egress.bytes:
+  dashed_name: host-network-egress-bytes
+  description: The number of bytes (gauge) sent out on all network interfaces by the
+    host since the last metric collection.
+  flat_name: host.network.egress.bytes
+  level: extended
+  name: network.egress.bytes
+  normalize: []
+  short: The number of bytes sent on all network interfaces.
+  type: long
+host.network.egress.packets:
+  dashed_name: host-network-egress-packets
+  description: The number of packets (gauge) sent out on all network interfaces by
+    the host since the last metric collection.
+  flat_name: host.network.egress.packets
+  level: extended
+  name: network.egress.packets
+  normalize: []
+  short: The number of packets sent on all network interfaces.
+  type: long
+host.network.ingress.bytes:
+  dashed_name: host-network-ingress-bytes
+  description: The number of bytes received (gauge) on all network interfaces by the
+    host since the last metric collection.
+  flat_name: host.network.ingress.bytes
+  level: extended
+  name: network.ingress.bytes
+  normalize: []
+  short: The number of bytes received on all network interfaces.
+  type: long
+host.network.ingress.packets:
+  dashed_name: host-network-ingress-packets
+  description: The number of packets (gauge) received on all network interfaces by
+    the host since the last metric collection.
+  flat_name: host.network.ingress.packets
+  level: extended
+  name: network.ingress.packets
+  normalize: []
+  short: The number of packets received on all network interfaces.
+  type: long
 host.os.family:
   dashed_name: host-os-family
   description: OS family (such as redhat, debian, freebsd, windows).
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index 5072c1b3de..f6c475532c 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -3843,6 +3843,40 @@ host:
       normalize: []
       short: Operating system architecture.
       type: keyword
+    host.cpu.usage:
+      dashed_name: host-cpu-usage
+      description: 'Percent CPU used which is normalized by the number of CPU cores
+        and it ranges from 0 to 1. Scaling factor: 1000.
+
+        For example: For a two core host, this value should be the average of the
+        two cores, between 0 and 1.'
+      flat_name: host.cpu.usage
+      level: extended
+      name: cpu.usage
+      normalize: []
+      scaling_factor: 1000
+      short: Percent CPU used, between 0 and 1.
+      type: scaled_float
+    host.disk.read.bytes:
+      dashed_name: host-disk-read-bytes
+      description: The total number of bytes (gauge) read successfully (aggregated
+        from all disks) since the last metric collection.
+      flat_name: host.disk.read.bytes
+      level: extended
+      name: disk.read.bytes
+      normalize: []
+      short: The number of bytes read by all disks.
+      type: long
+    host.disk.write.bytes:
+      dashed_name: host-disk-write-bytes
+      description: The total number of bytes (gauge) written successfully (aggregated
+        from all disks) since the last metric collection.
+      flat_name: host.disk.write.bytes
+      level: extended
+      name: disk.write.bytes
+      normalize: []
+      short: The number of bytes written on all disks.
+      type: long
     host.domain:
       dashed_name: host-domain
       description: 'Name of the domain of which the host is a member.
@@ -4018,6 +4052,46 @@ host:
       normalize: []
       short: Name of the host.
       type: keyword
+    host.network.egress.bytes:
+      dashed_name: host-network-egress-bytes
+      description: The number of bytes (gauge) sent out on all network interfaces
+        by the host since the last metric collection.
+      flat_name: host.network.egress.bytes
+      level: extended
+      name: network.egress.bytes
+      normalize: []
+      short: The number of bytes sent on all network interfaces.
+      type: long
+    host.network.egress.packets:
+      dashed_name: host-network-egress-packets
+      description: The number of packets (gauge) sent out on all network interfaces
+        by the host since the last metric collection.
+      flat_name: host.network.egress.packets
+      level: extended
+      name: network.egress.packets
+      normalize: []
+      short: The number of packets sent on all network interfaces.
+      type: long
+    host.network.ingress.bytes:
+      dashed_name: host-network-ingress-bytes
+      description: The number of bytes received (gauge) on all network interfaces
+        by the host since the last metric collection.
+      flat_name: host.network.ingress.bytes
+      level: extended
+      name: network.ingress.bytes
+      normalize: []
+      short: The number of bytes received on all network interfaces.
+      type: long
+    host.network.ingress.packets:
+      dashed_name: host-network-ingress-packets
+      description: The number of packets (gauge) received on all network interfaces
+        by the host since the last metric collection.
+      flat_name: host.network.ingress.packets
+      level: extended
+      name: network.ingress.packets
+      normalize: []
+      short: The number of packets received on all network interfaces.
+      type: long
     host.os.family:
       dashed_name: host-os-family
       description: OS family (such as redhat, debian, freebsd, windows).
diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json
index 1ae21ee498..0fe6ffed2b 100644
--- a/experimental/generated/elasticsearch/7/template.json
+++ b/experimental/generated/elasticsearch/7/template.json
@@ -1046,6 +1046,32 @@
             "ignore_above": 1024,
             "type": "keyword"
           },
+          "cpu": {
+            "properties": {
+              "usage": {
+                "scaling_factor": 1000,
+                "type": "scaled_float"
+              }
+            }
+          },
+          "disk": {
+            "properties": {
+              "read": {
+                "properties": {
+                  "bytes": {
+                    "type": "long"
+                  }
+                }
+              },
+              "write": {
+                "properties": {
+                  "bytes": {
+                    "type": "long"
+                  }
+                }
+              }
+            }
+          },
           "domain": {
             "ignore_above": 1024,
             "type": "keyword"
@@ -1102,6 +1128,30 @@
             "ignore_above": 1024,
             "type": "keyword"
           },
+          "network": {
+            "properties": {
+              "egress": {
+                "properties": {
+                  "bytes": {
+                    "type": "long"
+                  },
+                  "packets": {
+                    "type": "long"
+                  }
+                }
+              },
+              "ingress": {
+                "properties": {
+                  "bytes": {
+                    "type": "long"
+                  },
+                  "packets": {
+                    "type": "long"
+                  }
+                }
+              }
+            }
+          },
           "os": {
             "properties": {
               "family": {
diff --git a/experimental/generated/elasticsearch/component/host.json b/experimental/generated/elasticsearch/component/host.json
index 19c9898702..72a4bf410b 100644
--- a/experimental/generated/elasticsearch/component/host.json
+++ b/experimental/generated/elasticsearch/component/host.json
@@ -12,6 +12,32 @@
               "ignore_above": 1024,
               "type": "keyword"
             },
+            "cpu": {
+              "properties": {
+                "usage": {
+                  "scaling_factor": 1000,
+                  "type": "scaled_float"
+                }
+              }
+            },
+            "disk": {
+              "properties": {
+                "read": {
+                  "properties": {
+                    "bytes": {
+                      "type": "long"
+                    }
+                  }
+                },
+                "write": {
+                  "properties": {
+                    "bytes": {
+                      "type": "long"
+                    }
+                  }
+                }
+              }
+            },
             "domain": {
               "ignore_above": 1024,
               "type": "keyword"
@@ -68,6 +94,30 @@
               "ignore_above": 1024,
               "type": "keyword"
             },
+            "network": {
+              "properties": {
+                "egress": {
+                  "properties": {
+                    "bytes": {
+                      "type": "long"
+                    },
+                    "packets": {
+                      "type": "long"
+                    }
+                  }
+                },
+                "ingress": {
+                  "properties": {
+                    "bytes": {
+                      "type": "long"
+                    },
+                    "packets": {
+                      "type": "long"
+                    }
+                  }
+                }
+              }
+            },
             "os": {
               "properties": {
                 "family": {
diff --git a/experimental/schemas/host.yml b/experimental/schemas/host.yml
index 91f3d1bbc2..1185d03e0b 100644
--- a/experimental/schemas/host.yml
+++ b/experimental/schemas/host.yml
@@ -2,3 +2,64 @@
   fields:
     - name: hostname
       type: wildcard
+
+    # RFC 0005
+    - name: cpu.usage
+      type: scaled_float
+      scaling_factor: 1000
+      level: extended
+      short: Percent CPU used, between 0 and 1.
+      description: >
+        Percent CPU used which is normalized by the number of CPU cores and it
+        ranges from 0 to 1. Scaling factor: 1000.
+
+        For example: For a two core host, this value should be the average of the
+        two cores, between 0 and 1.
+
+    - name: network.ingress.bytes
+      type: long
+      level: extended
+      short: The number of bytes received on all network interfaces.
+      description: >
+        The number of bytes received (gauge) on all network interfaces by the
+        host since the last metric collection.
+
+    - name: network.ingress.packets
+      type: long
+      level: extended
+      short: The number of packets received on all network interfaces.
+      description: >
+        The number of packets (gauge) received on all network interfaces by the
+        host since the last metric collection.
+
+    - name: network.egress.bytes
+      type: long
+      level: extended
+      short: The number of bytes sent on all network interfaces.
+      description: >
+        The number of bytes (gauge) sent out on all network interfaces by the
+        host since the last metric collection.
+
+    - name: network.egress.packets
+      type: long
+      level: extended
+      short: The number of packets sent on all network interfaces.
+      description: >
+        The number of packets (gauge) sent out on all network interfaces by the
+        host since the last metric collection.
+
+    - name: disk.read.bytes
+      type: long
+      level: extended
+      short: The number of bytes read by all disks.
+      description: >
+        The total number of bytes (gauge) read successfully (aggregated from all
+        disks) since the last metric collection.
+
+    - name: disk.write.bytes
+      type: long
+      level: extended
+      short: The number of bytes written on all disks.
+      description: >
+        The total number of bytes (gauge) written successfully (aggregated from
+        all disks) since the last metric collection.

From 0e94d2df1bedb300d11c8c485c313eed23af1f95 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Thu, 10 Dec 2020 16:39:00 -0600
Subject: [PATCH 59/90] [1.x] Stage 3 changes for wildcard RFC 0001 (#1098)
 (#1183)

---
 code/go/ecs/event.go                          |   4 +-
 docs/field-details.asciidoc                   | 314 ++++++----
 experimental/generated/beats/fields.ecs.yml   |   3 +-
 experimental/generated/ecs/ecs_flat.yml       | 205 ++++++-
 experimental/generated/ecs/ecs_nested.yml     | 219 ++++++-
 experimental/schemas/agent.yml                |   5 -
 experimental/schemas/as.yml                   |   5 -
 experimental/schemas/client.yml               |   7 -
 experimental/schemas/destination.yml          |   7 -
 experimental/schemas/dns.yml                  |   9 -
 experimental/schemas/error.yml                |   9 -
 experimental/schemas/file.yml                 |   9 -
 experimental/schemas/geo.yml                  |   5 -
 experimental/schemas/host.yml                 |   3 -
 experimental/schemas/http.yml                 |   9 -
 experimental/schemas/log.yml                  |   7 -
 experimental/schemas/organization.yml         |   5 -
 experimental/schemas/os.yml                   |   7 -
 experimental/schemas/pe.yml                   |   5 -
 experimental/schemas/process.yml              |  15 -
 experimental/schemas/registry.yml             |   9 -
 experimental/schemas/server.yml               |   7 -
 experimental/schemas/source.yml               |   7 -
 experimental/schemas/tls.yml                  |  11 -
 experimental/schemas/url.yml                  |  13 -
 experimental/schemas/user.yml                 |   9 -
 experimental/schemas/user_agent.yml           |   5 -
 experimental/schemas/x509.yml                 |   7 -
 generated/beats/fields.ecs.yml                | 328 ++++-------
 generated/csv/fields.csv                      | 204 +++----
 generated/ecs/ecs_flat.yml                    | 510 +++++++++-------
 generated/ecs/ecs_nested.yml                  | 545 +++++++++++-------
 generated/elasticsearch/7/template.json       | 305 ++++------
 generated/elasticsearch/component/agent.json  |   3 +-
 generated/elasticsearch/component/client.json |  21 +-
 .../elasticsearch/component/destination.json  |  21 +-
 generated/elasticsearch/component/dll.json    |   3 +-
 generated/elasticsearch/component/dns.json    |   6 +-
 generated/elasticsearch/component/error.json  |   8 +-
 generated/elasticsearch/component/file.json   |  18 +-
 generated/elasticsearch/component/host.json   |  21 +-
 generated/elasticsearch/component/http.json   |   9 +-
 generated/elasticsearch/component/log.json    |   6 +-
 .../elasticsearch/component/observer.json     |   9 +-
 .../elasticsearch/component/organization.json |   3 +-
 .../elasticsearch/component/process.json      |  42 +-
 .../elasticsearch/component/registry.json     |   9 +-
 generated/elasticsearch/component/server.json |  21 +-
 generated/elasticsearch/component/source.json |  21 +-
 generated/elasticsearch/component/tls.json    |  24 +-
 generated/elasticsearch/component/url.json    |  15 +-
 generated/elasticsearch/component/user.json   |  36 +-
 .../elasticsearch/component/user_agent.json   |   9 +-
 schemas/agent.yml                             |   3 +-
 schemas/as.yml                                |   3 +-
 schemas/client.yml                            |   6 +-
 schemas/destination.yml                       |   6 +-
 schemas/dns.yml                               |   6 +-
 schemas/error.yml                             |   7 +-
 schemas/event.yml                             |   4 +-
 schemas/file.yml                              |   9 +-
 schemas/geo.yml                               |   3 +-
 schemas/host.yml                              |   3 +-
 schemas/http.yml                              |   9 +-
 schemas/log.yml                               |   6 +-
 schemas/organization.yml                      |   3 +-
 schemas/os.yml                                |   6 +-
 schemas/pe.yml                                |   3 +-
 schemas/process.yml                           |  18 +-
 schemas/registry.yml                          |   9 +-
 schemas/server.yml                            |   6 +-
 schemas/source.yml                            |   6 +-
 schemas/tls.yml                               |  12 +-
 schemas/url.yml                               |  15 +-
 schemas/user.yml                              |   9 +-
 schemas/user_agent.yml                        |   3 +-
 schemas/x509.yml                              |   6 +-
 use-cases/auditbeat.md                        |   4 +-
 use-cases/filebeat-apache-access.md           |   4 +-
 use-cases/kubernetes.md                       |   2 +-
 use-cases/metricbeat.md                       |   2 +-
 use-cases/web-logs.md                         |   6 +-
 82 files changed, 1797 insertions(+), 1499 deletions(-)
 delete mode 100644 experimental/schemas/agent.yml
 delete mode 100644 experimental/schemas/as.yml
 delete mode 100644 experimental/schemas/client.yml
 delete mode 100644 experimental/schemas/destination.yml
 delete mode 100644 experimental/schemas/dns.yml
 delete mode 100644 experimental/schemas/error.yml
 delete mode 100644 experimental/schemas/file.yml
 delete mode 100644 experimental/schemas/geo.yml
 delete mode 100644 experimental/schemas/http.yml
 delete mode 100644 experimental/schemas/log.yml
 delete mode 100644 experimental/schemas/organization.yml
 delete mode 100644 experimental/schemas/os.yml
 delete mode 100644 experimental/schemas/pe.yml
 delete mode 100644 experimental/schemas/process.yml
 delete mode 100644 experimental/schemas/registry.yml
 delete mode 100644 experimental/schemas/server.yml
 delete mode 100644 experimental/schemas/source.yml
 delete mode 100644 experimental/schemas/tls.yml
 delete mode 100644 experimental/schemas/url.yml
 delete mode 100644 experimental/schemas/user.yml
 delete mode 100644 experimental/schemas/user_agent.yml
 delete mode 100644 experimental/schemas/x509.yml

diff --git a/code/go/ecs/event.go b/code/go/ecs/event.go
index affd9c8250..1dfdf696c4 100644
--- a/code/go/ecs/event.go
+++ b/code/go/ecs/event.go
@@ -132,7 +132,9 @@ type Event struct {
 
 	// Raw text message of entire event. Used to demonstrate log integrity.
 	// This field is not indexed and doc_values are disabled. It cannot be
-	// searched, but it can be retrieved from `_source`.
+	// searched, but it can be retrieved from `_source`. If users wish to
+	// override this and index this field, consider using the wildcard data
+	// type.
 	Original string `ecs:"original"`
 
 	// Hash (perhaps logstash fingerprint) of raw field to be able to
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index 7bfc74e85a..90fec37b2b 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -115,11 +115,13 @@ Examples include Beats. Agents may also run on observers. ECS agent.* fields sha
 [[field-agent-build-original]]
 <<field-agent-build-original, agent.build.original>>
 
-| Extended build information for the agent.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Extended build information for the agent.
 
 This field is intended to contain any build information that a data source may provide, no specific formatting is required.
 
-type: keyword
+type: wildcard
 
 
 
@@ -255,9 +257,11 @@ example: `15169`
 [[field-as-organization-name]]
 <<field-as-organization-name, as.organization.name>>
 
-| Organization name.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
 
-type: keyword
+Organization name.
+
+type: wildcard
 
 Multi-fields:
 
@@ -341,9 +345,11 @@ example: `184`
 [[field-client-domain]]
 <<field-client-domain, client.domain>>
 
-| Client domain.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
 
-type: keyword
+Client domain.
+
+type: wildcard
 
 
 
@@ -457,13 +463,15 @@ type: long
 [[field-client-registered-domain]]
 <<field-client-registered-domain, client.registered_domain>>
 
-| The highest registered client domain, stripped of the subdomain.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+The highest registered client domain, stripped of the subdomain.
 
 For example, the registered domain for "foo.example.com" is "example.com".
 
 This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
 
-type: keyword
+type: wildcard
 
 
 
@@ -1015,9 +1023,11 @@ example: `184`
 [[field-destination-domain]]
 <<field-destination-domain, destination.domain>>
 
-| Destination domain.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
 
-type: keyword
+Destination domain.
+
+type: wildcard
 
 
 
@@ -1131,13 +1141,15 @@ type: long
 [[field-destination-registered-domain]]
 <<field-destination-registered-domain, destination.registered_domain>>
 
-| The highest registered destination domain, stripped of the subdomain.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+The highest registered destination domain, stripped of the subdomain.
 
 For example, the registered domain for "foo.example.com" is "example.com".
 
 This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
 
-type: keyword
+type: wildcard
 
 
 
@@ -1378,11 +1390,13 @@ example: `IN`
 [[field-dns-answers-data]]
 <<field-dns-answers-data, dns.answers.data>>
 
-| The data describing the resource.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+The data describing the resource.
 
 The meaning of this data depends on the type and class of the resource record.
 
-type: keyword
+type: wildcard
 
 
 
@@ -1515,11 +1529,13 @@ example: `IN`
 [[field-dns-question-name]]
 <<field-dns-question-name, dns.question.name>>
 
-| The name being queried.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+The name being queried.
 
 If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.
 
-type: keyword
+type: wildcard
 
 
 
@@ -1762,9 +1778,11 @@ type: text
 [[field-error-stack-trace]]
 <<field-error-stack-trace, error.stack_trace>>
 
-| The stack trace of this error in plain text.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
 
-type: keyword
+The stack trace of this error in plain text.
+
+type: wildcard
 
 Multi-fields:
 
@@ -1784,9 +1802,11 @@ Multi-fields:
 [[field-error-type]]
 <<field-error-type, error.type>>
 
-| The type of the error, for example the class name of the exception.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
 
-type: keyword
+The type of the error, for example the class name of the exception.
+
+type: wildcard
 
 
 
@@ -2059,7 +2079,7 @@ example: `apache`
 
 | Raw text message of entire event. Used to demonstrate log integrity.
 
-This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`.
+This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, consider using the wildcard data type.
 
 type: keyword
 
@@ -2423,9 +2443,11 @@ example: `sda`
 [[field-file-directory]]
 <<field-file-directory, file.directory>>
 
-| Directory where the file is located. It should include the drive letter, when appropriate.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
 
-type: keyword
+Directory where the file is located. It should include the drive letter, when appropriate.
+
+type: wildcard
 
 
 
@@ -2603,9 +2625,11 @@ example: `alice`
 [[field-file-path]]
 <<field-file-path, file.path>>
 
-| Full path to the file, including the file name. It should include the drive letter, when appropriate.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
 
-type: keyword
+Full path to the file, including the file name. It should include the drive letter, when appropriate.
+
+type: wildcard
 
 Multi-fields:
 
@@ -2643,9 +2667,11 @@ example: `16384`
 [[field-file-target-path]]
 <<field-file-target-path, file.target_path>>
 
-| Target path for symlinks.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
 
-type: keyword
+Target path for symlinks.
+
+type: wildcard
 
 Multi-fields:
 
@@ -2838,13 +2864,15 @@ example: `{ "lon": -73.614830, "lat": 45.505918 }`
 [[field-geo-name]]
 <<field-geo-name, geo.name>>
 
-| User-defined description of a location, at the level of granularity they care about.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+User-defined description of a location, at the level of granularity they care about.
 
 Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
 
 Not typically used in automated geolocation.
 
-type: keyword
+type: wildcard
 
 
 
@@ -3120,11 +3148,13 @@ example: `CONTOSO`
 [[field-host-hostname]]
 <<field-host-hostname, host.hostname>>
 
-| Hostname of the host.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Hostname of the host.
 
 It normally contains what the `hostname` command returns on the host machine.
 
-type: keyword
+type: wildcard
 
 
 
@@ -3317,9 +3347,11 @@ example: `887`
 [[field-http-request-body-content]]
 <<field-http-request-body-content, http.request.body.content>>
 
-| The full HTTP request body.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
 
-type: keyword
+The full HTTP request body.
+
+type: wildcard
 
 Multi-fields:
 
@@ -3395,9 +3427,11 @@ example: `image/gif`
 [[field-http-request-referrer]]
 <<field-http-request-referrer, http.request.referrer>>
 
-| Referrer for this HTTP request.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
 
-type: keyword
+Referrer for this HTTP request.
+
+type: wildcard
 
 
 
@@ -3427,9 +3461,11 @@ example: `887`
 [[field-http-response-body-content]]
 <<field-http-response-body-content, http.response.body.content>>
 
-| The full HTTP response body.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
 
-type: keyword
+The full HTTP response body.
+
+type: wildcard
 
 Multi-fields:
 
@@ -3609,11 +3645,13 @@ The details specific to your event source are typically not logged under `log.*`
 [[field-log-file-path]]
 <<field-log-file-path, log.file.path>>
 
-| Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
 
 If the event wasn't read from a log file, do not populate this field.
 
-type: keyword
+type: wildcard
 
 
 
@@ -3647,9 +3685,11 @@ example: `error`
 [[field-log-logger]]
 <<field-log-logger, log.logger>>
 
-| The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
 
-type: keyword
+The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
+
+type: wildcard
 
 
 
@@ -4443,9 +4483,11 @@ type: keyword
 [[field-organization-name]]
 <<field-organization-name, organization.name>>
 
-| Organization name.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
 
-type: keyword
+Organization name.
+
+type: wildcard
 
 Multi-fields:
 
@@ -4497,9 +4539,11 @@ example: `debian`
 [[field-os-full]]
 <<field-os-full, os.full>>
 
-| Operating system name, including the version or code name.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
 
-type: keyword
+Operating system name, including the version or code name.
+
+type: wildcard
 
 Multi-fields:
 
@@ -4535,9 +4579,11 @@ example: `4.4.0-112-generic`
 [[field-os-name]]
 <<field-os-name, os.name>>
 
-| Operating system name, without the version.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
 
-type: keyword
+Operating system name, without the version.
+
+type: wildcard
 
 Multi-fields:
 
@@ -4947,9 +4993,11 @@ example: `0c6803c4e922103c4dca5963aad36ddf`
 [[field-pe-original-file-name]]
 <<field-pe-original-file-name, pe.original_file_name>>
 
-| Internal name of the file, provided at compile-time.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
 
-type: keyword
+Internal name of the file, provided at compile-time.
+
+type: wildcard
 
 
 
@@ -5046,11 +5094,13 @@ example: `4`
 [[field-process-command-line]]
 <<field-process-command-line, process.command_line>>
 
-| Full command line that started the process, including the absolute path to the executable, and all arguments.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Full command line that started the process, including the absolute path to the executable, and all arguments.
 
 Some arguments may be filtered to protect sensitive information.
 
-type: keyword
+type: wildcard
 
 Multi-fields:
 
@@ -5090,9 +5140,11 @@ example: `c2c455d9f99375d`
 [[field-process-executable]]
 <<field-process-executable, process.executable>>
 
-| Absolute path to the process executable.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
 
-type: keyword
+Absolute path to the process executable.
+
+type: wildcard
 
 Multi-fields:
 
@@ -5130,11 +5182,13 @@ example: `137`
 [[field-process-name]]
 <<field-process-name, process.name>>
 
-| Process name.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Process name.
 
 Sometimes called program name or similar.
 
-type: keyword
+type: wildcard
 
 Multi-fields:
 
@@ -5234,9 +5288,11 @@ example: `4242`
 [[field-process-thread-name]]
 <<field-process-thread-name, process.thread.name>>
 
-| Thread name.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
 
-type: keyword
+Thread name.
+
+type: wildcard
 
 
 
@@ -5250,11 +5306,13 @@ example: `thread-0`
 [[field-process-title]]
 <<field-process-title, process.title>>
 
-| Process title.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Process title.
 
 The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
 
-type: keyword
+type: wildcard
 
 Multi-fields:
 
@@ -5290,9 +5348,11 @@ example: `1325`
 [[field-process-working-directory]]
 <<field-process-working-directory, process.working_directory>>
 
-| The working directory of the process.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
 
-type: keyword
+The working directory of the process.
+
+type: wildcard
 
 Multi-fields:
 
@@ -5393,11 +5453,13 @@ example: `ZQBuAC0AVQBTAAAAZQBuAAAAAAA=`
 [[field-registry-data-strings]]
 <<field-registry-data-strings, registry.data.strings>>
 
-| Content when writing string types.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Content when writing string types.
 
 Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
 
-type: keyword
+type: wildcard
 
 
 Note: this field should contain an array of values.
@@ -5446,9 +5508,11 @@ example: `HKLM`
 [[field-registry-key]]
 <<field-registry-key, registry.key>>
 
-| Hive-relative path of keys.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
 
-type: keyword
+Hive-relative path of keys.
+
+type: wildcard
 
 
 
@@ -5462,9 +5526,11 @@ example: `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
 [[field-registry-path]]
 <<field-registry-path, registry.path>>
 
-| Full path, including hive, key and value
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
 
-type: keyword
+Full path, including hive, key and value
+
+type: wildcard
 
 
 
@@ -5827,9 +5893,11 @@ example: `184`
 [[field-server-domain]]
 <<field-server-domain, server.domain>>
 
-| Server domain.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
 
-type: keyword
+Server domain.
+
+type: wildcard
 
 
 
@@ -5943,13 +6011,15 @@ type: long
 [[field-server-registered-domain]]
 <<field-server-registered-domain, server.registered_domain>>
 
-| The highest registered server domain, stripped of the subdomain.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+The highest registered server domain, stripped of the subdomain.
 
 For example, the registered domain for "foo.example.com" is "example.com".
 
 This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
 
-type: keyword
+type: wildcard
 
 
 
@@ -6238,9 +6308,11 @@ example: `184`
 [[field-source-domain]]
 <<field-source-domain, source.domain>>
 
-| Source domain.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
 
-type: keyword
+Source domain.
+
+type: wildcard
 
 
 
@@ -6354,13 +6426,15 @@ type: long
 [[field-source-registered-domain]]
 <<field-source-registered-domain, source.registered_domain>>
 
-| The highest registered source domain, stripped of the subdomain.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+The highest registered source domain, stripped of the subdomain.
 
 For example, the registered domain for "foo.example.com" is "example.com".
 
 This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
 
-type: keyword
+type: wildcard
 
 
 
@@ -6779,9 +6853,11 @@ example: `0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0`
 [[field-tls-client-issuer]]
 <<field-tls-client-issuer, tls.client.issuer>>
 
-| Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
 
-type: keyword
+Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
+
+type: wildcard
 
 
 
@@ -6859,9 +6935,11 @@ example: `www.elastic.co`
 [[field-tls-client-subject]]
 <<field-tls-client-subject, tls.client.subject>>
 
-| Distinguished name of subject of the x.509 certificate presented by the client.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
 
-type: keyword
+Distinguished name of subject of the x.509 certificate presented by the client.
+
+type: wildcard
 
 
 
@@ -7041,9 +7119,11 @@ example: `0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0`
 [[field-tls-server-issuer]]
 <<field-tls-server-issuer, tls.server.issuer>>
 
-| Subject of the issuer of the x.509 certificate presented by the server.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
 
-type: keyword
+Subject of the issuer of the x.509 certificate presented by the server.
+
+type: wildcard
 
 
 
@@ -7105,9 +7185,11 @@ example: `1970-01-01T00:00:00.000Z`
 [[field-tls-server-subject]]
 <<field-tls-server-subject, tls.server.subject>>
 
-| Subject of the x.509 certificate presented by the server.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
 
-type: keyword
+Subject of the x.509 certificate presented by the server.
+
+type: wildcard
 
 
 
@@ -7272,13 +7354,15 @@ URL fields provide support for complete or partial URLs, and supports the breaki
 [[field-url-domain]]
 <<field-url-domain, url.domain>>
 
-| Domain of the url, such as "www.elastic.co".
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Domain of the url, such as "www.elastic.co".
 
 In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
 
 If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
 
-type: keyword
+type: wildcard
 
 
 
@@ -7332,9 +7416,11 @@ type: keyword
 [[field-url-full]]
 <<field-url-full, url.full>>
 
-| If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
 
-type: keyword
+If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
+
+type: wildcard
 
 Multi-fields:
 
@@ -7354,13 +7440,15 @@ example: `https://www.elastic.co:443/search?q=elasticsearch#top`
 [[field-url-original]]
 <<field-url-original, url.original>>
 
-| Unmodified original url as seen in the event source.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Unmodified original url as seen in the event source.
 
 Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
 
 This field is meant to represent the URL as it was observed, complete or not.
 
-type: keyword
+type: wildcard
 
 Multi-fields:
 
@@ -7396,9 +7484,11 @@ type: keyword
 [[field-url-path]]
 <<field-url-path, url.path>>
 
-| Path of the request, such as "/search".
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
 
-type: keyword
+Path of the request, such as "/search".
+
+type: wildcard
 
 
 
@@ -7446,13 +7536,15 @@ type: keyword
 [[field-url-registered-domain]]
 <<field-url-registered-domain, url.registered_domain>>
 
-| The highest registered url domain, stripped of the subdomain.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+The highest registered url domain, stripped of the subdomain.
 
 For example, the registered domain for "foo.example.com" is "example.com".
 
 This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
 
-type: keyword
+type: wildcard
 
 
 
@@ -7576,9 +7668,11 @@ type: keyword
 [[field-user-email]]
 <<field-user-email, user.email>>
 
-| User email address.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
 
-type: keyword
+User email address.
+
+type: wildcard
 
 
 
@@ -7592,9 +7686,11 @@ type: keyword
 [[field-user-full-name]]
 <<field-user-full-name, user.full_name>>
 
-| User's full name, if available.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
 
-type: keyword
+User's full name, if available.
+
+type: wildcard
 
 Multi-fields:
 
@@ -7648,9 +7744,11 @@ type: keyword
 [[field-user-name]]
 <<field-user-name, user.name>>
 
-| Short name or login of the user.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
 
-type: keyword
+Short name or login of the user.
+
+type: wildcard
 
 Multi-fields:
 
@@ -7793,9 +7891,11 @@ example: `Safari`
 [[field-user-agent-original]]
 <<field-user-agent-original, user_agent.original>>
 
-| Unparsed user_agent string.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
 
-type: keyword
+Unparsed user_agent string.
+
+type: wildcard
 
 Multi-fields:
 
@@ -8240,9 +8340,11 @@ example: `US`
 [[field-x509-issuer-distinguished-name]]
 <<field-x509-issuer-distinguished-name, x509.issuer.distinguished_name>>
 
-| Distinguished name (DN) of issuing certificate authority.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
 
-type: keyword
+Distinguished name (DN) of issuing certificate authority.
+
+type: wildcard
 
 
 
@@ -8498,9 +8600,11 @@ example: `US`
 [[field-x509-subject-distinguished-name]]
 <<field-x509-subject-distinguished-name, x509.subject.distinguished_name>>
 
-| Distinguished name (DN) of the certificate subject entity.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
 
-type: keyword
+Distinguished name (DN) of the certificate subject entity.
+
+type: wildcard
 
 
 
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index 6c7bab42a6..9a58688014 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -1334,7 +1334,8 @@
       description: 'Raw text message of entire event. Used to demonstrate log integrity.
 
         This field is not indexed and doc_values are disabled. It cannot be searched,
-        but it can be retrieved from `_source`.'
+        but it can be retrieved from `_source`. If users wish to override this and
+        index this field, consider using the wildcard data type.'
       example: Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124;
         worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232
       index: false
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index 9f8aa0a1b6..8997fffccf 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -18,6 +18,8 @@
   short: Date/time when the event originated.
   type: date
 agent.build.original:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: agent-build-original
   description: 'Extended build information for the agent.
 
@@ -128,6 +130,8 @@ client.as.number:
   short: Unique number allocated to the autonomous system.
   type: long
 client.as.organization.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: client-as-organization-name
   description: Organization name.
   example: Google LLC
@@ -155,6 +159,8 @@ client.bytes:
   short: Bytes sent from the client to the server.
   type: long
 client.domain:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: client-domain
   description: Client domain.
   flat_name: client.domain
@@ -223,6 +229,8 @@ client.geo.location:
   short: Longitude and latitude.
   type: geo_point
 client.geo.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: client-geo-name
   description: 'User-defined description of a location, at the level of granularity
     they care about.
@@ -328,6 +336,8 @@ client.port:
   short: Port of the client.
   type: long
 client.registered_domain:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: client-registered-domain
   description: 'The highest registered client domain, stripped of the subdomain.
 
@@ -392,6 +402,8 @@ client.user.domain:
   short: Name of the directory the user is a member of.
   type: keyword
 client.user.email:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: client-user-email
   description: User email address.
   flat_name: client.user.email
@@ -402,6 +414,8 @@ client.user.email:
   short: User email address.
   type: wildcard
 client.user.full_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: client-user-full-name
   description: User's full name, if available.
   example: Albert Einstein
@@ -479,6 +493,8 @@ client.user.id:
   short: Unique identifier of the user.
   type: keyword
 client.user.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: client-user-name
   description: Short name or login of the user.
   example: albert
@@ -717,6 +733,8 @@ destination.as.number:
   short: Unique number allocated to the autonomous system.
   type: long
 destination.as.organization.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: destination-as-organization-name
   description: Organization name.
   example: Google LLC
@@ -744,6 +762,8 @@ destination.bytes:
   short: Bytes sent from the destination to the source.
   type: long
 destination.domain:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: destination-domain
   description: Destination domain.
   flat_name: destination.domain
@@ -812,6 +832,8 @@ destination.geo.location:
   short: Longitude and latitude.
   type: geo_point
 destination.geo.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: destination-geo-name
   description: 'User-defined description of a location, at the level of granularity
     they care about.
@@ -916,6 +938,8 @@ destination.port:
   short: Port of the destination.
   type: long
 destination.registered_domain:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: destination-registered-domain
   description: 'The highest registered destination domain, stripped of the subdomain.
 
@@ -980,6 +1004,8 @@ destination.user.domain:
   short: Name of the directory the user is a member of.
   type: keyword
 destination.user.email:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: destination-user-email
   description: User email address.
   flat_name: destination.user.email
@@ -990,6 +1016,8 @@ destination.user.email:
   short: User email address.
   type: wildcard
 destination.user.full_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: destination-user-full-name
   description: User's full name, if available.
   example: Albert Einstein
@@ -1067,6 +1095,8 @@ destination.user.id:
   short: Unique identifier of the user.
   type: keyword
 destination.user.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: destination-user-name
   description: Short name or login of the user.
   example: albert
@@ -1296,6 +1326,8 @@ dll.pe.imphash:
   short: A hash of the imports in a PE file.
   type: keyword
 dll.pe.original_file_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: dll-pe-original-file-name
   description: Internal name of the file, provided at compile-time.
   example: MSPAINT.EXE
@@ -1349,6 +1381,8 @@ dns.answers.class:
   short: The class of DNS data contained in this resource record.
   type: keyword
 dns.answers.data:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: dns-answers-data
   description: 'The data describing the resource.
 
@@ -1449,6 +1483,8 @@ dns.question.class:
   short: The class of records being queried.
   type: keyword
 dns.question.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: dns-question-name
   description: 'The name being queried.
 
@@ -1615,6 +1651,8 @@ error.message:
   short: Error message.
   type: text
 error.stack_trace:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: error-stack-trace
   description: The stack trace of this error in plain text.
   flat_name: error.stack_trace
@@ -1629,6 +1667,8 @@ error.stack_trace:
   short: The stack trace of this error in plain text.
   type: wildcard
 error.type:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: error-type
   description: The type of the error, for example the class name of the exception.
   example: java.lang.NullPointerException
@@ -2051,7 +2091,8 @@ event.original:
   description: 'Raw text message of entire event. Used to demonstrate log integrity.
 
     This field is not indexed and doc_values are disabled. It cannot be searched,
-    but it can be retrieved from `_source`.'
+    but it can be retrieved from `_source`. If users wish to override this and index
+    this field, consider using the wildcard data type.'
   doc_values: false
   example: Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124;
     worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232
@@ -2514,6 +2555,8 @@ file.device:
   short: Device that is the source of the file.
   type: keyword
 file.directory:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: file-directory
   description: Directory where the file is located. It should include the drive letter,
     when appropriate.
@@ -2685,6 +2728,8 @@ file.owner:
   short: File owner's username.
   type: keyword
 file.path:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: file-path
   description: Full path to the file, including the file name. It should include the
     drive letter, when appropriate.
@@ -2765,6 +2810,8 @@ file.pe.imphash:
   short: A hash of the imports in a PE file.
   type: keyword
 file.pe.original_file_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: file-pe-original-file-name
   description: Internal name of the file, provided at compile-time.
   example: MSPAINT.EXE
@@ -2800,6 +2847,8 @@ file.size:
   short: File size in bytes.
   type: long
 file.target_path:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: file-target-path
   description: Target path for symlinks.
   flat_name: file.target_path
@@ -2877,6 +2926,8 @@ file.x509.issuer.country:
   short: List of country (C) codes
   type: keyword
 file.x509.issuer.distinguished_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: file-x509-issuer-distinguished-name
   description: Distinguished name (DN) of issuing certificate authority.
   example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
@@ -3066,6 +3117,8 @@ file.x509.subject.country:
   short: List of country (C) code
   type: keyword
 file.x509.subject.distinguished_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: file-x509-subject-distinguished-name
   description: Distinguished name (DN) of the certificate subject entity.
   example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
@@ -3290,6 +3343,8 @@ host.geo.location:
   short: Longitude and latitude.
   type: geo_point
 host.geo.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: host-geo-name
   description: 'User-defined description of a location, at the level of granularity
     they care about.
@@ -3331,6 +3386,8 @@ host.geo.region_name:
   short: Region name.
   type: keyword
 host.hostname:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: host-hostname
   description: 'Hostname of the host.
 
@@ -3442,6 +3499,8 @@ host.os.family:
   short: OS family (such as redhat, debian, freebsd, windows).
   type: keyword
 host.os.full:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: host-os-full
   description: Operating system name, including the version or code name.
   example: Mac OS Mojave
@@ -3470,6 +3529,8 @@ host.os.kernel:
   short: Operating system kernel version as a raw string.
   type: keyword
 host.os.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: host-os-name
   description: Operating system name, without the version.
   example: Mac OS X
@@ -3565,6 +3626,8 @@ host.user.domain:
   short: Name of the directory the user is a member of.
   type: keyword
 host.user.email:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: host-user-email
   description: User email address.
   flat_name: host.user.email
@@ -3575,6 +3638,8 @@ host.user.email:
   short: User email address.
   type: wildcard
 host.user.full_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: host-user-full-name
   description: User's full name, if available.
   example: Albert Einstein
@@ -3652,6 +3717,8 @@ host.user.id:
   short: Unique identifier of the user.
   type: keyword
 host.user.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: host-user-name
   description: Short name or login of the user.
   example: albert
@@ -3692,6 +3759,8 @@ http.request.body.bytes:
   short: Size in bytes of the request body.
   type: long
 http.request.body.content:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: http-request-body-content
   description: The full HTTP request body.
   example: Hello world
@@ -3751,6 +3820,8 @@ http.request.mime_type:
   short: Mime type of the body of the request.
   type: keyword
 http.request.referrer:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: http-request-referrer
   description: Referrer for this HTTP request.
   example: https://blog.example.com/
@@ -3772,6 +3843,8 @@ http.response.body.bytes:
   short: Size in bytes of the response body.
   type: long
 http.response.body.content:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: http-response-body-content
   description: The full HTTP response body.
   example: Hello world
@@ -3851,6 +3924,8 @@ labels:
   short: Custom key/value pairs.
   type: object
 log.file.path:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: log-file-path
   description: 'Full path to the log file this event came from, including the file
     name. It should include the drive letter, when appropriate.
@@ -3881,6 +3956,8 @@ log.level:
   short: Log level of the log event.
   type: keyword
 log.logger:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: log-logger
   description: The name of the logger inside an application. This is usually the name
     of the class which initialized the logger, or can be a custom name.
@@ -4411,6 +4488,8 @@ observer.geo.location:
   short: Longitude and latitude.
   type: geo_point
 observer.geo.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: observer-geo-name
   description: 'User-defined description of a location, at the level of granularity
     they care about.
@@ -4597,6 +4676,8 @@ observer.os.family:
   short: OS family (such as redhat, debian, freebsd, windows).
   type: keyword
 observer.os.full:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: observer-os-full
   description: Operating system name, including the version or code name.
   example: Mac OS Mojave
@@ -4625,6 +4706,8 @@ observer.os.kernel:
   short: Operating system kernel version as a raw string.
   type: keyword
 observer.os.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: observer-os-name
   description: Operating system name, without the version.
   example: Mac OS X
@@ -4750,6 +4833,8 @@ organization.id:
   short: Unique identifier for the organization.
   type: keyword
 organization.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: organization-name
   description: Organization name.
   flat_name: organization.name
@@ -5010,6 +5095,8 @@ process.code_signature.valid:
     content.
   type: boolean
 process.command_line:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: process-command-line
   description: 'Full command line that started the process, including the absolute
     path to the executable, and all arguments.
@@ -5047,6 +5134,8 @@ process.entity_id:
   short: Unique identifier for the process.
   type: keyword
 process.executable:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: process-executable
   description: Absolute path to the process executable.
   example: /usr/bin/ssh
@@ -5119,6 +5208,8 @@ process.hash.sha512:
   short: SHA512 hash.
   type: keyword
 process.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: process-name
   description: 'Process name.
 
@@ -5235,6 +5326,8 @@ process.parent.code_signature.valid:
     content.
   type: boolean
 process.parent.command_line:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: process-parent-command-line
   description: 'Full command line that started the process, including the absolute
     path to the executable, and all arguments.
@@ -5274,6 +5367,8 @@ process.parent.entity_id:
   short: Unique identifier for the process.
   type: keyword
 process.parent.executable:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: process-parent-executable
   description: Absolute path to the process executable.
   example: /usr/bin/ssh
@@ -5348,6 +5443,8 @@ process.parent.hash.sha512:
   short: SHA512 hash.
   type: keyword
 process.parent.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: process-parent-name
   description: 'Process name.
 
@@ -5430,6 +5527,8 @@ process.parent.pe.imphash:
   short: A hash of the imports in a PE file.
   type: keyword
 process.parent.pe.original_file_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: process-parent-pe-original-file-name
   description: Internal name of the file, provided at compile-time.
   example: MSPAINT.EXE
@@ -5511,6 +5610,8 @@ process.parent.thread.id:
   short: Thread ID.
   type: long
 process.parent.thread.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: process-parent-thread-name
   description: Thread name.
   example: thread-0
@@ -5522,6 +5623,8 @@ process.parent.thread.name:
   short: Thread name.
   type: wildcard
 process.parent.title:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: process-parent-title
   description: 'Process title.
 
@@ -5551,6 +5654,8 @@ process.parent.uptime:
   short: Seconds the process has been up.
   type: long
 process.parent.working_directory:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: process-parent-working-directory
   description: The working directory of the process.
   example: /home/alice
@@ -5631,6 +5736,8 @@ process.pe.imphash:
   short: A hash of the imports in a PE file.
   type: keyword
 process.pe.original_file_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: process-pe-original-file-name
   description: Internal name of the file, provided at compile-time.
   example: MSPAINT.EXE
@@ -5707,6 +5814,8 @@ process.thread.id:
   short: Thread ID.
   type: long
 process.thread.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: process-thread-name
   description: Thread name.
   example: thread-0
@@ -5717,6 +5826,8 @@ process.thread.name:
   short: Thread name.
   type: wildcard
 process.title:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: process-title
   description: 'Process title.
 
@@ -5744,6 +5855,8 @@ process.uptime:
   short: Seconds the process has been up.
   type: long
 process.working_directory:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: process-working-directory
   description: The working directory of the process.
   example: /home/alice
@@ -5774,6 +5887,8 @@ registry.data.bytes:
   short: Original bytes written with base64 encoding.
   type: keyword
 registry.data.strings:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: registry-data-strings
   description: 'Content when writing string types.
 
@@ -5813,6 +5928,8 @@ registry.hive:
   short: Abbreviated name for the hive.
   type: keyword
 registry.key:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: registry-key
   description: Hive-relative path of keys.
   example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
@@ -5823,6 +5940,8 @@ registry.key:
   short: Hive-relative path of keys.
   type: wildcard
 registry.path:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: registry-path
   description: Full path, including hive, key and value
   example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
@@ -6040,6 +6159,8 @@ server.as.number:
   short: Unique number allocated to the autonomous system.
   type: long
 server.as.organization.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: server-as-organization-name
   description: Organization name.
   example: Google LLC
@@ -6067,6 +6188,8 @@ server.bytes:
   short: Bytes sent from the server to the client.
   type: long
 server.domain:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: server-domain
   description: Server domain.
   flat_name: server.domain
@@ -6135,6 +6258,8 @@ server.geo.location:
   short: Longitude and latitude.
   type: geo_point
 server.geo.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: server-geo-name
   description: 'User-defined description of a location, at the level of granularity
     they care about.
@@ -6240,6 +6365,8 @@ server.port:
   short: Port of the server.
   type: long
 server.registered_domain:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: server-registered-domain
   description: 'The highest registered server domain, stripped of the subdomain.
 
@@ -6304,6 +6431,8 @@ server.user.domain:
   short: Name of the directory the user is a member of.
   type: keyword
 server.user.email:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: server-user-email
   description: User email address.
   flat_name: server.user.email
@@ -6314,6 +6443,8 @@ server.user.email:
   short: User email address.
   type: wildcard
 server.user.full_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: server-user-full-name
   description: User's full name, if available.
   example: Albert Einstein
@@ -6391,6 +6522,8 @@ server.user.id:
   short: Unique identifier of the user.
   type: keyword
 server.user.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: server-user-name
   description: Short name or login of the user.
   example: albert
@@ -6559,6 +6692,8 @@ source.as.number:
   short: Unique number allocated to the autonomous system.
   type: long
 source.as.organization.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: source-as-organization-name
   description: Organization name.
   example: Google LLC
@@ -6586,6 +6721,8 @@ source.bytes:
   short: Bytes sent from the source to the destination.
   type: long
 source.domain:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: source-domain
   description: Source domain.
   flat_name: source.domain
@@ -6654,6 +6791,8 @@ source.geo.location:
   short: Longitude and latitude.
   type: geo_point
 source.geo.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: source-geo-name
   description: 'User-defined description of a location, at the level of granularity
     they care about.
@@ -6759,6 +6898,8 @@ source.port:
   short: Port of the source.
   type: long
 source.registered_domain:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: source-registered-domain
   description: 'The highest registered source domain, stripped of the subdomain.
 
@@ -6823,6 +6964,8 @@ source.user.domain:
   short: Name of the directory the user is a member of.
   type: keyword
 source.user.email:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: source-user-email
   description: User email address.
   flat_name: source.user.email
@@ -6833,6 +6976,8 @@ source.user.email:
   short: User email address.
   type: wildcard
 source.user.full_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: source-user-full-name
   description: User's full name, if available.
   example: Albert Einstein
@@ -6910,6 +7055,8 @@ source.user.id:
   short: Unique identifier of the user.
   type: keyword
 source.user.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: source-user-name
   description: Short name or login of the user.
   example: albert
@@ -7188,6 +7335,8 @@ tls.client.hash.sha256:
     certificate offered by the client.
   type: keyword
 tls.client.issuer:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: tls-client-issuer
   description: Distinguished name of subject of the issuer of the x.509 certificate
     presented by the client.
@@ -7246,6 +7395,8 @@ tls.client.server_name:
   short: Hostname the client is trying to connect to. Also called the SNI.
   type: keyword
 tls.client.subject:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: tls-client-subject
   description: Distinguished name of subject of the x.509 certificate presented by
     the client.
@@ -7311,6 +7462,8 @@ tls.client.x509.issuer.country:
   short: List of country (C) codes
   type: keyword
 tls.client.x509.issuer.distinguished_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: tls-client-x509-issuer-distinguished-name
   description: Distinguished name (DN) of issuing certificate authority.
   example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
@@ -7500,6 +7653,8 @@ tls.client.x509.subject.country:
   short: List of country (C) code
   type: keyword
 tls.client.x509.subject.distinguished_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: tls-client-x509-subject-distinguished-name
   description: Distinguished name (DN) of the certificate subject entity.
   example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
@@ -7690,6 +7845,8 @@ tls.server.hash.sha256:
     certificate offered by the server.
   type: keyword
 tls.server.issuer:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: tls-server-issuer
   description: Subject of the issuer of the x.509 certificate presented by the server.
   example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
@@ -7733,6 +7890,8 @@ tls.server.not_before:
   short: Timestamp indicating when server certificate is first considered valid.
   type: date
 tls.server.subject:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: tls-server-subject
   description: Subject of the x.509 certificate presented by the server.
   example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com
@@ -7784,6 +7943,8 @@ tls.server.x509.issuer.country:
   short: List of country (C) codes
   type: keyword
 tls.server.x509.issuer.distinguished_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: tls-server-x509-issuer-distinguished-name
   description: Distinguished name (DN) of issuing certificate authority.
   example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
@@ -7973,6 +8134,8 @@ tls.server.x509.subject.country:
   short: List of country (C) code
   type: keyword
 tls.server.x509.subject.distinguished_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: tls-server-x509-subject-distinguished-name
   description: Distinguished name (DN) of the certificate subject entity.
   example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
@@ -8097,6 +8260,8 @@ transaction.id:
   short: Unique identifier of the transaction within the scope of its trace.
   type: keyword
 url.domain:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: url-domain
   description: 'Domain of the url, such as "www.elastic.co".
 
@@ -8145,6 +8310,8 @@ url.fragment:
   short: Portion of the url after the `#`.
   type: keyword
 url.full:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: url-full
   description: If full URLs are important to your use case, they should be stored
     in `url.full`, whether this field is reconstructed or present in the event source.
@@ -8161,6 +8328,8 @@ url.full:
   short: Full unparsed URL.
   type: wildcard
 url.original:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: url-original
   description: 'Unmodified original url as seen in the event source.
 
@@ -8191,6 +8360,8 @@ url.password:
   short: Password of the request.
   type: keyword
 url.path:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: url-path
   description: Path of the request, such as "/search".
   flat_name: url.path
@@ -8227,6 +8398,8 @@ url.query:
   short: Query string of the request.
   type: keyword
 url.registered_domain:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: url-registered-domain
   description: 'The highest registered url domain, stripped of the subdomain.
 
@@ -8314,6 +8487,8 @@ user.changes.domain:
   short: Name of the directory the user is a member of.
   type: keyword
 user.changes.email:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: user-changes-email
   description: User email address.
   flat_name: user.changes.email
@@ -8324,6 +8499,8 @@ user.changes.email:
   short: User email address.
   type: wildcard
 user.changes.full_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: user-changes-full-name
   description: User's full name, if available.
   example: Albert Einstein
@@ -8401,6 +8578,8 @@ user.changes.id:
   short: Unique identifier of the user.
   type: keyword
 user.changes.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: user-changes-name
   description: Short name or login of the user.
   example: albert
@@ -8455,6 +8634,8 @@ user.effective.domain:
   short: Name of the directory the user is a member of.
   type: keyword
 user.effective.email:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: user-effective-email
   description: User email address.
   flat_name: user.effective.email
@@ -8465,6 +8646,8 @@ user.effective.email:
   short: User email address.
   type: wildcard
 user.effective.full_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: user-effective-full-name
   description: User's full name, if available.
   example: Albert Einstein
@@ -8542,6 +8725,8 @@ user.effective.id:
   short: Unique identifier of the user.
   type: keyword
 user.effective.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: user-effective-name
   description: Short name or login of the user.
   example: albert
@@ -8571,6 +8756,8 @@ user.effective.roles:
   short: Array of user roles at the time of the event.
   type: keyword
 user.email:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: user-email
   description: User email address.
   flat_name: user.email
@@ -8580,6 +8767,8 @@ user.email:
   short: User email address.
   type: wildcard
 user.full_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: user-full-name
   description: User's full name, if available.
   example: Albert Einstein
@@ -8654,6 +8843,8 @@ user.id:
   short: Unique identifier of the user.
   type: keyword
 user.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: user-name
   description: Short name or login of the user.
   example: albert
@@ -8694,6 +8885,8 @@ user.target.domain:
   short: Name of the directory the user is a member of.
   type: keyword
 user.target.email:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: user-target-email
   description: User email address.
   flat_name: user.target.email
@@ -8704,6 +8897,8 @@ user.target.email:
   short: User email address.
   type: wildcard
 user.target.full_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: user-target-full-name
   description: User's full name, if available.
   example: Albert Einstein
@@ -8781,6 +8976,8 @@ user.target.id:
   short: Unique identifier of the user.
   type: keyword
 user.target.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: user-target-name
   description: Short name or login of the user.
   example: albert
@@ -8832,6 +9029,8 @@ user_agent.name:
   short: Name of the user agent.
   type: keyword
 user_agent.original:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: user-agent-original
   description: Unparsed user_agent string.
   example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15
@@ -8860,6 +9059,8 @@ user_agent.os.family:
   short: OS family (such as redhat, debian, freebsd, windows).
   type: keyword
 user_agent.os.full:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: user-agent-os-full
   description: Operating system name, including the version or code name.
   example: Mac OS Mojave
@@ -8888,6 +9089,8 @@ user_agent.os.kernel:
   short: Operating system kernel version as a raw string.
   type: keyword
 user_agent.os.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: user-agent-os-name
   description: Operating system name, without the version.
   example: Mac OS X
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index f6c475532c..6d1a832021 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -8,6 +8,8 @@ agent:
     event happened or the measurement was taken.'
   fields:
     agent.build.original:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: agent-build-original
       description: 'Extended build information for the agent.
 
@@ -118,6 +120,8 @@ as:
       short: Unique number allocated to the autonomous system.
       type: long
     as.organization.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: as-organization-name
       description: Organization name.
       example: Google LLC
@@ -273,6 +277,8 @@ client:
       short: Unique number allocated to the autonomous system.
       type: long
     client.as.organization.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: client-as-organization-name
       description: Organization name.
       example: Google LLC
@@ -300,6 +306,8 @@ client:
       short: Bytes sent from the client to the server.
       type: long
     client.domain:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: client-domain
       description: Client domain.
       flat_name: client.domain
@@ -368,6 +376,8 @@ client:
       short: Longitude and latitude.
       type: geo_point
     client.geo.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: client-geo-name
       description: 'User-defined description of a location, at the level of granularity
         they care about.
@@ -473,6 +483,8 @@ client:
       short: Port of the client.
       type: long
     client.registered_domain:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: client-registered-domain
       description: 'The highest registered client domain, stripped of the subdomain.
 
@@ -537,6 +549,8 @@ client:
       short: Name of the directory the user is a member of.
       type: keyword
     client.user.email:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: client-user-email
       description: User email address.
       flat_name: client.user.email
@@ -547,6 +561,8 @@ client:
       short: User email address.
       type: wildcard
     client.user.full_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: client-user-full-name
       description: User's full name, if available.
       example: Albert Einstein
@@ -624,6 +640,8 @@ client:
       short: Unique identifier of the user.
       type: keyword
     client.user.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: client-user-name
       description: Short name or login of the user.
       example: albert
@@ -1004,6 +1022,8 @@ destination:
       short: Unique number allocated to the autonomous system.
       type: long
     destination.as.organization.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: destination-as-organization-name
       description: Organization name.
       example: Google LLC
@@ -1031,6 +1051,8 @@ destination:
       short: Bytes sent from the destination to the source.
       type: long
     destination.domain:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: destination-domain
       description: Destination domain.
       flat_name: destination.domain
@@ -1099,6 +1121,8 @@ destination:
       short: Longitude and latitude.
       type: geo_point
     destination.geo.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: destination-geo-name
       description: 'User-defined description of a location, at the level of granularity
         they care about.
@@ -1203,6 +1227,8 @@ destination:
       short: Port of the destination.
       type: long
     destination.registered_domain:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: destination-registered-domain
       description: 'The highest registered destination domain, stripped of the subdomain.
 
@@ -1267,6 +1293,8 @@ destination:
       short: Name of the directory the user is a member of.
       type: keyword
     destination.user.email:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: destination-user-email
       description: User email address.
       flat_name: destination.user.email
@@ -1277,6 +1305,8 @@ destination:
       short: User email address.
       type: wildcard
     destination.user.full_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: destination-user-full-name
       description: User's full name, if available.
       example: Albert Einstein
@@ -1354,6 +1384,8 @@ destination:
       short: Unique identifier of the user.
       type: keyword
     destination.user.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: destination-user-name
       description: Short name or login of the user.
       example: albert
@@ -1617,6 +1649,8 @@ dll:
       short: A hash of the imports in a PE file.
       type: keyword
     dll.pe.original_file_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: dll-pe-original-file-name
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
@@ -1698,6 +1732,8 @@ dns:
       short: The class of DNS data contained in this resource record.
       type: keyword
     dns.answers.data:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: dns-answers-data
       description: 'The data describing the resource.
 
@@ -1800,6 +1836,8 @@ dns:
       short: The class of records being queried.
       type: keyword
     dns.question.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: dns-question-name
       description: 'The name being queried.
 
@@ -1987,6 +2025,8 @@ error:
       short: Error message.
       type: text
     error.stack_trace:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: error-stack-trace
       description: The stack trace of this error in plain text.
       flat_name: error.stack_trace
@@ -2001,6 +2041,8 @@ error:
       short: The stack trace of this error in plain text.
       type: wildcard
     error.type:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: error-type
       description: The type of the error, for example the class name of the exception.
       example: java.lang.NullPointerException
@@ -2449,7 +2491,8 @@ event:
       description: 'Raw text message of entire event. Used to demonstrate log integrity.
 
         This field is not indexed and doc_values are disabled. It cannot be searched,
-        but it can be retrieved from `_source`.'
+        but it can be retrieved from `_source`. If users wish to override this and
+        index this field, consider using the wildcard data type.'
       doc_values: false
       example: Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124;
         worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232
@@ -2937,6 +2980,8 @@ file:
       short: Device that is the source of the file.
       type: keyword
     file.directory:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: file-directory
       description: Directory where the file is located. It should include the drive
         letter, when appropriate.
@@ -3108,6 +3153,8 @@ file:
       short: File owner's username.
       type: keyword
     file.path:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: file-path
       description: Full path to the file, including the file name. It should include
         the drive letter, when appropriate.
@@ -3188,6 +3235,8 @@ file:
       short: A hash of the imports in a PE file.
       type: keyword
     file.pe.original_file_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: file-pe-original-file-name
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
@@ -3223,6 +3272,8 @@ file:
       short: File size in bytes.
       type: long
     file.target_path:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: file-target-path
       description: Target path for symlinks.
       flat_name: file.target_path
@@ -3300,6 +3351,8 @@ file:
       short: List of country (C) codes
       type: keyword
     file.x509.issuer.distinguished_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: file-x509-issuer-distinguished-name
       description: Distinguished name (DN) of issuing certificate authority.
       example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
@@ -3489,6 +3542,8 @@ file:
       short: List of country (C) code
       type: keyword
     file.x509.subject.distinguished_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: file-x509-subject-distinguished-name
       description: Distinguished name (DN) of the certificate subject entity.
       example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
@@ -3648,6 +3703,8 @@ geo:
       short: Longitude and latitude.
       type: geo_point
     geo.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: geo-name
       description: 'User-defined description of a location, at the level of granularity
         they care about.
@@ -3952,6 +4009,8 @@ host:
       short: Longitude and latitude.
       type: geo_point
     host.geo.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: host-geo-name
       description: 'User-defined description of a location, at the level of granularity
         they care about.
@@ -3993,6 +4052,8 @@ host:
       short: Region name.
       type: keyword
     host.hostname:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: host-hostname
       description: 'Hostname of the host.
 
@@ -4105,6 +4166,8 @@ host:
       short: OS family (such as redhat, debian, freebsd, windows).
       type: keyword
     host.os.full:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: host-os-full
       description: Operating system name, including the version or code name.
       example: Mac OS Mojave
@@ -4133,6 +4196,8 @@ host:
       short: Operating system kernel version as a raw string.
       type: keyword
     host.os.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: host-os-name
       description: Operating system name, without the version.
       example: Mac OS X
@@ -4230,6 +4295,8 @@ host:
       short: Name of the directory the user is a member of.
       type: keyword
     host.user.email:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: host-user-email
       description: User email address.
       flat_name: host.user.email
@@ -4240,6 +4307,8 @@ host:
       short: User email address.
       type: wildcard
     host.user.full_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: host-user-full-name
       description: User's full name, if available.
       example: Albert Einstein
@@ -4317,6 +4386,8 @@ host:
       short: Unique identifier of the user.
       type: keyword
     host.user.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: host-user-name
       description: Short name or login of the user.
       example: albert
@@ -4381,6 +4452,8 @@ http:
       short: Size in bytes of the request body.
       type: long
     http.request.body.content:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: http-request-body-content
       description: The full HTTP request body.
       example: Hello world
@@ -4442,6 +4515,8 @@ http:
       short: Mime type of the body of the request.
       type: keyword
     http.request.referrer:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: http-request-referrer
       description: Referrer for this HTTP request.
       example: https://blog.example.com/
@@ -4463,6 +4538,8 @@ http:
       short: Size in bytes of the response body.
       type: long
     http.response.body.content:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: http-response-body-content
       description: The full HTTP response body.
       example: Hello world
@@ -4600,6 +4677,8 @@ log:
     but rather in `event.*` or in other ECS fields.'
   fields:
     log.file.path:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: log-file-path
       description: 'Full path to the log file this event came from, including the
         file name. It should include the drive letter, when appropriate.
@@ -4630,6 +4709,8 @@ log:
       short: Log level of the log event.
       type: keyword
     log.logger:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: log-logger
       description: The name of the logger inside an application. This is usually the
         name of the class which initialized the logger, or can be a custom name.
@@ -5191,6 +5272,8 @@ observer:
       short: Longitude and latitude.
       type: geo_point
     observer.geo.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: observer-geo-name
       description: 'User-defined description of a location, at the level of granularity
         they care about.
@@ -5378,6 +5461,8 @@ observer:
       short: OS family (such as redhat, debian, freebsd, windows).
       type: keyword
     observer.os.full:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: observer-os-full
       description: Operating system name, including the version or code name.
       example: Mac OS Mojave
@@ -5406,6 +5491,8 @@ observer:
       short: Operating system kernel version as a raw string.
       type: keyword
     observer.os.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: observer-os-name
       description: Operating system name, without the version.
       example: Mac OS X
@@ -5571,6 +5658,8 @@ organization:
       short: Unique identifier for the organization.
       type: keyword
     organization.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: organization-name
       description: Organization name.
       flat_name: organization.name
@@ -5605,6 +5694,8 @@ os:
       short: OS family (such as redhat, debian, freebsd, windows).
       type: keyword
     os.full:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: os-full
       description: Operating system name, including the version or code name.
       example: Mac OS Mojave
@@ -5631,6 +5722,8 @@ os:
       short: Operating system kernel version as a raw string.
       type: keyword
     os.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: os-name
       description: Operating system name, without the version.
       example: Mac OS X
@@ -5930,6 +6023,8 @@ pe:
       short: A hash of the imports in a PE file.
       type: keyword
     pe.original_file_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: pe-original-file-name
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
@@ -6073,6 +6168,8 @@ process:
         content.
       type: boolean
     process.command_line:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: process-command-line
       description: 'Full command line that started the process, including the absolute
         path to the executable, and all arguments.
@@ -6110,6 +6207,8 @@ process:
       short: Unique identifier for the process.
       type: keyword
     process.executable:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: process-executable
       description: Absolute path to the process executable.
       example: /usr/bin/ssh
@@ -6182,6 +6281,8 @@ process:
       short: SHA512 hash.
       type: keyword
     process.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: process-name
       description: 'Process name.
 
@@ -6298,6 +6399,8 @@ process:
         content.
       type: boolean
     process.parent.command_line:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: process-parent-command-line
       description: 'Full command line that started the process, including the absolute
         path to the executable, and all arguments.
@@ -6337,6 +6440,8 @@ process:
       short: Unique identifier for the process.
       type: keyword
     process.parent.executable:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: process-parent-executable
       description: Absolute path to the process executable.
       example: /usr/bin/ssh
@@ -6411,6 +6516,8 @@ process:
       short: SHA512 hash.
       type: keyword
     process.parent.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: process-parent-name
       description: 'Process name.
 
@@ -6493,6 +6600,8 @@ process:
       short: A hash of the imports in a PE file.
       type: keyword
     process.parent.pe.original_file_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: process-parent-pe-original-file-name
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
@@ -6574,6 +6683,8 @@ process:
       short: Thread ID.
       type: long
     process.parent.thread.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: process-parent-thread-name
       description: Thread name.
       example: thread-0
@@ -6585,6 +6696,8 @@ process:
       short: Thread name.
       type: wildcard
     process.parent.title:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: process-parent-title
       description: 'Process title.
 
@@ -6614,6 +6727,8 @@ process:
       short: Seconds the process has been up.
       type: long
     process.parent.working_directory:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: process-parent-working-directory
       description: The working directory of the process.
       example: /home/alice
@@ -6694,6 +6809,8 @@ process:
       short: A hash of the imports in a PE file.
       type: keyword
     process.pe.original_file_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: process-pe-original-file-name
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
@@ -6770,6 +6887,8 @@ process:
       short: Thread ID.
       type: long
     process.thread.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: process-thread-name
       description: Thread name.
       example: thread-0
@@ -6780,6 +6899,8 @@ process:
       short: Thread name.
       type: wildcard
     process.title:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: process-title
       description: 'Process title.
 
@@ -6807,6 +6928,8 @@ process:
       short: Seconds the process has been up.
       type: long
     process.working_directory:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: process-working-directory
       description: The working directory of the process.
       example: /home/alice
@@ -6870,6 +6993,8 @@ registry:
       short: Original bytes written with base64 encoding.
       type: keyword
     registry.data.strings:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: registry-data-strings
       description: 'Content when writing string types.
 
@@ -6909,6 +7034,8 @@ registry:
       short: Abbreviated name for the hive.
       type: keyword
     registry.key:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: registry-key
       description: Hive-relative path of keys.
       example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
@@ -6919,6 +7046,8 @@ registry:
       short: Hive-relative path of keys.
       type: wildcard
     registry.path:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: registry-path
       description: Full path, including hive, key and value
       example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
@@ -7193,6 +7322,8 @@ server:
       short: Unique number allocated to the autonomous system.
       type: long
     server.as.organization.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: server-as-organization-name
       description: Organization name.
       example: Google LLC
@@ -7220,6 +7351,8 @@ server:
       short: Bytes sent from the server to the client.
       type: long
     server.domain:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: server-domain
       description: Server domain.
       flat_name: server.domain
@@ -7288,6 +7421,8 @@ server:
       short: Longitude and latitude.
       type: geo_point
     server.geo.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: server-geo-name
       description: 'User-defined description of a location, at the level of granularity
         they care about.
@@ -7393,6 +7528,8 @@ server:
       short: Port of the server.
       type: long
     server.registered_domain:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: server-registered-domain
       description: 'The highest registered server domain, stripped of the subdomain.
 
@@ -7457,6 +7594,8 @@ server:
       short: Name of the directory the user is a member of.
       type: keyword
     server.user.email:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: server-user-email
       description: User email address.
       flat_name: server.user.email
@@ -7467,6 +7606,8 @@ server:
       short: User email address.
       type: wildcard
     server.user.full_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: server-user-full-name
       description: User's full name, if available.
       example: Albert Einstein
@@ -7544,6 +7685,8 @@ server:
       short: Unique identifier of the user.
       type: keyword
     server.user.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: server-user-name
       description: Short name or login of the user.
       example: albert
@@ -7756,6 +7899,8 @@ source:
       short: Unique number allocated to the autonomous system.
       type: long
     source.as.organization.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: source-as-organization-name
       description: Organization name.
       example: Google LLC
@@ -7783,6 +7928,8 @@ source:
       short: Bytes sent from the source to the destination.
       type: long
     source.domain:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: source-domain
       description: Source domain.
       flat_name: source.domain
@@ -7851,6 +7998,8 @@ source:
       short: Longitude and latitude.
       type: geo_point
     source.geo.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: source-geo-name
       description: 'User-defined description of a location, at the level of granularity
         they care about.
@@ -7956,6 +8105,8 @@ source:
       short: Port of the source.
       type: long
     source.registered_domain:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: source-registered-domain
       description: 'The highest registered source domain, stripped of the subdomain.
 
@@ -8020,6 +8171,8 @@ source:
       short: Name of the directory the user is a member of.
       type: keyword
     source.user.email:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: source-user-email
       description: User email address.
       flat_name: source.user.email
@@ -8030,6 +8183,8 @@ source:
       short: User email address.
       type: wildcard
     source.user.full_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: source-user-full-name
       description: User's full name, if available.
       example: Albert Einstein
@@ -8107,6 +8262,8 @@ source:
       short: Unique identifier of the user.
       type: keyword
     source.user.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: source-user-name
       description: Short name or login of the user.
       example: albert
@@ -8399,6 +8556,8 @@ tls:
         of certificate offered by the client.
       type: keyword
     tls.client.issuer:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: tls-client-issuer
       description: Distinguished name of subject of the issuer of the x.509 certificate
         presented by the client.
@@ -8459,6 +8618,8 @@ tls:
       short: Hostname the client is trying to connect to. Also called the SNI.
       type: keyword
     tls.client.subject:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: tls-client-subject
       description: Distinguished name of subject of the x.509 certificate presented
         by the client.
@@ -8525,6 +8686,8 @@ tls:
       short: List of country (C) codes
       type: keyword
     tls.client.x509.issuer.distinguished_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: tls-client-x509-issuer-distinguished-name
       description: Distinguished name (DN) of issuing certificate authority.
       example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
@@ -8714,6 +8877,8 @@ tls:
       short: List of country (C) code
       type: keyword
     tls.client.x509.subject.distinguished_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: tls-client-x509-subject-distinguished-name
       description: Distinguished name (DN) of the certificate subject entity.
       example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
@@ -8904,6 +9069,8 @@ tls:
         of certificate offered by the server.
       type: keyword
     tls.server.issuer:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: tls-server-issuer
       description: Subject of the issuer of the x.509 certificate presented by the
         server.
@@ -8950,6 +9117,8 @@ tls:
       short: Timestamp indicating when server certificate is first considered valid.
       type: date
     tls.server.subject:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: tls-server-subject
       description: Subject of the x.509 certificate presented by the server.
       example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com
@@ -9001,6 +9170,8 @@ tls:
       short: List of country (C) codes
       type: keyword
     tls.server.x509.issuer.distinguished_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: tls-server-x509-issuer-distinguished-name
       description: Distinguished name (DN) of issuing certificate authority.
       example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
@@ -9190,6 +9361,8 @@ tls:
       short: List of country (C) code
       type: keyword
     tls.server.x509.subject.distinguished_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: tls-server-x509-subject-distinguished-name
       description: Distinguished name (DN) of the certificate subject entity.
       example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
@@ -9365,6 +9538,8 @@ url:
     the breaking down into scheme, domain, path, and so on.
   fields:
     url.domain:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: url-domain
       description: 'Domain of the url, such as "www.elastic.co".
 
@@ -9414,6 +9589,8 @@ url:
       short: Portion of the url after the `#`.
       type: keyword
     url.full:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: url-full
       description: If full URLs are important to your use case, they should be stored
         in `url.full`, whether this field is reconstructed or present in the event
@@ -9431,6 +9608,8 @@ url:
       short: Full unparsed URL.
       type: wildcard
     url.original:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: url-original
       description: 'Unmodified original url as seen in the event source.
 
@@ -9461,6 +9640,8 @@ url:
       short: Password of the request.
       type: keyword
     url.path:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: url-path
       description: Path of the request, such as "/search".
       flat_name: url.path
@@ -9497,6 +9678,8 @@ url:
       short: Query string of the request.
       type: keyword
     url.registered_domain:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: url-registered-domain
       description: 'The highest registered url domain, stripped of the subdomain.
 
@@ -9597,6 +9780,8 @@ user:
       short: Name of the directory the user is a member of.
       type: keyword
     user.changes.email:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: user-changes-email
       description: User email address.
       flat_name: user.changes.email
@@ -9607,6 +9792,8 @@ user:
       short: User email address.
       type: wildcard
     user.changes.full_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: user-changes-full-name
       description: User's full name, if available.
       example: Albert Einstein
@@ -9684,6 +9871,8 @@ user:
       short: Unique identifier of the user.
       type: keyword
     user.changes.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: user-changes-name
       description: Short name or login of the user.
       example: albert
@@ -9738,6 +9927,8 @@ user:
       short: Name of the directory the user is a member of.
       type: keyword
     user.effective.email:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: user-effective-email
       description: User email address.
       flat_name: user.effective.email
@@ -9748,6 +9939,8 @@ user:
       short: User email address.
       type: wildcard
     user.effective.full_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: user-effective-full-name
       description: User's full name, if available.
       example: Albert Einstein
@@ -9825,6 +10018,8 @@ user:
       short: Unique identifier of the user.
       type: keyword
     user.effective.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: user-effective-name
       description: Short name or login of the user.
       example: albert
@@ -9854,6 +10049,8 @@ user:
       short: Array of user roles at the time of the event.
       type: keyword
     user.email:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: user-email
       description: User email address.
       flat_name: user.email
@@ -9863,6 +10060,8 @@ user:
       short: User email address.
       type: wildcard
     user.full_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: user-full-name
       description: User's full name, if available.
       example: Albert Einstein
@@ -9937,6 +10136,8 @@ user:
       short: Unique identifier of the user.
       type: keyword
     user.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: user-name
       description: Short name or login of the user.
       example: albert
@@ -9977,6 +10178,8 @@ user:
       short: Name of the directory the user is a member of.
       type: keyword
     user.target.email:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: user-target-email
       description: User email address.
       flat_name: user.target.email
@@ -9987,6 +10190,8 @@ user:
       short: User email address.
       type: wildcard
     user.target.full_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: user-target-full-name
       description: User's full name, if available.
       example: Albert Einstein
@@ -10064,6 +10269,8 @@ user:
       short: Unique identifier of the user.
       type: keyword
     user.target.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: user-target-name
       description: Short name or login of the user.
       example: albert
@@ -10177,6 +10384,8 @@ user_agent:
       short: Name of the user agent.
       type: keyword
     user_agent.original:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: user-agent-original
       description: Unparsed user_agent string.
       example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15
@@ -10205,6 +10414,8 @@ user_agent:
       short: OS family (such as redhat, debian, freebsd, windows).
       type: keyword
     user_agent.os.full:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: user-agent-os-full
       description: Operating system name, including the version or code name.
       example: Mac OS Mojave
@@ -10233,6 +10444,8 @@ user_agent:
       short: Operating system kernel version as a raw string.
       type: keyword
     user_agent.os.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: user-agent-os-name
       description: Operating system name, without the version.
       example: Mac OS X
@@ -10613,6 +10826,8 @@ x509:
       short: List of country (C) codes
       type: keyword
     x509.issuer.distinguished_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: x509-issuer-distinguished-name
       description: Distinguished name (DN) of issuing certificate authority.
       example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
@@ -10787,6 +11002,8 @@ x509:
       short: List of country (C) code
       type: keyword
     x509.subject.distinguished_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: x509-subject-distinguished-name
       description: Distinguished name (DN) of the certificate subject entity.
       example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
diff --git a/experimental/schemas/agent.yml b/experimental/schemas/agent.yml
deleted file mode 100644
index d09e77111d..0000000000
--- a/experimental/schemas/agent.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- name: agent
-  fields:
-    - name: build.original
-      type: wildcard
diff --git a/experimental/schemas/as.yml b/experimental/schemas/as.yml
deleted file mode 100644
index 96cf45621c..0000000000
--- a/experimental/schemas/as.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- name: as
-  fields:
-    - name: organization.name
-      type: wildcard
diff --git a/experimental/schemas/client.yml b/experimental/schemas/client.yml
deleted file mode 100644
index 14ed3a9a37..0000000000
--- a/experimental/schemas/client.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-  - name: client
-    fields:
-      - name: domain
-        type: wildcard
-      - name: registered_domain
-        type: wildcard
diff --git a/experimental/schemas/destination.yml b/experimental/schemas/destination.yml
deleted file mode 100644
index d64a84c6be..0000000000
--- a/experimental/schemas/destination.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-  - name: destination
-    fields:
-      - name: domain
-        type: wildcard
-      - name: registered_domain
-        type: wildcard
diff --git a/experimental/schemas/dns.yml b/experimental/schemas/dns.yml
deleted file mode 100644
index 466859c09f..0000000000
--- a/experimental/schemas/dns.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-- name: dns
-  fields:
-    - name: question.name
-      type: wildcard
-    - name: answers
-      type: object
-    - name: answers.data
-      type: wildcard
diff --git a/experimental/schemas/error.yml b/experimental/schemas/error.yml
deleted file mode 100644
index f2004d3fe0..0000000000
--- a/experimental/schemas/error.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-- name: error
-  fields:
-    - name: stack_trace
-      index: true
-      type: wildcard
-
-    - name: type
-      type: wildcard
diff --git a/experimental/schemas/file.yml b/experimental/schemas/file.yml
deleted file mode 100644
index f4938d38be..0000000000
--- a/experimental/schemas/file.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-- name: file
-  fields:
-    - name: directory
-      type: wildcard
-    - name: path
-      type: wildcard
-    - name: target_path
-      type: wildcard
diff --git a/experimental/schemas/geo.yml b/experimental/schemas/geo.yml
deleted file mode 100644
index d3445a5a2b..0000000000
--- a/experimental/schemas/geo.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-  - name: geo
-    fields:
-      - name: name
-        type: wildcard
diff --git a/experimental/schemas/host.yml b/experimental/schemas/host.yml
index 1185d03e0b..eabc2f9af8 100644
--- a/experimental/schemas/host.yml
+++ b/experimental/schemas/host.yml
@@ -1,8 +1,5 @@
 - name: host
   fields:
-    - name: hostname
-      type: wildcard
-
     # RFC 0005
     - name: cpu.usage
       type: scaled_float
diff --git a/experimental/schemas/http.yml b/experimental/schemas/http.yml
deleted file mode 100644
index 1722cdc5e7..0000000000
--- a/experimental/schemas/http.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-- name: http
-  fields:
-    - name: request.body.content
-      type: wildcard
-    - name: request.referrer
-      type: wildcard
-    - name: response.body.content
-      type: wildcard
diff --git a/experimental/schemas/log.yml b/experimental/schemas/log.yml
deleted file mode 100644
index 8a2f2dd397..0000000000
--- a/experimental/schemas/log.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-- name: log
-  fields:
-    - name: file.path
-      type: wildcard
-    - name: logger
-      type: wildcard
diff --git a/experimental/schemas/organization.yml b/experimental/schemas/organization.yml
deleted file mode 100644
index 594581413b..0000000000
--- a/experimental/schemas/organization.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- name: organization
-  fields:
-    - name: name
-      type: wildcard
diff --git a/experimental/schemas/os.yml b/experimental/schemas/os.yml
deleted file mode 100644
index ec9d71a79c..0000000000
--- a/experimental/schemas/os.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-- name: os
-  fields:
-    - name: name
-      type: wildcard
-    - name: full
-      type: wildcard
diff --git a/experimental/schemas/pe.yml b/experimental/schemas/pe.yml
deleted file mode 100644
index 77a0574348..0000000000
--- a/experimental/schemas/pe.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- name: pe
-  fields:
-    - name: original_file_name
-      type: wildcard
diff --git a/experimental/schemas/process.yml b/experimental/schemas/process.yml
deleted file mode 100644
index e759e97e86..0000000000
--- a/experimental/schemas/process.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-- name: process
-  fields:
-    - name: command_line
-      type: wildcard
-    - name: executable
-      type: wildcard
-    - name: name
-      type: wildcard
-    - name: thread.name
-      type: wildcard
-    - name: title
-      type: wildcard
-    - name: working_directory
-      type: wildcard
diff --git a/experimental/schemas/registry.yml b/experimental/schemas/registry.yml
deleted file mode 100644
index 66f6f6b22c..0000000000
--- a/experimental/schemas/registry.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-- name: registry
-  fields:
-    - name: key
-      type: wildcard
-    - name: path
-      type: wildcard
-    - name: data.strings
-      type: wildcard
diff --git a/experimental/schemas/server.yml b/experimental/schemas/server.yml
deleted file mode 100644
index 70c285f374..0000000000
--- a/experimental/schemas/server.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-  - name: server
-    fields:
-      - name: domain
-        type: wildcard
-      - name: registered_domain
-        type: wildcard
diff --git a/experimental/schemas/source.yml b/experimental/schemas/source.yml
deleted file mode 100644
index d810a6cb79..0000000000
--- a/experimental/schemas/source.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-- name: source
-  fields:
-    - name: domain
-      type: wildcard
-    - name: registered_domain
-      type: wildcard
diff --git a/experimental/schemas/tls.yml b/experimental/schemas/tls.yml
deleted file mode 100644
index 4f5378a313..0000000000
--- a/experimental/schemas/tls.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-- name: tls
-  fields:
-    - name: client.issuer
-      type: wildcard
-    - name: client.subject
-      type: wildcard
-    - name: server.issuer
-      type: wildcard
-    - name: server.subject
-      type: wildcard
diff --git a/experimental/schemas/url.yml b/experimental/schemas/url.yml
deleted file mode 100644
index 0d5f66c36a..0000000000
--- a/experimental/schemas/url.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-- name: url
-  fields:
-    - name: original
-      type: wildcard
-    - name: full
-      type: wildcard
-    - name: path
-      type: wildcard
-    - name: domain
-      type: wildcard
-    - name: registered_domain
-      type: wildcard
diff --git a/experimental/schemas/user.yml b/experimental/schemas/user.yml
deleted file mode 100644
index 89e182fbee..0000000000
--- a/experimental/schemas/user.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-- name: user
-  fields:
-    - name: name
-      type: wildcard
-    - name: full_name
-      type: wildcard
-    - name: email
-      type: wildcard
diff --git a/experimental/schemas/user_agent.yml b/experimental/schemas/user_agent.yml
deleted file mode 100644
index c413a9d702..0000000000
--- a/experimental/schemas/user_agent.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- name: user_agent
-  fields:
-    - name: original
-      type: wildcard
diff --git a/experimental/schemas/x509.yml b/experimental/schemas/x509.yml
deleted file mode 100644
index d1c7d8af6b..0000000000
--- a/experimental/schemas/x509.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-- name: x509
-  fields:
-    - name: issuer.distinguished_name
-      type: wildcard
-    - name: subject.distinguished_name
-      type: wildcard
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 1caa603979..d7bb24c1bd 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -66,8 +66,7 @@
     fields:
     - name: build.original
       level: core
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: 'Extended build information for the agent.
 
         This field is intended to contain any build information that a data source
@@ -136,8 +135,7 @@
       example: 15169
     - name: organization.name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -183,8 +181,7 @@
       example: 15169
     - name: as.organization.name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -200,8 +197,7 @@
       example: 184
     - name: domain
       level: core
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Client domain.
     - name: geo.city_name
       level: core
@@ -234,8 +230,7 @@
       example: '{ "lon": -73.614830, "lat": 45.505918 }'
     - name: geo.name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: 'User-defined description of a location, at the level of granularity
         they care about.
 
@@ -292,8 +287,7 @@
       description: Port of the client.
     - name: registered_domain
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: 'The highest registered client domain, stripped of the subdomain.
 
         For example, the registered domain for "foo.example.com" is "example.com".
@@ -337,13 +331,11 @@
         For example, an LDAP or Active Directory domain name.'
     - name: user.email
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: User email address.
     - name: user.full_name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -384,8 +376,7 @@
       description: Unique identifier of the user.
     - name: user.name
       level: core
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -605,8 +596,7 @@
       example: 15169
     - name: as.organization.name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -622,8 +612,7 @@
       example: 184
     - name: domain
       level: core
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Destination domain.
     - name: geo.city_name
       level: core
@@ -656,8 +645,7 @@
       example: '{ "lon": -73.614830, "lat": 45.505918 }'
     - name: geo.name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: 'User-defined description of a location, at the level of granularity
         they care about.
 
@@ -713,8 +701,7 @@
       description: Port of the destination.
     - name: registered_domain
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: 'The highest registered destination domain, stripped of the subdomain.
 
         For example, the registered domain for "foo.example.com" is "example.com".
@@ -758,13 +745,11 @@
         For example, an LDAP or Active Directory domain name.'
     - name: user.email
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: User email address.
     - name: user.full_name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -805,8 +790,7 @@
       description: Unique identifier of the user.
     - name: user.name
       level: core
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -961,8 +945,7 @@
       default_field: false
     - name: pe.original_file_name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
       default_field: false
@@ -1005,8 +988,7 @@
       example: IN
     - name: answers.data
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: 'The data describing the resource.
 
         The meaning of this data depends on the type and class of the resource record.'
@@ -1065,8 +1047,7 @@
       example: IN
     - name: question.name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: 'The name being queried.
 
         If the name field contains non-printable characters (below 32 or above 126),
@@ -1185,19 +1166,16 @@
       description: Error message.
     - name: stack_trace
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
         norms: false
         default_field: false
       description: The stack trace of this error in plain text.
-      index: false
     - name: type
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: The type of the error, for example the class name of the exception.
       example: java.lang.NullPointerException
   - name: event
@@ -1356,7 +1334,8 @@
       description: 'Raw text message of entire event. Used to demonstrate log integrity.
 
         This field is not indexed and doc_values are disabled. It cannot be searched,
-        but it can be retrieved from `_source`.'
+        but it can be retrieved from `_source`. If users wish to override this and
+        index this field, consider using the wildcard data type.'
       example: Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124;
         worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232
       index: false
@@ -1585,8 +1564,7 @@
       example: sda
     - name: directory
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Directory where the file is located. It should include the drive
         letter, when appropriate.
       example: /home/alice
@@ -1680,8 +1658,7 @@
       example: alice
     - name: path
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -1731,8 +1708,7 @@
       default_field: false
     - name: pe.original_file_name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
       default_field: false
@@ -1752,8 +1728,7 @@
       example: 16384
     - name: target_path
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -1797,8 +1772,7 @@
       default_field: false
     - name: x509.issuer.distinguished_name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Distinguished name (DN) of issuing certificate authority.
       example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
         Server CA
@@ -1904,8 +1878,7 @@
       default_field: false
     - name: x509.subject.distinguished_name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Distinguished name (DN) of the certificate subject entity.
       example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
       default_field: false
@@ -1984,8 +1957,7 @@
       example: '{ "lon": -73.614830, "lat": 45.505918 }'
     - name: name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: 'User-defined description of a location, at the level of granularity
         they care about.
 
@@ -2118,8 +2090,7 @@
       example: '{ "lon": -73.614830, "lat": 45.505918 }'
     - name: geo.name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: 'User-defined description of a location, at the level of granularity
         they care about.
 
@@ -2142,8 +2113,7 @@
       example: Quebec
     - name: hostname
       level: core
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: 'Hostname of the host.
 
         It normally contains what the `hostname` command returns on the host machine.'
@@ -2182,8 +2152,7 @@
       example: debian
     - name: os.full
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -2199,8 +2168,7 @@
       example: 4.4.0-112-generic
     - name: os.name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -2258,13 +2226,11 @@
         For example, an LDAP or Active Directory domain name.'
     - name: user.email
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: User email address.
     - name: user.full_name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -2305,8 +2271,7 @@
       description: Unique identifier of the user.
     - name: user.name
       level: core
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -2336,8 +2301,7 @@
       example: 887
     - name: request.body.content
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -2379,8 +2343,7 @@
       default_field: false
     - name: request.referrer
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Referrer for this HTTP request.
       example: https://blog.example.com/
     - name: response.body.bytes
@@ -2391,8 +2354,7 @@
       example: 887
     - name: response.body.content
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -2478,8 +2440,7 @@
     fields:
     - name: file.path
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: 'Full path to the log file this event came from, including the
         file name. It should include the drive letter, when appropriate.
 
@@ -2500,8 +2461,7 @@
       example: error
     - name: logger
       level: core
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: The name of the logger inside an application. This is usually the
         name of the class which initialized the logger, or can be a custom name.
       example: org.elasticsearch.bootstrap.Bootstrap
@@ -2847,8 +2807,7 @@
       example: '{ "lon": -73.614830, "lat": 45.505918 }'
     - name: geo.name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: 'User-defined description of a location, at the level of granularity
         they care about.
 
@@ -2956,8 +2915,7 @@
       example: debian
     - name: os.full
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -2973,8 +2931,7 @@
       example: 4.4.0-112-generic
     - name: os.name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -3057,8 +3014,7 @@
       description: Unique identifier for the organization.
     - name: name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -3079,8 +3035,7 @@
       example: debian
     - name: full
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -3096,8 +3051,7 @@
       example: 4.4.0-112-generic
     - name: name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -3277,8 +3231,7 @@
       default_field: false
     - name: original_file_name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
       default_field: false
@@ -3362,8 +3315,7 @@
       default_field: false
     - name: command_line
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -3391,8 +3343,7 @@
       default_field: false
     - name: executable
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -3431,8 +3382,7 @@
       description: SHA512 hash.
     - name: name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -3506,8 +3456,7 @@
       default_field: false
     - name: parent.command_line
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -3535,8 +3484,7 @@
       default_field: false
     - name: parent.executable
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -3579,8 +3527,7 @@
       default_field: false
     - name: parent.name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -3631,8 +3578,7 @@
       default_field: false
     - name: parent.pe.original_file_name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
       default_field: false
@@ -3678,15 +3624,13 @@
       default_field: false
     - name: parent.thread.name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Thread name.
       example: thread-0
       default_field: false
     - name: parent.title
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -3704,8 +3648,7 @@
       default_field: false
     - name: parent.working_directory
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -3754,8 +3697,7 @@
       default_field: false
     - name: pe.original_file_name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
       default_field: false
@@ -3796,14 +3738,12 @@
       example: 4242
     - name: thread.name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Thread name.
       example: thread-0
     - name: title
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -3820,8 +3760,7 @@
       example: 1325
     - name: working_directory
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -3848,8 +3787,7 @@
       default_field: false
     - name: data.strings
       level: core
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: 'Content when writing string types.
 
         Populated as an array when writing string data to the registry. For single
@@ -3875,15 +3813,13 @@
       default_field: false
     - name: key
       level: core
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Hive-relative path of keys.
       example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
       default_field: false
     - name: path
       level: core
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Full path, including hive, key and value
       example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
         Options\winword.exe\Debugger
@@ -4068,8 +4004,7 @@
       example: 15169
     - name: as.organization.name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -4085,8 +4020,7 @@
       example: 184
     - name: domain
       level: core
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Server domain.
     - name: geo.city_name
       level: core
@@ -4119,8 +4053,7 @@
       example: '{ "lon": -73.614830, "lat": 45.505918 }'
     - name: geo.name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: 'User-defined description of a location, at the level of granularity
         they care about.
 
@@ -4177,8 +4110,7 @@
       description: Port of the server.
     - name: registered_domain
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: 'The highest registered server domain, stripped of the subdomain.
 
         For example, the registered domain for "foo.example.com" is "example.com".
@@ -4222,13 +4154,11 @@
         For example, an LDAP or Active Directory domain name.'
     - name: user.email
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: User email address.
     - name: user.full_name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -4269,8 +4199,7 @@
       description: Unique identifier of the user.
     - name: user.name
       level: core
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -4404,8 +4333,7 @@
       example: 15169
     - name: as.organization.name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -4421,8 +4349,7 @@
       example: 184
     - name: domain
       level: core
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Source domain.
     - name: geo.city_name
       level: core
@@ -4455,8 +4382,7 @@
       example: '{ "lon": -73.614830, "lat": 45.505918 }'
     - name: geo.name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: 'User-defined description of a location, at the level of granularity
         they care about.
 
@@ -4513,8 +4439,7 @@
       description: Port of the source.
     - name: registered_domain
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: 'The highest registered source domain, stripped of the subdomain.
 
         For example, the registered domain for "foo.example.com" is "example.com".
@@ -4558,13 +4483,11 @@
         For example, an LDAP or Active Directory domain name.'
     - name: user.email
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: User email address.
     - name: user.full_name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -4605,8 +4528,7 @@
       description: Unique identifier of the user.
     - name: user.name
       level: core
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -4780,8 +4702,7 @@
       default_field: false
     - name: client.issuer
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Distinguished name of subject of the issuer of the x.509 certificate
         presented by the client.
       example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
@@ -4819,8 +4740,7 @@
       default_field: false
     - name: client.subject
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Distinguished name of subject of the x.509 certificate presented
         by the client.
       example: CN=myclient, OU=Documentation Team, DC=example, DC=com
@@ -4858,8 +4778,7 @@
       default_field: false
     - name: client.x509.issuer.distinguished_name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Distinguished name (DN) of issuing certificate authority.
       example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
         Server CA
@@ -4965,8 +4884,7 @@
       default_field: false
     - name: client.x509.subject.distinguished_name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Distinguished name (DN) of the certificate subject entity.
       example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
       default_field: false
@@ -5079,8 +4997,7 @@
       default_field: false
     - name: server.issuer
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Subject of the issuer of the x.509 certificate presented by the
         server.
       example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
@@ -5109,8 +5026,7 @@
       default_field: false
     - name: server.subject
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Subject of the x.509 certificate presented by the server.
       example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com
       default_field: false
@@ -5139,8 +5055,7 @@
       default_field: false
     - name: server.x509.issuer.distinguished_name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Distinguished name (DN) of issuing certificate authority.
       example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
         Server CA
@@ -5246,8 +5161,7 @@
       default_field: false
     - name: server.x509.subject.distinguished_name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Distinguished name (DN) of the certificate subject entity.
       example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
       default_field: false
@@ -5336,8 +5250,7 @@
     fields:
     - name: domain
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: 'Domain of the url, such as "www.elastic.co".
 
         In some cases a URL may refer to an IP and/or port directly, without a domain
@@ -5371,8 +5284,7 @@
         The `#` is not part of the fragment.'
     - name: full
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -5384,8 +5296,7 @@
       example: https://www.elastic.co:443/search?q=elasticsearch#top
     - name: original
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -5405,8 +5316,7 @@
       description: Password of the request.
     - name: path
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Path of the request, such as "/search".
     - name: port
       level: extended
@@ -5427,8 +5337,7 @@
         the two cases.'
     - name: registered_domain
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: 'The highest registered url domain, stripped of the subdomain.
 
         For example, the registered domain for "foo.example.com" is "example.com".
@@ -5496,14 +5405,12 @@
       default_field: false
     - name: changes.email
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: User email address.
       default_field: false
     - name: changes.full_name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -5549,8 +5456,7 @@
       default_field: false
     - name: changes.name
       level: core
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -5582,14 +5488,12 @@
       default_field: false
     - name: effective.email
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: User email address.
       default_field: false
     - name: effective.full_name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -5635,8 +5539,7 @@
       default_field: false
     - name: effective.name
       level: core
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -5653,13 +5556,11 @@
       default_field: false
     - name: email
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: User email address.
     - name: full_name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -5700,8 +5601,7 @@
       description: Unique identifier of the user.
     - name: name
       level: core
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -5726,14 +5626,12 @@
       default_field: false
     - name: target.email
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: User email address.
       default_field: false
     - name: target.full_name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -5779,8 +5677,7 @@
       default_field: false
     - name: target.name
       level: core
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -5817,8 +5714,7 @@
       example: Safari
     - name: original
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -5834,8 +5730,7 @@
       example: debian
     - name: os.full
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -5851,8 +5746,7 @@
       example: 4.4.0-112-generic
     - name: os.name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -6099,8 +5993,7 @@
       default_field: false
     - name: issuer.distinguished_name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Distinguished name (DN) of issuing certificate authority.
       example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
         Server CA
@@ -6206,8 +6099,7 @@
       default_field: false
     - name: subject.distinguished_name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Distinguished name (DN) of the certificate subject entity.
       example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
       default_field: false
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index cd996051dc..374aec3e21 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -3,7 +3,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs.
 1.8.0-dev,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer.
 1.8.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event.
-1.8.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent.
+1.8.0-dev,true,agent,agent.build.original,wildcard,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent.
 1.8.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent.
 1.8.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
 1.8.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
@@ -11,16 +11,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
 1.8.0-dev,true,client,client.address,keyword,extended,,,Client network address.
 1.8.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.8.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name.
+1.8.0-dev,true,client,client.as.organization.name,wildcard,extended,,Google LLC,Organization name.
 1.8.0-dev,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name.
 1.8.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server.
-1.8.0-dev,true,client,client.domain,keyword,core,,,Client domain.
+1.8.0-dev,true,client,client.domain,wildcard,core,,,Client domain.
 1.8.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name.
 1.8.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent.
 1.8.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code.
 1.8.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name.
 1.8.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.8.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+1.8.0-dev,true,client,client.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
 1.8.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
 1.8.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name.
 1.8.0-dev,true,client,client.ip,ip,core,,,IP address of the client.
@@ -29,19 +29,19 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port
 1.8.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server.
 1.8.0-dev,true,client,client.port,long,core,,,Port of the client.
-1.8.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain."
+1.8.0-dev,true,client,client.registered_domain,wildcard,extended,,example.com,"The highest registered client domain, stripped of the subdomain."
 1.8.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain.
 1.8.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
 1.8.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev,true,client,client.user.email,keyword,extended,,,User email address.
-1.8.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,client,client.user.email,wildcard,extended,,,User email address.
+1.8.0-dev,true,client,client.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
 1.8.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 1.8.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group.
 1.8.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 1.8.0-dev,true,client,client.user.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,client,client.user.name,keyword,core,,albert,Short name or login of the user.
+1.8.0-dev,true,client,client.user.name,wildcard,core,,albert,Short name or login of the user.
 1.8.0-dev,true,client,client.user.name.text,text,core,,albert,Short name or login of the user.
 1.8.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.8.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id.
@@ -62,16 +62,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container.
 1.8.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address.
 1.8.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.8.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name.
+1.8.0-dev,true,destination,destination.as.organization.name,wildcard,extended,,Google LLC,Organization name.
 1.8.0-dev,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name.
 1.8.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source.
-1.8.0-dev,true,destination,destination.domain,keyword,core,,,Destination domain.
+1.8.0-dev,true,destination,destination.domain,wildcard,core,,,Destination domain.
 1.8.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name.
 1.8.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent.
 1.8.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code.
 1.8.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name.
 1.8.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.8.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+1.8.0-dev,true,destination,destination.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
 1.8.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
 1.8.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name.
 1.8.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination.
@@ -80,19 +80,19 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port
 1.8.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source.
 1.8.0-dev,true,destination,destination.port,long,core,,,Port of the destination.
-1.8.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain."
+1.8.0-dev,true,destination,destination.registered_domain,wildcard,extended,,example.com,"The highest registered destination domain, stripped of the subdomain."
 1.8.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain.
 1.8.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
 1.8.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address.
-1.8.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,destination,destination.user.email,wildcard,extended,,,User email address.
+1.8.0-dev,true,destination,destination.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
 1.8.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 1.8.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group.
 1.8.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 1.8.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,destination,destination.user.name,keyword,core,,albert,Short name or login of the user.
+1.8.0-dev,true,destination,destination.user.name,wildcard,core,,albert,Short name or login of the user.
 1.8.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user.
 1.8.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.8.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
@@ -111,11 +111,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
 1.8.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
 1.8.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.8.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.8.0-dev,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
 1.8.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
 1.8.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers.
 1.8.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record.
-1.8.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource.
+1.8.0-dev,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource.
 1.8.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains.
 1.8.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded.
 1.8.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record.
@@ -123,7 +123,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
 1.8.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message.
 1.8.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried.
-1.8.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried.
+1.8.0-dev,true,dns,dns.question.name,wildcard,extended,,www.example.com,The name being queried.
 1.8.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain."
 1.8.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain.
 1.8.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
@@ -135,9 +135,9 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,error,error.code,keyword,core,,,Error code describing the error.
 1.8.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error.
 1.8.0-dev,true,error,error.message,text,core,,,Error message.
-1.8.0-dev,false,error,error.stack_trace,keyword,extended,,,The stack trace of this error in plain text.
-1.8.0-dev,false,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text.
-1.8.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception."
+1.8.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text.
+1.8.0-dev,true,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text.
+1.8.0-dev,true,error,error.type,wildcard,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception."
 1.8.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event.
 1.8.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy.
 1.8.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event.
@@ -173,7 +173,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,file,file.created,date,extended,,,File creation time.
 1.8.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed.
 1.8.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file.
-1.8.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located.
+1.8.0-dev,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located.
 1.8.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
 1.8.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
 1.8.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
@@ -188,24 +188,24 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified.
 1.8.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
 1.8.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username.
-1.8.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+1.8.0-dev,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name."
 1.8.0-dev,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
 1.8.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
 1.8.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
 1.8.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
 1.8.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
 1.8.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.8.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.8.0-dev,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
 1.8.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
 1.8.0-dev,true,file,file.size,long,extended,,16384,File size in bytes.
-1.8.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks.
+1.8.0-dev,true,file,file.target_path,wildcard,extended,,,Target path for symlinks.
 1.8.0-dev,true,file,file.target_path.text,text,extended,,,Target path for symlinks.
 1.8.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
 1.8.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
 1.8.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
 1.8.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
 1.8.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-1.8.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.8.0-dev,true,file,file.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
 1.8.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
 1.8.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
 1.8.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
@@ -220,7 +220,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
 1.8.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
 1.8.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code
-1.8.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.8.0-dev,true,file,file.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
 1.8.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
 1.8.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
 1.8.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
@@ -236,19 +236,19 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code.
 1.8.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name.
 1.8.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.8.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+1.8.0-dev,true,host,host.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
 1.8.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
 1.8.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name.
-1.8.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host.
+1.8.0-dev,true,host,host.hostname,wildcard,core,,,Hostname of the host.
 1.8.0-dev,true,host,host.id,keyword,core,,,Unique host id.
 1.8.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses.
 1.8.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses.
 1.8.0-dev,true,host,host.name,keyword,core,,,Name of the host.
 1.8.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.8.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.8.0-dev,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
 1.8.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
 1.8.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.8.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
+1.8.0-dev,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
 1.8.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
 1.8.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
 1.8.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
@@ -256,34 +256,34 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,host,host.type,keyword,core,,,Type of host.
 1.8.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up.
 1.8.0-dev,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev,true,host,host.user.email,keyword,extended,,,User email address.
-1.8.0-dev,true,host,host.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,host,host.user.email,wildcard,extended,,,User email address.
+1.8.0-dev,true,host,host.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
 1.8.0-dev,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 1.8.0-dev,true,host,host.user.group.name,keyword,extended,,,Name of the group.
 1.8.0-dev,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 1.8.0-dev,true,host,host.user.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,host,host.user.name,keyword,core,,albert,Short name or login of the user.
+1.8.0-dev,true,host,host.user.name,wildcard,core,,albert,Short name or login of the user.
 1.8.0-dev,true,host,host.user.name.text,text,core,,albert,Short name or login of the user.
 1.8.0-dev,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.8.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body.
-1.8.0-dev,true,http,http.request.body.content,keyword,extended,,Hello world,The full HTTP request body.
+1.8.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body.
 1.8.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body.
 1.8.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers).
 1.8.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method.
 1.8.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request.
-1.8.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request.
+1.8.0-dev,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request.
 1.8.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body.
-1.8.0-dev,true,http,http.response.body.content,keyword,extended,,Hello world,The full HTTP response body.
+1.8.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body.
 1.8.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body.
 1.8.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers).
 1.8.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response.
 1.8.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code.
 1.8.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version.
-1.8.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from.
+1.8.0-dev,true,log,log.file.path,wildcard,extended,,/var/log/fun-times.log,Full path to the log file this event came from.
 1.8.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event.
-1.8.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger.
+1.8.0-dev,true,log,log.logger,wildcard,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger.
 1.8.0-dev,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event.
 1.8.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event.
 1.8.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event.
@@ -322,7 +322,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code.
 1.8.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name.
 1.8.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.8.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+1.8.0-dev,true,observer,observer.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
 1.8.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
 1.8.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name.
 1.8.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer.
@@ -337,10 +337,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer
 1.8.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer.
 1.8.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.8.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.8.0-dev,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
 1.8.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
 1.8.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.8.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
+1.8.0-dev,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
 1.8.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
 1.8.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
 1.8.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
@@ -351,7 +351,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer.
 1.8.0-dev,true,observer,observer.version,keyword,core,,,Observer version.
 1.8.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization.
-1.8.0-dev,true,organization,organization.name,keyword,extended,,,Organization name.
+1.8.0-dev,true,organization,organization.name,wildcard,extended,,,Organization name.
 1.8.0-dev,true,organization,organization.name.text,text,extended,,,Organization name.
 1.8.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture.
 1.8.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information
@@ -373,17 +373,17 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
 1.8.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
 1.8.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.8.0-dev,true,process,process.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.8.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
 1.8.0-dev,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
 1.8.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-1.8.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.8.0-dev,true,process,process.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable.
 1.8.0-dev,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
 1.8.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process.
 1.8.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash.
 1.8.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash.
 1.8.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash.
 1.8.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash.
-1.8.0-dev,true,process,process.name,keyword,extended,,ssh,Process name.
+1.8.0-dev,true,process,process.name,wildcard,extended,,ssh,Process name.
 1.8.0-dev,true,process,process.name.text,text,extended,,ssh,Process name.
 1.8.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
 1.8.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
@@ -392,60 +392,60 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
 1.8.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
 1.8.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.8.0-dev,true,process,process.parent.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.8.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
 1.8.0-dev,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
 1.8.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-1.8.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.8.0-dev,true,process,process.parent.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable.
 1.8.0-dev,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
 1.8.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process.
 1.8.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash.
 1.8.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash.
 1.8.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash.
 1.8.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash.
-1.8.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name.
+1.8.0-dev,true,process,process.parent.name,wildcard,extended,,ssh,Process name.
 1.8.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name.
 1.8.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
 1.8.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
 1.8.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
 1.8.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
 1.8.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.8.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.8.0-dev,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
 1.8.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
 1.8.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
 1.8.0-dev,true,process,process.parent.pid,long,core,,4242,Process id.
 1.8.0-dev,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid.
 1.8.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
 1.8.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID.
-1.8.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name.
-1.8.0-dev,true,process,process.parent.title,keyword,extended,,,Process title.
+1.8.0-dev,true,process,process.parent.thread.name,wildcard,extended,,thread-0,Thread name.
+1.8.0-dev,true,process,process.parent.title,wildcard,extended,,,Process title.
 1.8.0-dev,true,process,process.parent.title.text,text,extended,,,Process title.
 1.8.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up.
-1.8.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process.
+1.8.0-dev,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process.
 1.8.0-dev,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process.
 1.8.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
 1.8.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
 1.8.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
 1.8.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
 1.8.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.8.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.8.0-dev,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
 1.8.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
 1.8.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
 1.8.0-dev,true,process,process.pid,long,core,,4242,Process id.
 1.8.0-dev,true,process,process.ppid,long,extended,,4241,Parent process' pid.
 1.8.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
 1.8.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID.
-1.8.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name.
-1.8.0-dev,true,process,process.title,keyword,extended,,,Process title.
+1.8.0-dev,true,process,process.thread.name,wildcard,extended,,thread-0,Thread name.
+1.8.0-dev,true,process,process.title,wildcard,extended,,,Process title.
 1.8.0-dev,true,process,process.title.text,text,extended,,,Process title.
 1.8.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up.
-1.8.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process.
+1.8.0-dev,true,process,process.working_directory,wildcard,extended,,/home/alice,The working directory of the process.
 1.8.0-dev,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process.
 1.8.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
-1.8.0-dev,true,registry,registry.data.strings,keyword,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
+1.8.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
 1.8.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
 1.8.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
-1.8.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
-1.8.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
+1.8.0-dev,true,registry,registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
+1.8.0-dev,true,registry,registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
 1.8.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written.
 1.8.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event.
 1.8.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event.
@@ -463,16 +463,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version
 1.8.0-dev,true,server,server.address,keyword,extended,,,Server network address.
 1.8.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.8.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name.
+1.8.0-dev,true,server,server.as.organization.name,wildcard,extended,,Google LLC,Organization name.
 1.8.0-dev,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name.
 1.8.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client.
-1.8.0-dev,true,server,server.domain,keyword,core,,,Server domain.
+1.8.0-dev,true,server,server.domain,wildcard,core,,,Server domain.
 1.8.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name.
 1.8.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent.
 1.8.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code.
 1.8.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name.
 1.8.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.8.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+1.8.0-dev,true,server,server.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
 1.8.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
 1.8.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name.
 1.8.0-dev,true,server,server.ip,ip,core,,,IP address of the server.
@@ -481,19 +481,19 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port
 1.8.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client.
 1.8.0-dev,true,server,server.port,long,core,,,Port of the server.
-1.8.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain."
+1.8.0-dev,true,server,server.registered_domain,wildcard,extended,,example.com,"The highest registered server domain, stripped of the subdomain."
 1.8.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain.
 1.8.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
 1.8.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev,true,server,server.user.email,keyword,extended,,,User email address.
-1.8.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,server,server.user.email,wildcard,extended,,,User email address.
+1.8.0-dev,true,server,server.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
 1.8.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 1.8.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group.
 1.8.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 1.8.0-dev,true,server,server.user.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,server,server.user.name,keyword,core,,albert,Short name or login of the user.
+1.8.0-dev,true,server,server.user.name,wildcard,core,,albert,Short name or login of the user.
 1.8.0-dev,true,server,server.user.name.text,text,core,,albert,Short name or login of the user.
 1.8.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.8.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
@@ -505,16 +505,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service.
 1.8.0-dev,true,source,source.address,keyword,extended,,,Source network address.
 1.8.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.8.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name.
+1.8.0-dev,true,source,source.as.organization.name,wildcard,extended,,Google LLC,Organization name.
 1.8.0-dev,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name.
 1.8.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination.
-1.8.0-dev,true,source,source.domain,keyword,core,,,Source domain.
+1.8.0-dev,true,source,source.domain,wildcard,core,,,Source domain.
 1.8.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name.
 1.8.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent.
 1.8.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code.
 1.8.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name.
 1.8.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.8.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+1.8.0-dev,true,source,source.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
 1.8.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
 1.8.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name.
 1.8.0-dev,true,source,source.ip,ip,core,,,IP address of the source.
@@ -523,19 +523,19 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port
 1.8.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination.
 1.8.0-dev,true,source,source.port,long,core,,,Port of the source.
-1.8.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain."
+1.8.0-dev,true,source,source.registered_domain,wildcard,extended,,example.com,"The highest registered source domain, stripped of the subdomain."
 1.8.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain.
 1.8.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
 1.8.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev,true,source,source.user.email,keyword,extended,,,User email address.
-1.8.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,source,source.user.email,wildcard,extended,,,User email address.
+1.8.0-dev,true,source,source.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
 1.8.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 1.8.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group.
 1.8.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 1.8.0-dev,true,source,source.user.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,source,source.user.name,keyword,core,,albert,Short name or login of the user.
+1.8.0-dev,true,source,source.user.name,wildcard,core,,albert,Short name or login of the user.
 1.8.0-dev,true,source,source.user.name.text,text,core,,albert,Short name or login of the user.
 1.8.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.8.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace.
@@ -557,17 +557,17 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client.
 1.8.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client.
 1.8.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client.
-1.8.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
+1.8.0-dev,true,tls,tls.client.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
 1.8.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake.
 1.8.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid.
 1.8.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid.
 1.8.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI.
-1.8.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client.
+1.8.0-dev,true,tls,tls.client.subject,wildcard,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client.
 1.8.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello.
 1.8.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
 1.8.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
 1.8.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-1.8.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.8.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
 1.8.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
 1.8.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
 1.8.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
@@ -582,7 +582,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
 1.8.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
 1.8.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code
-1.8.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.8.0-dev,true,tls,tls.client.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
 1.8.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
 1.8.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
 1.8.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
@@ -597,15 +597,15 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server.
 1.8.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server.
 1.8.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server.
-1.8.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server.
+1.8.0-dev,true,tls,tls.server.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server.
 1.8.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake.
 1.8.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid.
 1.8.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid.
-1.8.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server.
+1.8.0-dev,true,tls,tls.server.subject,wildcard,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server.
 1.8.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
 1.8.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
 1.8.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-1.8.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.8.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
 1.8.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
 1.8.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
 1.8.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
@@ -620,7 +620,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
 1.8.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
 1.8.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code
-1.8.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.8.0-dev,true,tls,tls.server.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
 1.8.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
 1.8.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
 1.8.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
@@ -630,79 +630,79 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string.
 1.8.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace.
 1.8.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace.
-1.8.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url.
+1.8.0-dev,true,url,url.domain,wildcard,extended,,www.elastic.co,Domain of the url.
 1.8.0-dev,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
 1.8.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`.
-1.8.0-dev,true,url,url.full,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+1.8.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
 1.8.0-dev,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-1.8.0-dev,true,url,url.original,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+1.8.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
 1.8.0-dev,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
 1.8.0-dev,true,url,url.password,keyword,extended,,,Password of the request.
-1.8.0-dev,true,url,url.path,keyword,extended,,,"Path of the request, such as ""/search""."
+1.8.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
 1.8.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443."
 1.8.0-dev,true,url,url.query,keyword,extended,,,Query string of the request.
-1.8.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
+1.8.0-dev,true,url,url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
 1.8.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url.
 1.8.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain.
 1.8.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
 1.8.0-dev,true,url,url.username,keyword,extended,,,Username of the request.
 1.8.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev,true,user,user.changes.email,keyword,extended,,,User email address.
-1.8.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,user,user.changes.email,wildcard,extended,,,User email address.
+1.8.0-dev,true,user,user.changes.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of.
 1.8.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 1.8.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group.
 1.8.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 1.8.0-dev,true,user,user.changes.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,user,user.changes.name,keyword,core,,albert,Short name or login of the user.
+1.8.0-dev,true,user,user.changes.name,wildcard,core,,albert,Short name or login of the user.
 1.8.0-dev,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user.
 1.8.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.8.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of.
 1.8.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev,true,user,user.effective.email,keyword,extended,,,User email address.
-1.8.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,user,user.effective.email,wildcard,extended,,,User email address.
+1.8.0-dev,true,user,user.effective.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of.
 1.8.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 1.8.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group.
 1.8.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 1.8.0-dev,true,user,user.effective.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,user,user.effective.name,keyword,core,,albert,Short name or login of the user.
+1.8.0-dev,true,user,user.effective.name,wildcard,core,,albert,Short name or login of the user.
 1.8.0-dev,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user.
 1.8.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.8.0-dev,true,user,user.email,keyword,extended,,,User email address.
-1.8.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,user,user.email,wildcard,extended,,,User email address.
+1.8.0-dev,true,user,user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
 1.8.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 1.8.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group.
 1.8.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 1.8.0-dev,true,user,user.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,user,user.name,keyword,core,,albert,Short name or login of the user.
+1.8.0-dev,true,user,user.name,wildcard,core,,albert,Short name or login of the user.
 1.8.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user.
 1.8.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.8.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev,true,user,user.target.email,keyword,extended,,,User email address.
-1.8.0-dev,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,user,user.target.email,wildcard,extended,,,User email address.
+1.8.0-dev,true,user,user.target.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of.
 1.8.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 1.8.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group.
 1.8.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 1.8.0-dev,true,user,user.target.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,user,user.target.name,keyword,core,,albert,Short name or login of the user.
+1.8.0-dev,true,user,user.target.name,wildcard,core,,albert,Short name or login of the user.
 1.8.0-dev,true,user,user.target.name.text,text,core,,albert,Short name or login of the user.
 1.8.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.8.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device.
 1.8.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
-1.8.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
+1.8.0-dev,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
 1.8.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
 1.8.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.8.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.8.0-dev,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
 1.8.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
 1.8.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.8.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
+1.8.0-dev,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
 1.8.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
 1.8.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
 1.8.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index 90d2496342..0c6e8374cf 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -18,6 +18,8 @@
   short: Date/time when the event originated.
   type: date
 agent.build.original:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: agent-build-original
   description: 'Extended build information for the agent.
 
@@ -26,12 +28,11 @@ agent.build.original:
   example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c
     built 2020-02-05 23:10:10 +0000 UTC]
   flat_name: agent.build.original
-  ignore_above: 1024
   level: core
   name: build.original
   normalize: []
   short: Extended build information for the agent.
-  type: keyword
+  type: wildcard
 agent.ephemeral_id:
   dashed_name: agent-ephemeral-id
   description: 'Ephemeral identifier of this agent (if one exists).
@@ -129,11 +130,12 @@ client.as.number:
   short: Unique number allocated to the autonomous system.
   type: long
 client.as.organization.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: client-as-organization-name
   description: Organization name.
   example: Google LLC
   flat_name: client.as.organization.name
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: client.as.organization.name.text
@@ -144,7 +146,7 @@ client.as.organization.name:
   normalize: []
   original_fieldset: as
   short: Organization name.
-  type: keyword
+  type: wildcard
 client.bytes:
   dashed_name: client-bytes
   description: Bytes sent from the client to the server.
@@ -157,15 +159,16 @@ client.bytes:
   short: Bytes sent from the client to the server.
   type: long
 client.domain:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: client-domain
   description: Client domain.
   flat_name: client.domain
-  ignore_above: 1024
   level: core
   name: domain
   normalize: []
   short: Client domain.
-  type: keyword
+  type: wildcard
 client.geo.city_name:
   dashed_name: client-geo-city-name
   description: City name.
@@ -226,6 +229,8 @@ client.geo.location:
   short: Longitude and latitude.
   type: geo_point
 client.geo.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: client-geo-name
   description: 'User-defined description of a location, at the level of granularity
     they care about.
@@ -236,13 +241,12 @@ client.geo.name:
     Not typically used in automated geolocation.'
   example: boston-dc
   flat_name: client.geo.name
-  ignore_above: 1024
   level: extended
   name: name
   normalize: []
   original_fieldset: geo
   short: User-defined description of a location.
-  type: keyword
+  type: wildcard
 client.geo.region_iso_code:
   dashed_name: client-geo-region-iso-code
   description: Region ISO code.
@@ -332,6 +336,8 @@ client.port:
   short: Port of the client.
   type: long
 client.registered_domain:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: client-registered-domain
   description: 'The highest registered client domain, stripped of the subdomain.
 
@@ -342,12 +348,11 @@ client.registered_domain:
     two labels will not work well for TLDs such as "co.uk".'
   example: example.com
   flat_name: client.registered_domain
-  ignore_above: 1024
   level: extended
   name: registered_domain
   normalize: []
   short: The highest registered client domain, stripped of the subdomain.
-  type: keyword
+  type: wildcard
 client.subdomain:
   dashed_name: client-subdomain
   description: 'The subdomain portion of a fully qualified domain name includes all
@@ -397,22 +402,24 @@ client.user.domain:
   short: Name of the directory the user is a member of.
   type: keyword
 client.user.email:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: client-user-email
   description: User email address.
   flat_name: client.user.email
-  ignore_above: 1024
   level: extended
   name: email
   normalize: []
   original_fieldset: user
   short: User email address.
-  type: keyword
+  type: wildcard
 client.user.full_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: client-user-full-name
   description: User's full name, if available.
   example: Albert Einstein
   flat_name: client.user.full_name
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: client.user.full_name.text
@@ -423,7 +430,7 @@ client.user.full_name:
   normalize: []
   original_fieldset: user
   short: User's full name, if available.
-  type: keyword
+  type: wildcard
 client.user.group.domain:
   dashed_name: client-user-group-domain
   description: 'Name of the directory the group is a member of.
@@ -486,11 +493,12 @@ client.user.id:
   short: Unique identifier of the user.
   type: keyword
 client.user.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: client-user-name
   description: Short name or login of the user.
   example: albert
   flat_name: client.user.name
-  ignore_above: 1024
   level: core
   multi_fields:
   - flat_name: client.user.name.text
@@ -501,7 +509,7 @@ client.user.name:
   normalize: []
   original_fieldset: user
   short: Short name or login of the user.
-  type: keyword
+  type: wildcard
 client.user.roles:
   dashed_name: client-user-roles
   description: Array of user roles at the time of the event.
@@ -725,11 +733,12 @@ destination.as.number:
   short: Unique number allocated to the autonomous system.
   type: long
 destination.as.organization.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: destination-as-organization-name
   description: Organization name.
   example: Google LLC
   flat_name: destination.as.organization.name
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: destination.as.organization.name.text
@@ -740,7 +749,7 @@ destination.as.organization.name:
   normalize: []
   original_fieldset: as
   short: Organization name.
-  type: keyword
+  type: wildcard
 destination.bytes:
   dashed_name: destination-bytes
   description: Bytes sent from the destination to the source.
@@ -753,15 +762,16 @@ destination.bytes:
   short: Bytes sent from the destination to the source.
   type: long
 destination.domain:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: destination-domain
   description: Destination domain.
   flat_name: destination.domain
-  ignore_above: 1024
   level: core
   name: domain
   normalize: []
   short: Destination domain.
-  type: keyword
+  type: wildcard
 destination.geo.city_name:
   dashed_name: destination-geo-city-name
   description: City name.
@@ -822,6 +832,8 @@ destination.geo.location:
   short: Longitude and latitude.
   type: geo_point
 destination.geo.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: destination-geo-name
   description: 'User-defined description of a location, at the level of granularity
     they care about.
@@ -832,13 +844,12 @@ destination.geo.name:
     Not typically used in automated geolocation.'
   example: boston-dc
   flat_name: destination.geo.name
-  ignore_above: 1024
   level: extended
   name: name
   normalize: []
   original_fieldset: geo
   short: User-defined description of a location.
-  type: keyword
+  type: wildcard
 destination.geo.region_iso_code:
   dashed_name: destination-geo-region-iso-code
   description: Region ISO code.
@@ -927,6 +938,8 @@ destination.port:
   short: Port of the destination.
   type: long
 destination.registered_domain:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: destination-registered-domain
   description: 'The highest registered destination domain, stripped of the subdomain.
 
@@ -937,12 +950,11 @@ destination.registered_domain:
     two labels will not work well for TLDs such as "co.uk".'
   example: example.com
   flat_name: destination.registered_domain
-  ignore_above: 1024
   level: extended
   name: registered_domain
   normalize: []
   short: The highest registered destination domain, stripped of the subdomain.
-  type: keyword
+  type: wildcard
 destination.subdomain:
   dashed_name: destination-subdomain
   description: 'The subdomain portion of a fully qualified domain name includes all
@@ -992,22 +1004,24 @@ destination.user.domain:
   short: Name of the directory the user is a member of.
   type: keyword
 destination.user.email:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: destination-user-email
   description: User email address.
   flat_name: destination.user.email
-  ignore_above: 1024
   level: extended
   name: email
   normalize: []
   original_fieldset: user
   short: User email address.
-  type: keyword
+  type: wildcard
 destination.user.full_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: destination-user-full-name
   description: User's full name, if available.
   example: Albert Einstein
   flat_name: destination.user.full_name
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: destination.user.full_name.text
@@ -1018,7 +1032,7 @@ destination.user.full_name:
   normalize: []
   original_fieldset: user
   short: User's full name, if available.
-  type: keyword
+  type: wildcard
 destination.user.group.domain:
   dashed_name: destination-user-group-domain
   description: 'Name of the directory the group is a member of.
@@ -1081,11 +1095,12 @@ destination.user.id:
   short: Unique identifier of the user.
   type: keyword
 destination.user.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: destination-user-name
   description: Short name or login of the user.
   example: albert
   flat_name: destination.user.name
-  ignore_above: 1024
   level: core
   multi_fields:
   - flat_name: destination.user.name.text
@@ -1096,7 +1111,7 @@ destination.user.name:
   normalize: []
   original_fieldset: user
   short: Short name or login of the user.
-  type: keyword
+  type: wildcard
 destination.user.roles:
   dashed_name: destination-user-roles
   description: Array of user roles at the time of the event.
@@ -1311,17 +1326,18 @@ dll.pe.imphash:
   short: A hash of the imports in a PE file.
   type: keyword
 dll.pe.original_file_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: dll-pe-original-file-name
   description: Internal name of the file, provided at compile-time.
   example: MSPAINT.EXE
   flat_name: dll.pe.original_file_name
-  ignore_above: 1024
   level: extended
   name: original_file_name
   normalize: []
   original_fieldset: pe
   short: Internal name of the file, provided at compile-time.
-  type: keyword
+  type: wildcard
 dll.pe.product:
   dashed_name: dll-pe-product
   description: Internal product name of the file, provided at compile-time.
@@ -1365,18 +1381,19 @@ dns.answers.class:
   short: The class of DNS data contained in this resource record.
   type: keyword
 dns.answers.data:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: dns-answers-data
   description: 'The data describing the resource.
 
     The meaning of this data depends on the type and class of the resource record.'
   example: 10.10.10.10
   flat_name: dns.answers.data
-  ignore_above: 1024
   level: extended
   name: answers.data
   normalize: []
   short: The data describing the resource.
-  type: keyword
+  type: wildcard
 dns.answers.name:
   dashed_name: dns-answers-name
   description: 'The domain name to which this resource record pertains.
@@ -1466,6 +1483,8 @@ dns.question.class:
   short: The class of records being queried.
   type: keyword
 dns.question.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: dns-question-name
   description: 'The name being queried.
 
@@ -1475,12 +1494,11 @@ dns.question.name:
     converted to \t, \r, and \n respectively.'
   example: www.example.com
   flat_name: dns.question.name
-  ignore_above: 1024
   level: extended
   name: question.name
   normalize: []
   short: The name being queried.
-  type: keyword
+  type: wildcard
 dns.question.registered_domain:
   dashed_name: dns-question-registered-domain
   description: 'The highest registered domain, stripped of the subdomain.
@@ -1633,12 +1651,11 @@ error.message:
   short: Error message.
   type: text
 error.stack_trace:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: error-stack-trace
   description: The stack trace of this error in plain text.
-  doc_values: false
   flat_name: error.stack_trace
-  ignore_above: 1024
-  index: false
   level: extended
   multi_fields:
   - flat_name: error.stack_trace.text
@@ -1648,18 +1665,19 @@ error.stack_trace:
   name: stack_trace
   normalize: []
   short: The stack trace of this error in plain text.
-  type: keyword
+  type: wildcard
 error.type:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: error-type
   description: The type of the error, for example the class name of the exception.
   example: java.lang.NullPointerException
   flat_name: error.type
-  ignore_above: 1024
   level: extended
   name: type
   normalize: []
   short: The type of the error, for example the class name of the exception.
-  type: keyword
+  type: wildcard
 event.action:
   dashed_name: event-action
   description: 'The action captured by the event.
@@ -2073,7 +2091,8 @@ event.original:
   description: 'Raw text message of entire event. Used to demonstrate log integrity.
 
     This field is not indexed and doc_values are disabled. It cannot be searched,
-    but it can be retrieved from `_source`.'
+    but it can be retrieved from `_source`. If users wish to override this and index
+    this field, consider using the wildcard data type.'
   doc_values: false
   example: Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124;
     worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232
@@ -2536,17 +2555,18 @@ file.device:
   short: Device that is the source of the file.
   type: keyword
 file.directory:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: file-directory
   description: Directory where the file is located. It should include the drive letter,
     when appropriate.
   example: /home/alice
   flat_name: file.directory
-  ignore_above: 1024
   level: extended
   name: directory
   normalize: []
   short: Directory where the file is located.
-  type: keyword
+  type: wildcard
 file.drive_letter:
   dashed_name: file-drive-letter
   description: 'Drive letter where the file is located. This field is only relevant
@@ -2708,12 +2728,13 @@ file.owner:
   short: File owner's username.
   type: keyword
 file.path:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: file-path
   description: Full path to the file, including the file name. It should include the
     drive letter, when appropriate.
   example: /home/alice/example.png
   flat_name: file.path
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: file.path.text
@@ -2723,7 +2744,7 @@ file.path:
   name: path
   normalize: []
   short: Full path to the file, including the file name.
-  type: keyword
+  type: wildcard
 file.pe.architecture:
   dashed_name: file-pe-architecture
   description: CPU architecture target for the file.
@@ -2789,17 +2810,18 @@ file.pe.imphash:
   short: A hash of the imports in a PE file.
   type: keyword
 file.pe.original_file_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: file-pe-original-file-name
   description: Internal name of the file, provided at compile-time.
   example: MSPAINT.EXE
   flat_name: file.pe.original_file_name
-  ignore_above: 1024
   level: extended
   name: original_file_name
   normalize: []
   original_fieldset: pe
   short: Internal name of the file, provided at compile-time.
-  type: keyword
+  type: wildcard
 file.pe.product:
   dashed_name: file-pe-product
   description: Internal product name of the file, provided at compile-time.
@@ -2825,10 +2847,11 @@ file.size:
   short: File size in bytes.
   type: long
 file.target_path:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: file-target-path
   description: Target path for symlinks.
   flat_name: file.target_path
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: file.target_path.text
@@ -2838,7 +2861,7 @@ file.target_path:
   name: target_path
   normalize: []
   short: Target path for symlinks.
-  type: keyword
+  type: wildcard
 file.type:
   dashed_name: file-type
   description: File type (file, dir, or symlink).
@@ -2903,18 +2926,19 @@ file.x509.issuer.country:
   short: List of country (C) codes
   type: keyword
 file.x509.issuer.distinguished_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: file-x509-issuer-distinguished-name
   description: Distinguished name (DN) of issuing certificate authority.
   example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
     Server CA
   flat_name: file.x509.issuer.distinguished_name
-  ignore_above: 1024
   level: extended
   name: issuer.distinguished_name
   normalize: []
   original_fieldset: x509
   short: Distinguished name (DN) of issuing certificate authority.
-  type: keyword
+  type: wildcard
 file.x509.issuer.locality:
   dashed_name: file-x509-issuer-locality
   description: List of locality names (L)
@@ -3093,17 +3117,18 @@ file.x509.subject.country:
   short: List of country (C) code
   type: keyword
 file.x509.subject.distinguished_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: file-x509-subject-distinguished-name
   description: Distinguished name (DN) of the certificate subject entity.
   example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
   flat_name: file.x509.subject.distinguished_name
-  ignore_above: 1024
   level: extended
   name: subject.distinguished_name
   normalize: []
   original_fieldset: x509
   short: Distinguished name (DN) of the certificate subject entity.
-  type: keyword
+  type: wildcard
 file.x509.subject.locality:
   dashed_name: file-x509-subject-locality
   description: List of locality names (L)
@@ -3284,6 +3309,8 @@ host.geo.location:
   short: Longitude and latitude.
   type: geo_point
 host.geo.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: host-geo-name
   description: 'User-defined description of a location, at the level of granularity
     they care about.
@@ -3294,13 +3321,12 @@ host.geo.name:
     Not typically used in automated geolocation.'
   example: boston-dc
   flat_name: host.geo.name
-  ignore_above: 1024
   level: extended
   name: name
   normalize: []
   original_fieldset: geo
   short: User-defined description of a location.
-  type: keyword
+  type: wildcard
 host.geo.region_iso_code:
   dashed_name: host-geo-region-iso-code
   description: Region ISO code.
@@ -3326,17 +3352,18 @@ host.geo.region_name:
   short: Region name.
   type: keyword
 host.hostname:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: host-hostname
   description: 'Hostname of the host.
 
     It normally contains what the `hostname` command returns on the host machine.'
   flat_name: host.hostname
-  ignore_above: 1024
   level: core
   name: hostname
   normalize: []
   short: Hostname of the host.
-  type: keyword
+  type: wildcard
 host.id:
   dashed_name: host-id
   description: 'Unique host id.
@@ -3398,11 +3425,12 @@ host.os.family:
   short: OS family (such as redhat, debian, freebsd, windows).
   type: keyword
 host.os.full:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: host-os-full
   description: Operating system name, including the version or code name.
   example: Mac OS Mojave
   flat_name: host.os.full
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: host.os.full.text
@@ -3413,7 +3441,7 @@ host.os.full:
   normalize: []
   original_fieldset: os
   short: Operating system name, including the version or code name.
-  type: keyword
+  type: wildcard
 host.os.kernel:
   dashed_name: host-os-kernel
   description: Operating system kernel version as a raw string.
@@ -3427,11 +3455,12 @@ host.os.kernel:
   short: Operating system kernel version as a raw string.
   type: keyword
 host.os.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: host-os-name
   description: Operating system name, without the version.
   example: Mac OS X
   flat_name: host.os.name
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: host.os.name.text
@@ -3442,7 +3471,7 @@ host.os.name:
   normalize: []
   original_fieldset: os
   short: Operating system name, without the version.
-  type: keyword
+  type: wildcard
 host.os.platform:
   dashed_name: host-os-platform
   description: Operating system platform (such centos, ubuntu, windows).
@@ -3523,22 +3552,24 @@ host.user.domain:
   short: Name of the directory the user is a member of.
   type: keyword
 host.user.email:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: host-user-email
   description: User email address.
   flat_name: host.user.email
-  ignore_above: 1024
   level: extended
   name: email
   normalize: []
   original_fieldset: user
   short: User email address.
-  type: keyword
+  type: wildcard
 host.user.full_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: host-user-full-name
   description: User's full name, if available.
   example: Albert Einstein
   flat_name: host.user.full_name
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: host.user.full_name.text
@@ -3549,7 +3580,7 @@ host.user.full_name:
   normalize: []
   original_fieldset: user
   short: User's full name, if available.
-  type: keyword
+  type: wildcard
 host.user.group.domain:
   dashed_name: host-user-group-domain
   description: 'Name of the directory the group is a member of.
@@ -3612,11 +3643,12 @@ host.user.id:
   short: Unique identifier of the user.
   type: keyword
 host.user.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: host-user-name
   description: Short name or login of the user.
   example: albert
   flat_name: host.user.name
-  ignore_above: 1024
   level: core
   multi_fields:
   - flat_name: host.user.name.text
@@ -3627,7 +3659,7 @@ host.user.name:
   normalize: []
   original_fieldset: user
   short: Short name or login of the user.
-  type: keyword
+  type: wildcard
 host.user.roles:
   dashed_name: host-user-roles
   description: Array of user roles at the time of the event.
@@ -3653,11 +3685,12 @@ http.request.body.bytes:
   short: Size in bytes of the request body.
   type: long
 http.request.body.content:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: http-request-body-content
   description: The full HTTP request body.
   example: Hello world
   flat_name: http.request.body.content
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: http.request.body.content.text
@@ -3667,7 +3700,7 @@ http.request.body.content:
   name: request.body.content
   normalize: []
   short: The full HTTP request body.
-  type: keyword
+  type: wildcard
 http.request.bytes:
   dashed_name: http-request-bytes
   description: Total size in bytes of the request (body and headers).
@@ -3713,16 +3746,17 @@ http.request.mime_type:
   short: Mime type of the body of the request.
   type: keyword
 http.request.referrer:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: http-request-referrer
   description: Referrer for this HTTP request.
   example: https://blog.example.com/
   flat_name: http.request.referrer
-  ignore_above: 1024
   level: extended
   name: request.referrer
   normalize: []
   short: Referrer for this HTTP request.
-  type: keyword
+  type: wildcard
 http.response.body.bytes:
   dashed_name: http-response-body-bytes
   description: Size in bytes of the response body.
@@ -3735,11 +3769,12 @@ http.response.body.bytes:
   short: Size in bytes of the response body.
   type: long
 http.response.body.content:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: http-response-body-content
   description: The full HTTP response body.
   example: Hello world
   flat_name: http.response.body.content
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: http.response.body.content.text
@@ -3749,7 +3784,7 @@ http.response.body.content:
   name: response.body.content
   normalize: []
   short: The full HTTP response body.
-  type: keyword
+  type: wildcard
 http.response.bytes:
   dashed_name: http-response-bytes
   description: Total size in bytes of the response (body and headers).
@@ -3815,6 +3850,8 @@ labels:
   short: Custom key/value pairs.
   type: object
 log.file.path:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: log-file-path
   description: 'Full path to the log file this event came from, including the file
     name. It should include the drive letter, when appropriate.
@@ -3822,12 +3859,11 @@ log.file.path:
     If the event wasn''t read from a log file, do not populate this field.'
   example: /var/log/fun-times.log
   flat_name: log.file.path
-  ignore_above: 1024
   level: extended
   name: file.path
   normalize: []
   short: Full path to the log file this event came from.
-  type: keyword
+  type: wildcard
 log.level:
   dashed_name: log-level
   description: 'Original log level of the log event.
@@ -3846,17 +3882,18 @@ log.level:
   short: Log level of the log event.
   type: keyword
 log.logger:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: log-logger
   description: The name of the logger inside an application. This is usually the name
     of the class which initialized the logger, or can be a custom name.
   example: org.elasticsearch.bootstrap.Bootstrap
   flat_name: log.logger
-  ignore_above: 1024
   level: core
   name: logger
   normalize: []
   short: Name of the logger.
-  type: keyword
+  type: wildcard
 log.origin.file.line:
   dashed_name: log-origin-file-line
   description: The line number of the file containing the source code which originated
@@ -4377,6 +4414,8 @@ observer.geo.location:
   short: Longitude and latitude.
   type: geo_point
 observer.geo.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: observer-geo-name
   description: 'User-defined description of a location, at the level of granularity
     they care about.
@@ -4387,13 +4426,12 @@ observer.geo.name:
     Not typically used in automated geolocation.'
   example: boston-dc
   flat_name: observer.geo.name
-  ignore_above: 1024
   level: extended
   name: name
   normalize: []
   original_fieldset: geo
   short: User-defined description of a location.
-  type: keyword
+  type: wildcard
 observer.geo.region_iso_code:
   dashed_name: observer-geo-region-iso-code
   description: Region ISO code.
@@ -4564,11 +4602,12 @@ observer.os.family:
   short: OS family (such as redhat, debian, freebsd, windows).
   type: keyword
 observer.os.full:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: observer-os-full
   description: Operating system name, including the version or code name.
   example: Mac OS Mojave
   flat_name: observer.os.full
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: observer.os.full.text
@@ -4579,7 +4618,7 @@ observer.os.full:
   normalize: []
   original_fieldset: os
   short: Operating system name, including the version or code name.
-  type: keyword
+  type: wildcard
 observer.os.kernel:
   dashed_name: observer-os-kernel
   description: Operating system kernel version as a raw string.
@@ -4593,11 +4632,12 @@ observer.os.kernel:
   short: Operating system kernel version as a raw string.
   type: keyword
 observer.os.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: observer-os-name
   description: Operating system name, without the version.
   example: Mac OS X
   flat_name: observer.os.name
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: observer.os.name.text
@@ -4608,7 +4648,7 @@ observer.os.name:
   normalize: []
   original_fieldset: os
   short: Operating system name, without the version.
-  type: keyword
+  type: wildcard
 observer.os.platform:
   dashed_name: observer-os-platform
   description: Operating system platform (such centos, ubuntu, windows).
@@ -4719,10 +4759,11 @@ organization.id:
   short: Unique identifier for the organization.
   type: keyword
 organization.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: organization-name
   description: Organization name.
   flat_name: organization.name
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: organization.name.text
@@ -4732,7 +4773,7 @@ organization.name:
   name: name
   normalize: []
   short: Organization name.
-  type: keyword
+  type: wildcard
 package.architecture:
   dashed_name: package-architecture
   description: Package architecture.
@@ -4980,6 +5021,8 @@ process.code_signature.valid:
     content.
   type: boolean
 process.command_line:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: process-command-line
   description: 'Full command line that started the process, including the absolute
     path to the executable, and all arguments.
@@ -4987,7 +5030,6 @@ process.command_line:
     Some arguments may be filtered to protect sensitive information.'
   example: /usr/bin/ssh -l user 10.0.0.16
   flat_name: process.command_line
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: process.command_line.text
@@ -4997,7 +5039,7 @@ process.command_line:
   name: command_line
   normalize: []
   short: Full command line that started the process.
-  type: keyword
+  type: wildcard
 process.entity_id:
   dashed_name: process-entity-id
   description: 'Unique identifier for the process.
@@ -5018,11 +5060,12 @@ process.entity_id:
   short: Unique identifier for the process.
   type: keyword
 process.executable:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: process-executable
   description: Absolute path to the process executable.
   example: /usr/bin/ssh
   flat_name: process.executable
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: process.executable.text
@@ -5032,7 +5075,7 @@ process.executable:
   name: executable
   normalize: []
   short: Absolute path to the process executable.
-  type: keyword
+  type: wildcard
 process.exit_code:
   dashed_name: process-exit-code
   description: 'The exit code of the process, if this is a termination event.
@@ -5091,13 +5134,14 @@ process.hash.sha512:
   short: SHA512 hash.
   type: keyword
 process.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: process-name
   description: 'Process name.
 
     Sometimes called program name or similar.'
   example: ssh
   flat_name: process.name
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: process.name.text
@@ -5107,7 +5151,7 @@ process.name:
   name: name
   normalize: []
   short: Process name.
-  type: keyword
+  type: wildcard
 process.parent.args:
   dashed_name: process-parent-args
   description: 'Array of process arguments, starting with the absolute path to the
@@ -5208,6 +5252,8 @@ process.parent.code_signature.valid:
     content.
   type: boolean
 process.parent.command_line:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: process-parent-command-line
   description: 'Full command line that started the process, including the absolute
     path to the executable, and all arguments.
@@ -5215,7 +5261,6 @@ process.parent.command_line:
     Some arguments may be filtered to protect sensitive information.'
   example: /usr/bin/ssh -l user 10.0.0.16
   flat_name: process.parent.command_line
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: process.parent.command_line.text
@@ -5226,7 +5271,7 @@ process.parent.command_line:
   normalize: []
   original_fieldset: process
   short: Full command line that started the process.
-  type: keyword
+  type: wildcard
 process.parent.entity_id:
   dashed_name: process-parent-entity-id
   description: 'Unique identifier for the process.
@@ -5248,11 +5293,12 @@ process.parent.entity_id:
   short: Unique identifier for the process.
   type: keyword
 process.parent.executable:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: process-parent-executable
   description: Absolute path to the process executable.
   example: /usr/bin/ssh
   flat_name: process.parent.executable
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: process.parent.executable.text
@@ -5263,7 +5309,7 @@ process.parent.executable:
   normalize: []
   original_fieldset: process
   short: Absolute path to the process executable.
-  type: keyword
+  type: wildcard
 process.parent.exit_code:
   dashed_name: process-parent-exit-code
   description: 'The exit code of the process, if this is a termination event.
@@ -5323,13 +5369,14 @@ process.parent.hash.sha512:
   short: SHA512 hash.
   type: keyword
 process.parent.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: process-parent-name
   description: 'Process name.
 
     Sometimes called program name or similar.'
   example: ssh
   flat_name: process.parent.name
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: process.parent.name.text
@@ -5340,7 +5387,7 @@ process.parent.name:
   normalize: []
   original_fieldset: process
   short: Process name.
-  type: keyword
+  type: wildcard
 process.parent.pe.architecture:
   dashed_name: process-parent-pe-architecture
   description: CPU architecture target for the file.
@@ -5406,17 +5453,18 @@ process.parent.pe.imphash:
   short: A hash of the imports in a PE file.
   type: keyword
 process.parent.pe.original_file_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: process-parent-pe-original-file-name
   description: Internal name of the file, provided at compile-time.
   example: MSPAINT.EXE
   flat_name: process.parent.pe.original_file_name
-  ignore_above: 1024
   level: extended
   name: original_file_name
   normalize: []
   original_fieldset: pe
   short: Internal name of the file, provided at compile-time.
-  type: keyword
+  type: wildcard
 process.parent.pe.product:
   dashed_name: process-parent-pe-product
   description: Internal product name of the file, provided at compile-time.
@@ -5488,25 +5536,27 @@ process.parent.thread.id:
   short: Thread ID.
   type: long
 process.parent.thread.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: process-parent-thread-name
   description: Thread name.
   example: thread-0
   flat_name: process.parent.thread.name
-  ignore_above: 1024
   level: extended
   name: thread.name
   normalize: []
   original_fieldset: process
   short: Thread name.
-  type: keyword
+  type: wildcard
 process.parent.title:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: process-parent-title
   description: 'Process title.
 
     The proctitle, some times the same as process name. Can also be different: for
     example a browser setting its title to the web page currently opened.'
   flat_name: process.parent.title
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: process.parent.title.text
@@ -5517,7 +5567,7 @@ process.parent.title:
   normalize: []
   original_fieldset: process
   short: Process title.
-  type: keyword
+  type: wildcard
 process.parent.uptime:
   dashed_name: process-parent-uptime
   description: Seconds the process has been up.
@@ -5530,11 +5580,12 @@ process.parent.uptime:
   short: Seconds the process has been up.
   type: long
 process.parent.working_directory:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: process-parent-working-directory
   description: The working directory of the process.
   example: /home/alice
   flat_name: process.parent.working_directory
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: process.parent.working_directory.text
@@ -5545,7 +5596,7 @@ process.parent.working_directory:
   normalize: []
   original_fieldset: process
   short: The working directory of the process.
-  type: keyword
+  type: wildcard
 process.pe.architecture:
   dashed_name: process-pe-architecture
   description: CPU architecture target for the file.
@@ -5611,17 +5662,18 @@ process.pe.imphash:
   short: A hash of the imports in a PE file.
   type: keyword
 process.pe.original_file_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: process-pe-original-file-name
   description: Internal name of the file, provided at compile-time.
   example: MSPAINT.EXE
   flat_name: process.pe.original_file_name
-  ignore_above: 1024
   level: extended
   name: original_file_name
   normalize: []
   original_fieldset: pe
   short: Internal name of the file, provided at compile-time.
-  type: keyword
+  type: wildcard
 process.pe.product:
   dashed_name: process-pe-product
   description: Internal product name of the file, provided at compile-time.
@@ -5688,24 +5740,26 @@ process.thread.id:
   short: Thread ID.
   type: long
 process.thread.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: process-thread-name
   description: Thread name.
   example: thread-0
   flat_name: process.thread.name
-  ignore_above: 1024
   level: extended
   name: thread.name
   normalize: []
   short: Thread name.
-  type: keyword
+  type: wildcard
 process.title:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: process-title
   description: 'Process title.
 
     The proctitle, some times the same as process name. Can also be different: for
     example a browser setting its title to the web page currently opened.'
   flat_name: process.title
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: process.title.text
@@ -5715,7 +5769,7 @@ process.title:
   name: title
   normalize: []
   short: Process title.
-  type: keyword
+  type: wildcard
 process.uptime:
   dashed_name: process-uptime
   description: Seconds the process has been up.
@@ -5727,11 +5781,12 @@ process.uptime:
   short: Seconds the process has been up.
   type: long
 process.working_directory:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: process-working-directory
   description: The working directory of the process.
   example: /home/alice
   flat_name: process.working_directory
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: process.working_directory.text
@@ -5741,7 +5796,7 @@ process.working_directory:
   name: working_directory
   normalize: []
   short: The working directory of the process.
-  type: keyword
+  type: wildcard
 registry.data.bytes:
   dashed_name: registry-data-bytes
   description: 'Original bytes written with base64 encoding.
@@ -5758,6 +5813,8 @@ registry.data.bytes:
   short: Original bytes written with base64 encoding.
   type: keyword
 registry.data.strings:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: registry-data-strings
   description: 'Content when writing string types.
 
@@ -5768,13 +5825,12 @@ registry.data.strings:
     the decimal representation (e.g `"1"`).'
   example: '["C:\rta\red_ttp\bin\myapp.exe"]'
   flat_name: registry.data.strings
-  ignore_above: 1024
   level: core
   name: data.strings
   normalize:
   - array
   short: List of strings representing what was written to the registry.
-  type: keyword
+  type: wildcard
 registry.data.type:
   dashed_name: registry-data-type
   description: Standard registry type for encoding contents
@@ -5798,28 +5854,30 @@ registry.hive:
   short: Abbreviated name for the hive.
   type: keyword
 registry.key:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: registry-key
   description: Hive-relative path of keys.
   example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
   flat_name: registry.key
-  ignore_above: 1024
   level: core
   name: key
   normalize: []
   short: Hive-relative path of keys.
-  type: keyword
+  type: wildcard
 registry.path:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: registry-path
   description: Full path, including hive, key and value
   example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
     Options\winword.exe\Debugger
   flat_name: registry.path
-  ignore_above: 1024
   level: core
   name: path
   normalize: []
   short: Full path, including hive, key and value
-  type: keyword
+  type: wildcard
 registry.value:
   dashed_name: registry-value
   description: Name of the value written.
@@ -6027,11 +6085,12 @@ server.as.number:
   short: Unique number allocated to the autonomous system.
   type: long
 server.as.organization.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: server-as-organization-name
   description: Organization name.
   example: Google LLC
   flat_name: server.as.organization.name
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: server.as.organization.name.text
@@ -6042,7 +6101,7 @@ server.as.organization.name:
   normalize: []
   original_fieldset: as
   short: Organization name.
-  type: keyword
+  type: wildcard
 server.bytes:
   dashed_name: server-bytes
   description: Bytes sent from the server to the client.
@@ -6055,15 +6114,16 @@ server.bytes:
   short: Bytes sent from the server to the client.
   type: long
 server.domain:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: server-domain
   description: Server domain.
   flat_name: server.domain
-  ignore_above: 1024
   level: core
   name: domain
   normalize: []
   short: Server domain.
-  type: keyword
+  type: wildcard
 server.geo.city_name:
   dashed_name: server-geo-city-name
   description: City name.
@@ -6124,6 +6184,8 @@ server.geo.location:
   short: Longitude and latitude.
   type: geo_point
 server.geo.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: server-geo-name
   description: 'User-defined description of a location, at the level of granularity
     they care about.
@@ -6134,13 +6196,12 @@ server.geo.name:
     Not typically used in automated geolocation.'
   example: boston-dc
   flat_name: server.geo.name
-  ignore_above: 1024
   level: extended
   name: name
   normalize: []
   original_fieldset: geo
   short: User-defined description of a location.
-  type: keyword
+  type: wildcard
 server.geo.region_iso_code:
   dashed_name: server-geo-region-iso-code
   description: Region ISO code.
@@ -6230,6 +6291,8 @@ server.port:
   short: Port of the server.
   type: long
 server.registered_domain:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: server-registered-domain
   description: 'The highest registered server domain, stripped of the subdomain.
 
@@ -6240,12 +6303,11 @@ server.registered_domain:
     two labels will not work well for TLDs such as "co.uk".'
   example: example.com
   flat_name: server.registered_domain
-  ignore_above: 1024
   level: extended
   name: registered_domain
   normalize: []
   short: The highest registered server domain, stripped of the subdomain.
-  type: keyword
+  type: wildcard
 server.subdomain:
   dashed_name: server-subdomain
   description: 'The subdomain portion of a fully qualified domain name includes all
@@ -6295,22 +6357,24 @@ server.user.domain:
   short: Name of the directory the user is a member of.
   type: keyword
 server.user.email:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: server-user-email
   description: User email address.
   flat_name: server.user.email
-  ignore_above: 1024
   level: extended
   name: email
   normalize: []
   original_fieldset: user
   short: User email address.
-  type: keyword
+  type: wildcard
 server.user.full_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: server-user-full-name
   description: User's full name, if available.
   example: Albert Einstein
   flat_name: server.user.full_name
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: server.user.full_name.text
@@ -6321,7 +6385,7 @@ server.user.full_name:
   normalize: []
   original_fieldset: user
   short: User's full name, if available.
-  type: keyword
+  type: wildcard
 server.user.group.domain:
   dashed_name: server-user-group-domain
   description: 'Name of the directory the group is a member of.
@@ -6384,11 +6448,12 @@ server.user.id:
   short: Unique identifier of the user.
   type: keyword
 server.user.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: server-user-name
   description: Short name or login of the user.
   example: albert
   flat_name: server.user.name
-  ignore_above: 1024
   level: core
   multi_fields:
   - flat_name: server.user.name.text
@@ -6399,7 +6464,7 @@ server.user.name:
   normalize: []
   original_fieldset: user
   short: Short name or login of the user.
-  type: keyword
+  type: wildcard
 server.user.roles:
   dashed_name: server-user-roles
   description: Array of user roles at the time of the event.
@@ -6553,11 +6618,12 @@ source.as.number:
   short: Unique number allocated to the autonomous system.
   type: long
 source.as.organization.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: source-as-organization-name
   description: Organization name.
   example: Google LLC
   flat_name: source.as.organization.name
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: source.as.organization.name.text
@@ -6568,7 +6634,7 @@ source.as.organization.name:
   normalize: []
   original_fieldset: as
   short: Organization name.
-  type: keyword
+  type: wildcard
 source.bytes:
   dashed_name: source-bytes
   description: Bytes sent from the source to the destination.
@@ -6581,15 +6647,16 @@ source.bytes:
   short: Bytes sent from the source to the destination.
   type: long
 source.domain:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: source-domain
   description: Source domain.
   flat_name: source.domain
-  ignore_above: 1024
   level: core
   name: domain
   normalize: []
   short: Source domain.
-  type: keyword
+  type: wildcard
 source.geo.city_name:
   dashed_name: source-geo-city-name
   description: City name.
@@ -6650,6 +6717,8 @@ source.geo.location:
   short: Longitude and latitude.
   type: geo_point
 source.geo.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: source-geo-name
   description: 'User-defined description of a location, at the level of granularity
     they care about.
@@ -6660,13 +6729,12 @@ source.geo.name:
     Not typically used in automated geolocation.'
   example: boston-dc
   flat_name: source.geo.name
-  ignore_above: 1024
   level: extended
   name: name
   normalize: []
   original_fieldset: geo
   short: User-defined description of a location.
-  type: keyword
+  type: wildcard
 source.geo.region_iso_code:
   dashed_name: source-geo-region-iso-code
   description: Region ISO code.
@@ -6756,6 +6824,8 @@ source.port:
   short: Port of the source.
   type: long
 source.registered_domain:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: source-registered-domain
   description: 'The highest registered source domain, stripped of the subdomain.
 
@@ -6766,12 +6836,11 @@ source.registered_domain:
     two labels will not work well for TLDs such as "co.uk".'
   example: example.com
   flat_name: source.registered_domain
-  ignore_above: 1024
   level: extended
   name: registered_domain
   normalize: []
   short: The highest registered source domain, stripped of the subdomain.
-  type: keyword
+  type: wildcard
 source.subdomain:
   dashed_name: source-subdomain
   description: 'The subdomain portion of a fully qualified domain name includes all
@@ -6821,22 +6890,24 @@ source.user.domain:
   short: Name of the directory the user is a member of.
   type: keyword
 source.user.email:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: source-user-email
   description: User email address.
   flat_name: source.user.email
-  ignore_above: 1024
   level: extended
   name: email
   normalize: []
   original_fieldset: user
   short: User email address.
-  type: keyword
+  type: wildcard
 source.user.full_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: source-user-full-name
   description: User's full name, if available.
   example: Albert Einstein
   flat_name: source.user.full_name
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: source.user.full_name.text
@@ -6847,7 +6918,7 @@ source.user.full_name:
   normalize: []
   original_fieldset: user
   short: User's full name, if available.
-  type: keyword
+  type: wildcard
 source.user.group.domain:
   dashed_name: source-user-group-domain
   description: 'Name of the directory the group is a member of.
@@ -6910,11 +6981,12 @@ source.user.id:
   short: Unique identifier of the user.
   type: keyword
 source.user.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: source-user-name
   description: Short name or login of the user.
   example: albert
   flat_name: source.user.name
-  ignore_above: 1024
   level: core
   multi_fields:
   - flat_name: source.user.name.text
@@ -6925,7 +6997,7 @@ source.user.name:
   normalize: []
   original_fieldset: user
   short: Short name or login of the user.
-  type: keyword
+  type: wildcard
 source.user.roles:
   dashed_name: source-user-roles
   description: Array of user roles at the time of the event.
@@ -7189,18 +7261,19 @@ tls.client.hash.sha256:
     certificate offered by the client.
   type: keyword
 tls.client.issuer:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: tls-client-issuer
   description: Distinguished name of subject of the issuer of the x.509 certificate
     presented by the client.
   example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
   flat_name: tls.client.issuer
-  ignore_above: 1024
   level: extended
   name: client.issuer
   normalize: []
   short: Distinguished name of subject of the issuer of the x.509 certificate presented
     by the client.
-  type: keyword
+  type: wildcard
 tls.client.ja3:
   dashed_name: tls-client-ja3
   description: A hash that identifies clients based on how they perform an SSL/TLS
@@ -7248,17 +7321,18 @@ tls.client.server_name:
   short: Hostname the client is trying to connect to. Also called the SNI.
   type: keyword
 tls.client.subject:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: tls-client-subject
   description: Distinguished name of subject of the x.509 certificate presented by
     the client.
   example: CN=myclient, OU=Documentation Team, DC=example, DC=com
   flat_name: tls.client.subject
-  ignore_above: 1024
   level: extended
   name: client.subject
   normalize: []
   short: Distinguished name of subject of the x.509 certificate presented by the client.
-  type: keyword
+  type: wildcard
 tls.client.supported_ciphers:
   dashed_name: tls-client-supported-ciphers
   description: Array of ciphers offered by the client during the client hello.
@@ -7314,18 +7388,19 @@ tls.client.x509.issuer.country:
   short: List of country (C) codes
   type: keyword
 tls.client.x509.issuer.distinguished_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: tls-client-x509-issuer-distinguished-name
   description: Distinguished name (DN) of issuing certificate authority.
   example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
     Server CA
   flat_name: tls.client.x509.issuer.distinguished_name
-  ignore_above: 1024
   level: extended
   name: issuer.distinguished_name
   normalize: []
   original_fieldset: x509
   short: Distinguished name (DN) of issuing certificate authority.
-  type: keyword
+  type: wildcard
 tls.client.x509.issuer.locality:
   dashed_name: tls-client-x509-issuer-locality
   description: List of locality names (L)
@@ -7504,17 +7579,18 @@ tls.client.x509.subject.country:
   short: List of country (C) code
   type: keyword
 tls.client.x509.subject.distinguished_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: tls-client-x509-subject-distinguished-name
   description: Distinguished name (DN) of the certificate subject entity.
   example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
   flat_name: tls.client.x509.subject.distinguished_name
-  ignore_above: 1024
   level: extended
   name: subject.distinguished_name
   normalize: []
   original_fieldset: x509
   short: Distinguished name (DN) of the certificate subject entity.
-  type: keyword
+  type: wildcard
 tls.client.x509.subject.locality:
   dashed_name: tls-client-x509-subject-locality
   description: List of locality names (L)
@@ -7695,16 +7771,17 @@ tls.server.hash.sha256:
     certificate offered by the server.
   type: keyword
 tls.server.issuer:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: tls-server-issuer
   description: Subject of the issuer of the x.509 certificate presented by the server.
   example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
   flat_name: tls.server.issuer
-  ignore_above: 1024
   level: extended
   name: server.issuer
   normalize: []
   short: Subject of the issuer of the x.509 certificate presented by the server.
-  type: keyword
+  type: wildcard
 tls.server.ja3s:
   dashed_name: tls-server-ja3s
   description: A hash that identifies servers based on how they perform an SSL/TLS
@@ -7739,16 +7816,17 @@ tls.server.not_before:
   short: Timestamp indicating when server certificate is first considered valid.
   type: date
 tls.server.subject:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: tls-server-subject
   description: Subject of the x.509 certificate presented by the server.
   example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com
   flat_name: tls.server.subject
-  ignore_above: 1024
   level: extended
   name: server.subject
   normalize: []
   short: Subject of the x.509 certificate presented by the server.
-  type: keyword
+  type: wildcard
 tls.server.x509.alternative_names:
   dashed_name: tls-server-x509-alternative-names
   description: List of subject alternative names (SAN). Name types vary by certificate
@@ -7791,18 +7869,19 @@ tls.server.x509.issuer.country:
   short: List of country (C) codes
   type: keyword
 tls.server.x509.issuer.distinguished_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: tls-server-x509-issuer-distinguished-name
   description: Distinguished name (DN) of issuing certificate authority.
   example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
     Server CA
   flat_name: tls.server.x509.issuer.distinguished_name
-  ignore_above: 1024
   level: extended
   name: issuer.distinguished_name
   normalize: []
   original_fieldset: x509
   short: Distinguished name (DN) of issuing certificate authority.
-  type: keyword
+  type: wildcard
 tls.server.x509.issuer.locality:
   dashed_name: tls-server-x509-issuer-locality
   description: List of locality names (L)
@@ -7981,17 +8060,18 @@ tls.server.x509.subject.country:
   short: List of country (C) code
   type: keyword
 tls.server.x509.subject.distinguished_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: tls-server-x509-subject-distinguished-name
   description: Distinguished name (DN) of the certificate subject entity.
   example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
   flat_name: tls.server.x509.subject.distinguished_name
-  ignore_above: 1024
   level: extended
   name: subject.distinguished_name
   normalize: []
   original_fieldset: x509
   short: Distinguished name (DN) of the certificate subject entity.
-  type: keyword
+  type: wildcard
 tls.server.x509.subject.locality:
   dashed_name: tls-server-x509-subject-locality
   description: List of locality names (L)
@@ -8106,6 +8186,8 @@ transaction.id:
   short: Unique identifier of the transaction within the scope of its trace.
   type: keyword
 url.domain:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: url-domain
   description: 'Domain of the url, such as "www.elastic.co".
 
@@ -8116,12 +8198,11 @@ url.domain:
     the `[` and `]` characters should also be captured in the `domain` field.'
   example: www.elastic.co
   flat_name: url.domain
-  ignore_above: 1024
   level: extended
   name: domain
   normalize: []
   short: Domain of the url.
-  type: keyword
+  type: wildcard
 url.extension:
   dashed_name: url-extension
   description: 'The field contains the file extension from the original request url,
@@ -8155,12 +8236,13 @@ url.fragment:
   short: Portion of the url after the `#`.
   type: keyword
 url.full:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: url-full
   description: If full URLs are important to your use case, they should be stored
     in `url.full`, whether this field is reconstructed or present in the event source.
   example: https://www.elastic.co:443/search?q=elasticsearch#top
   flat_name: url.full
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: url.full.text
@@ -8170,8 +8252,10 @@ url.full:
   name: full
   normalize: []
   short: Full unparsed URL.
-  type: keyword
+  type: wildcard
 url.original:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: url-original
   description: 'Unmodified original url as seen in the event source.
 
@@ -8181,7 +8265,6 @@ url.original:
     This field is meant to represent the URL as it was observed, complete or not.'
   example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
   flat_name: url.original
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: url.original.text
@@ -8191,7 +8274,7 @@ url.original:
   name: original
   normalize: []
   short: Unmodified original url as seen in the event source.
-  type: keyword
+  type: wildcard
 url.password:
   dashed_name: url-password
   description: Password of the request.
@@ -8203,15 +8286,16 @@ url.password:
   short: Password of the request.
   type: keyword
 url.path:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: url-path
   description: Path of the request, such as "/search".
   flat_name: url.path
-  ignore_above: 1024
   level: extended
   name: path
   normalize: []
   short: Path of the request, such as "/search".
-  type: keyword
+  type: wildcard
 url.port:
   dashed_name: url-port
   description: Port of the request, such as 443.
@@ -8240,6 +8324,8 @@ url.query:
   short: Query string of the request.
   type: keyword
 url.registered_domain:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: url-registered-domain
   description: 'The highest registered url domain, stripped of the subdomain.
 
@@ -8250,12 +8336,11 @@ url.registered_domain:
     two labels will not work well for TLDs such as "co.uk".'
   example: example.com
   flat_name: url.registered_domain
-  ignore_above: 1024
   level: extended
   name: registered_domain
   normalize: []
   short: The highest registered url domain, stripped of the subdomain.
-  type: keyword
+  type: wildcard
 url.scheme:
   dashed_name: url-scheme
   description: 'Scheme of the request, such as "https".
@@ -8328,22 +8413,24 @@ user.changes.domain:
   short: Name of the directory the user is a member of.
   type: keyword
 user.changes.email:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: user-changes-email
   description: User email address.
   flat_name: user.changes.email
-  ignore_above: 1024
   level: extended
   name: email
   normalize: []
   original_fieldset: user
   short: User email address.
-  type: keyword
+  type: wildcard
 user.changes.full_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: user-changes-full-name
   description: User's full name, if available.
   example: Albert Einstein
   flat_name: user.changes.full_name
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: user.changes.full_name.text
@@ -8354,7 +8441,7 @@ user.changes.full_name:
   normalize: []
   original_fieldset: user
   short: User's full name, if available.
-  type: keyword
+  type: wildcard
 user.changes.group.domain:
   dashed_name: user-changes-group-domain
   description: 'Name of the directory the group is a member of.
@@ -8417,11 +8504,12 @@ user.changes.id:
   short: Unique identifier of the user.
   type: keyword
 user.changes.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: user-changes-name
   description: Short name or login of the user.
   example: albert
   flat_name: user.changes.name
-  ignore_above: 1024
   level: core
   multi_fields:
   - flat_name: user.changes.name.text
@@ -8432,7 +8520,7 @@ user.changes.name:
   normalize: []
   original_fieldset: user
   short: Short name or login of the user.
-  type: keyword
+  type: wildcard
 user.changes.roles:
   dashed_name: user-changes-roles
   description: Array of user roles at the time of the event.
@@ -8472,22 +8560,24 @@ user.effective.domain:
   short: Name of the directory the user is a member of.
   type: keyword
 user.effective.email:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: user-effective-email
   description: User email address.
   flat_name: user.effective.email
-  ignore_above: 1024
   level: extended
   name: email
   normalize: []
   original_fieldset: user
   short: User email address.
-  type: keyword
+  type: wildcard
 user.effective.full_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: user-effective-full-name
   description: User's full name, if available.
   example: Albert Einstein
   flat_name: user.effective.full_name
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: user.effective.full_name.text
@@ -8498,7 +8588,7 @@ user.effective.full_name:
   normalize: []
   original_fieldset: user
   short: User's full name, if available.
-  type: keyword
+  type: wildcard
 user.effective.group.domain:
   dashed_name: user-effective-group-domain
   description: 'Name of the directory the group is a member of.
@@ -8561,11 +8651,12 @@ user.effective.id:
   short: Unique identifier of the user.
   type: keyword
 user.effective.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: user-effective-name
   description: Short name or login of the user.
   example: albert
   flat_name: user.effective.name
-  ignore_above: 1024
   level: core
   multi_fields:
   - flat_name: user.effective.name.text
@@ -8576,7 +8667,7 @@ user.effective.name:
   normalize: []
   original_fieldset: user
   short: Short name or login of the user.
-  type: keyword
+  type: wildcard
 user.effective.roles:
   dashed_name: user-effective-roles
   description: Array of user roles at the time of the event.
@@ -8591,21 +8682,23 @@ user.effective.roles:
   short: Array of user roles at the time of the event.
   type: keyword
 user.email:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: user-email
   description: User email address.
   flat_name: user.email
-  ignore_above: 1024
   level: extended
   name: email
   normalize: []
   short: User email address.
-  type: keyword
+  type: wildcard
 user.full_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: user-full-name
   description: User's full name, if available.
   example: Albert Einstein
   flat_name: user.full_name
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: user.full_name.text
@@ -8615,7 +8708,7 @@ user.full_name:
   name: full_name
   normalize: []
   short: User's full name, if available.
-  type: keyword
+  type: wildcard
 user.group.domain:
   dashed_name: user-group-domain
   description: 'Name of the directory the group is a member of.
@@ -8676,11 +8769,12 @@ user.id:
   short: Unique identifier of the user.
   type: keyword
 user.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: user-name
   description: Short name or login of the user.
   example: albert
   flat_name: user.name
-  ignore_above: 1024
   level: core
   multi_fields:
   - flat_name: user.name.text
@@ -8690,7 +8784,7 @@ user.name:
   name: name
   normalize: []
   short: Short name or login of the user.
-  type: keyword
+  type: wildcard
 user.roles:
   dashed_name: user-roles
   description: Array of user roles at the time of the event.
@@ -8717,22 +8811,24 @@ user.target.domain:
   short: Name of the directory the user is a member of.
   type: keyword
 user.target.email:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: user-target-email
   description: User email address.
   flat_name: user.target.email
-  ignore_above: 1024
   level: extended
   name: email
   normalize: []
   original_fieldset: user
   short: User email address.
-  type: keyword
+  type: wildcard
 user.target.full_name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: user-target-full-name
   description: User's full name, if available.
   example: Albert Einstein
   flat_name: user.target.full_name
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: user.target.full_name.text
@@ -8743,7 +8839,7 @@ user.target.full_name:
   normalize: []
   original_fieldset: user
   short: User's full name, if available.
-  type: keyword
+  type: wildcard
 user.target.group.domain:
   dashed_name: user-target-group-domain
   description: 'Name of the directory the group is a member of.
@@ -8806,11 +8902,12 @@ user.target.id:
   short: Unique identifier of the user.
   type: keyword
 user.target.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: user-target-name
   description: Short name or login of the user.
   example: albert
   flat_name: user.target.name
-  ignore_above: 1024
   level: core
   multi_fields:
   - flat_name: user.target.name.text
@@ -8821,7 +8918,7 @@ user.target.name:
   normalize: []
   original_fieldset: user
   short: Short name or login of the user.
-  type: keyword
+  type: wildcard
 user.target.roles:
   dashed_name: user-target-roles
   description: Array of user roles at the time of the event.
@@ -8858,12 +8955,13 @@ user_agent.name:
   short: Name of the user agent.
   type: keyword
 user_agent.original:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: user-agent-original
   description: Unparsed user_agent string.
   example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15
     (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
   flat_name: user_agent.original
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: user_agent.original.text
@@ -8873,7 +8971,7 @@ user_agent.original:
   name: original
   normalize: []
   short: Unparsed user_agent string.
-  type: keyword
+  type: wildcard
 user_agent.os.family:
   dashed_name: user-agent-os-family
   description: OS family (such as redhat, debian, freebsd, windows).
@@ -8887,11 +8985,12 @@ user_agent.os.family:
   short: OS family (such as redhat, debian, freebsd, windows).
   type: keyword
 user_agent.os.full:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: user-agent-os-full
   description: Operating system name, including the version or code name.
   example: Mac OS Mojave
   flat_name: user_agent.os.full
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: user_agent.os.full.text
@@ -8902,7 +9001,7 @@ user_agent.os.full:
   normalize: []
   original_fieldset: os
   short: Operating system name, including the version or code name.
-  type: keyword
+  type: wildcard
 user_agent.os.kernel:
   dashed_name: user-agent-os-kernel
   description: Operating system kernel version as a raw string.
@@ -8916,11 +9015,12 @@ user_agent.os.kernel:
   short: Operating system kernel version as a raw string.
   type: keyword
 user_agent.os.name:
+  beta: Note the usage of `wildcard` type is considered beta. This field used to be
+    type `keyword`.
   dashed_name: user-agent-os-name
   description: Operating system name, without the version.
   example: Mac OS X
   flat_name: user_agent.os.name
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: user_agent.os.name.text
@@ -8931,7 +9031,7 @@ user_agent.os.name:
   normalize: []
   original_fieldset: os
   short: Operating system name, without the version.
-  type: keyword
+  type: wildcard
 user_agent.os.platform:
   dashed_name: user-agent-os-platform
   description: Operating system platform (such centos, ubuntu, windows).
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index eaa283a9a0..50c4915485 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -8,6 +8,8 @@ agent:
     event happened or the measurement was taken.'
   fields:
     agent.build.original:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: agent-build-original
       description: 'Extended build information for the agent.
 
@@ -16,12 +18,11 @@ agent:
       example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c
         built 2020-02-05 23:10:10 +0000 UTC]
       flat_name: agent.build.original
-      ignore_above: 1024
       level: core
       name: build.original
       normalize: []
       short: Extended build information for the agent.
-      type: keyword
+      type: wildcard
     agent.ephemeral_id:
       dashed_name: agent-ephemeral-id
       description: 'Ephemeral identifier of this agent (if one exists).
@@ -119,11 +120,12 @@ as:
       short: Unique number allocated to the autonomous system.
       type: long
     as.organization.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: as-organization-name
       description: Organization name.
       example: Google LLC
       flat_name: as.organization.name
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: as.organization.name.text
@@ -133,7 +135,7 @@ as:
       name: organization.name
       normalize: []
       short: Organization name.
-      type: keyword
+      type: wildcard
   group: 2
   name: as
   prefix: as.
@@ -275,11 +277,12 @@ client:
       short: Unique number allocated to the autonomous system.
       type: long
     client.as.organization.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: client-as-organization-name
       description: Organization name.
       example: Google LLC
       flat_name: client.as.organization.name
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: client.as.organization.name.text
@@ -290,7 +293,7 @@ client:
       normalize: []
       original_fieldset: as
       short: Organization name.
-      type: keyword
+      type: wildcard
     client.bytes:
       dashed_name: client-bytes
       description: Bytes sent from the client to the server.
@@ -303,15 +306,16 @@ client:
       short: Bytes sent from the client to the server.
       type: long
     client.domain:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: client-domain
       description: Client domain.
       flat_name: client.domain
-      ignore_above: 1024
       level: core
       name: domain
       normalize: []
       short: Client domain.
-      type: keyword
+      type: wildcard
     client.geo.city_name:
       dashed_name: client-geo-city-name
       description: City name.
@@ -372,6 +376,8 @@ client:
       short: Longitude and latitude.
       type: geo_point
     client.geo.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: client-geo-name
       description: 'User-defined description of a location, at the level of granularity
         they care about.
@@ -382,13 +388,12 @@ client:
         Not typically used in automated geolocation.'
       example: boston-dc
       flat_name: client.geo.name
-      ignore_above: 1024
       level: extended
       name: name
       normalize: []
       original_fieldset: geo
       short: User-defined description of a location.
-      type: keyword
+      type: wildcard
     client.geo.region_iso_code:
       dashed_name: client-geo-region-iso-code
       description: Region ISO code.
@@ -478,6 +483,8 @@ client:
       short: Port of the client.
       type: long
     client.registered_domain:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: client-registered-domain
       description: 'The highest registered client domain, stripped of the subdomain.
 
@@ -488,12 +495,11 @@ client:
         the last two labels will not work well for TLDs such as "co.uk".'
       example: example.com
       flat_name: client.registered_domain
-      ignore_above: 1024
       level: extended
       name: registered_domain
       normalize: []
       short: The highest registered client domain, stripped of the subdomain.
-      type: keyword
+      type: wildcard
     client.subdomain:
       dashed_name: client-subdomain
       description: 'The subdomain portion of a fully qualified domain name includes
@@ -543,22 +549,24 @@ client:
       short: Name of the directory the user is a member of.
       type: keyword
     client.user.email:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: client-user-email
       description: User email address.
       flat_name: client.user.email
-      ignore_above: 1024
       level: extended
       name: email
       normalize: []
       original_fieldset: user
       short: User email address.
-      type: keyword
+      type: wildcard
     client.user.full_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: client-user-full-name
       description: User's full name, if available.
       example: Albert Einstein
       flat_name: client.user.full_name
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: client.user.full_name.text
@@ -569,7 +577,7 @@ client:
       normalize: []
       original_fieldset: user
       short: User's full name, if available.
-      type: keyword
+      type: wildcard
     client.user.group.domain:
       dashed_name: client-user-group-domain
       description: 'Name of the directory the group is a member of.
@@ -632,11 +640,12 @@ client:
       short: Unique identifier of the user.
       type: keyword
     client.user.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: client-user-name
       description: Short name or login of the user.
       example: albert
       flat_name: client.user.name
-      ignore_above: 1024
       level: core
       multi_fields:
       - flat_name: client.user.name.text
@@ -647,7 +656,7 @@ client:
       normalize: []
       original_fieldset: user
       short: Short name or login of the user.
-      type: keyword
+      type: wildcard
     client.user.roles:
       dashed_name: client-user-roles
       description: Array of user roles at the time of the event.
@@ -1013,11 +1022,12 @@ destination:
       short: Unique number allocated to the autonomous system.
       type: long
     destination.as.organization.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: destination-as-organization-name
       description: Organization name.
       example: Google LLC
       flat_name: destination.as.organization.name
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: destination.as.organization.name.text
@@ -1028,7 +1038,7 @@ destination:
       normalize: []
       original_fieldset: as
       short: Organization name.
-      type: keyword
+      type: wildcard
     destination.bytes:
       dashed_name: destination-bytes
       description: Bytes sent from the destination to the source.
@@ -1041,15 +1051,16 @@ destination:
       short: Bytes sent from the destination to the source.
       type: long
     destination.domain:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: destination-domain
       description: Destination domain.
       flat_name: destination.domain
-      ignore_above: 1024
       level: core
       name: domain
       normalize: []
       short: Destination domain.
-      type: keyword
+      type: wildcard
     destination.geo.city_name:
       dashed_name: destination-geo-city-name
       description: City name.
@@ -1110,6 +1121,8 @@ destination:
       short: Longitude and latitude.
       type: geo_point
     destination.geo.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: destination-geo-name
       description: 'User-defined description of a location, at the level of granularity
         they care about.
@@ -1120,13 +1133,12 @@ destination:
         Not typically used in automated geolocation.'
       example: boston-dc
       flat_name: destination.geo.name
-      ignore_above: 1024
       level: extended
       name: name
       normalize: []
       original_fieldset: geo
       short: User-defined description of a location.
-      type: keyword
+      type: wildcard
     destination.geo.region_iso_code:
       dashed_name: destination-geo-region-iso-code
       description: Region ISO code.
@@ -1215,6 +1227,8 @@ destination:
       short: Port of the destination.
       type: long
     destination.registered_domain:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: destination-registered-domain
       description: 'The highest registered destination domain, stripped of the subdomain.
 
@@ -1225,12 +1239,11 @@ destination:
         the last two labels will not work well for TLDs such as "co.uk".'
       example: example.com
       flat_name: destination.registered_domain
-      ignore_above: 1024
       level: extended
       name: registered_domain
       normalize: []
       short: The highest registered destination domain, stripped of the subdomain.
-      type: keyword
+      type: wildcard
     destination.subdomain:
       dashed_name: destination-subdomain
       description: 'The subdomain portion of a fully qualified domain name includes
@@ -1280,22 +1293,24 @@ destination:
       short: Name of the directory the user is a member of.
       type: keyword
     destination.user.email:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: destination-user-email
       description: User email address.
       flat_name: destination.user.email
-      ignore_above: 1024
       level: extended
       name: email
       normalize: []
       original_fieldset: user
       short: User email address.
-      type: keyword
+      type: wildcard
     destination.user.full_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: destination-user-full-name
       description: User's full name, if available.
       example: Albert Einstein
       flat_name: destination.user.full_name
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: destination.user.full_name.text
@@ -1306,7 +1321,7 @@ destination:
       normalize: []
       original_fieldset: user
       short: User's full name, if available.
-      type: keyword
+      type: wildcard
     destination.user.group.domain:
       dashed_name: destination-user-group-domain
       description: 'Name of the directory the group is a member of.
@@ -1369,11 +1384,12 @@ destination:
       short: Unique identifier of the user.
       type: keyword
     destination.user.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: destination-user-name
       description: Short name or login of the user.
       example: albert
       flat_name: destination.user.name
-      ignore_above: 1024
       level: core
       multi_fields:
       - flat_name: destination.user.name.text
@@ -1384,7 +1400,7 @@ destination:
       normalize: []
       original_fieldset: user
       short: Short name or login of the user.
-      type: keyword
+      type: wildcard
     destination.user.roles:
       dashed_name: destination-user-roles
       description: Array of user roles at the time of the event.
@@ -1633,17 +1649,18 @@ dll:
       short: A hash of the imports in a PE file.
       type: keyword
     dll.pe.original_file_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: dll-pe-original-file-name
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
       flat_name: dll.pe.original_file_name
-      ignore_above: 1024
       level: extended
       name: original_file_name
       normalize: []
       original_fieldset: pe
       short: Internal name of the file, provided at compile-time.
-      type: keyword
+      type: wildcard
     dll.pe.product:
       dashed_name: dll-pe-product
       description: Internal product name of the file, provided at compile-time.
@@ -1715,18 +1732,19 @@ dns:
       short: The class of DNS data contained in this resource record.
       type: keyword
     dns.answers.data:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: dns-answers-data
       description: 'The data describing the resource.
 
         The meaning of this data depends on the type and class of the resource record.'
       example: 10.10.10.10
       flat_name: dns.answers.data
-      ignore_above: 1024
       level: extended
       name: answers.data
       normalize: []
       short: The data describing the resource.
-      type: keyword
+      type: wildcard
     dns.answers.name:
       dashed_name: dns-answers-name
       description: 'The domain name to which this resource record pertains.
@@ -1818,6 +1836,8 @@ dns:
       short: The class of records being queried.
       type: keyword
     dns.question.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: dns-question-name
       description: 'The name being queried.
 
@@ -1827,12 +1847,11 @@ dns:
         feeds should be converted to \t, \r, and \n respectively.'
       example: www.example.com
       flat_name: dns.question.name
-      ignore_above: 1024
       level: extended
       name: question.name
       normalize: []
       short: The name being queried.
-      type: keyword
+      type: wildcard
     dns.question.registered_domain:
       dashed_name: dns-question-registered-domain
       description: 'The highest registered domain, stripped of the subdomain.
@@ -2006,12 +2025,11 @@ error:
       short: Error message.
       type: text
     error.stack_trace:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: error-stack-trace
       description: The stack trace of this error in plain text.
-      doc_values: false
       flat_name: error.stack_trace
-      ignore_above: 1024
-      index: false
       level: extended
       multi_fields:
       - flat_name: error.stack_trace.text
@@ -2021,18 +2039,19 @@ error:
       name: stack_trace
       normalize: []
       short: The stack trace of this error in plain text.
-      type: keyword
+      type: wildcard
     error.type:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: error-type
       description: The type of the error, for example the class name of the exception.
       example: java.lang.NullPointerException
       flat_name: error.type
-      ignore_above: 1024
       level: extended
       name: type
       normalize: []
       short: The type of the error, for example the class name of the exception.
-      type: keyword
+      type: wildcard
   group: 2
   name: error
   prefix: error.
@@ -2472,7 +2491,8 @@ event:
       description: 'Raw text message of entire event. Used to demonstrate log integrity.
 
         This field is not indexed and doc_values are disabled. It cannot be searched,
-        but it can be retrieved from `_source`.'
+        but it can be retrieved from `_source`. If users wish to override this and
+        index this field, consider using the wildcard data type.'
       doc_values: false
       example: Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124;
         worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232
@@ -2960,17 +2980,18 @@ file:
       short: Device that is the source of the file.
       type: keyword
     file.directory:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: file-directory
       description: Directory where the file is located. It should include the drive
         letter, when appropriate.
       example: /home/alice
       flat_name: file.directory
-      ignore_above: 1024
       level: extended
       name: directory
       normalize: []
       short: Directory where the file is located.
-      type: keyword
+      type: wildcard
     file.drive_letter:
       dashed_name: file-drive-letter
       description: 'Drive letter where the file is located. This field is only relevant
@@ -3132,12 +3153,13 @@ file:
       short: File owner's username.
       type: keyword
     file.path:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: file-path
       description: Full path to the file, including the file name. It should include
         the drive letter, when appropriate.
       example: /home/alice/example.png
       flat_name: file.path
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: file.path.text
@@ -3147,7 +3169,7 @@ file:
       name: path
       normalize: []
       short: Full path to the file, including the file name.
-      type: keyword
+      type: wildcard
     file.pe.architecture:
       dashed_name: file-pe-architecture
       description: CPU architecture target for the file.
@@ -3213,17 +3235,18 @@ file:
       short: A hash of the imports in a PE file.
       type: keyword
     file.pe.original_file_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: file-pe-original-file-name
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
       flat_name: file.pe.original_file_name
-      ignore_above: 1024
       level: extended
       name: original_file_name
       normalize: []
       original_fieldset: pe
       short: Internal name of the file, provided at compile-time.
-      type: keyword
+      type: wildcard
     file.pe.product:
       dashed_name: file-pe-product
       description: Internal product name of the file, provided at compile-time.
@@ -3249,10 +3272,11 @@ file:
       short: File size in bytes.
       type: long
     file.target_path:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: file-target-path
       description: Target path for symlinks.
       flat_name: file.target_path
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: file.target_path.text
@@ -3262,7 +3286,7 @@ file:
       name: target_path
       normalize: []
       short: Target path for symlinks.
-      type: keyword
+      type: wildcard
     file.type:
       dashed_name: file-type
       description: File type (file, dir, or symlink).
@@ -3327,18 +3351,19 @@ file:
       short: List of country (C) codes
       type: keyword
     file.x509.issuer.distinguished_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: file-x509-issuer-distinguished-name
       description: Distinguished name (DN) of issuing certificate authority.
       example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
         Server CA
       flat_name: file.x509.issuer.distinguished_name
-      ignore_above: 1024
       level: extended
       name: issuer.distinguished_name
       normalize: []
       original_fieldset: x509
       short: Distinguished name (DN) of issuing certificate authority.
-      type: keyword
+      type: wildcard
     file.x509.issuer.locality:
       dashed_name: file-x509-issuer-locality
       description: List of locality names (L)
@@ -3517,17 +3542,18 @@ file:
       short: List of country (C) code
       type: keyword
     file.x509.subject.distinguished_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: file-x509-subject-distinguished-name
       description: Distinguished name (DN) of the certificate subject entity.
       example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
       flat_name: file.x509.subject.distinguished_name
-      ignore_above: 1024
       level: extended
       name: subject.distinguished_name
       normalize: []
       original_fieldset: x509
       short: Distinguished name (DN) of the certificate subject entity.
-      type: keyword
+      type: wildcard
     file.x509.subject.locality:
       dashed_name: file-x509-subject-locality
       description: List of locality names (L)
@@ -3677,6 +3703,8 @@ geo:
       short: Longitude and latitude.
       type: geo_point
     geo.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: geo-name
       description: 'User-defined description of a location, at the level of granularity
         they care about.
@@ -3687,12 +3715,11 @@ geo:
         Not typically used in automated geolocation.'
       example: boston-dc
       flat_name: geo.name
-      ignore_above: 1024
       level: extended
       name: name
       normalize: []
       short: User-defined description of a location.
-      type: keyword
+      type: wildcard
     geo.region_iso_code:
       dashed_name: geo-region-iso-code
       description: Region ISO code.
@@ -3948,6 +3975,8 @@ host:
       short: Longitude and latitude.
       type: geo_point
     host.geo.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: host-geo-name
       description: 'User-defined description of a location, at the level of granularity
         they care about.
@@ -3958,13 +3987,12 @@ host:
         Not typically used in automated geolocation.'
       example: boston-dc
       flat_name: host.geo.name
-      ignore_above: 1024
       level: extended
       name: name
       normalize: []
       original_fieldset: geo
       short: User-defined description of a location.
-      type: keyword
+      type: wildcard
     host.geo.region_iso_code:
       dashed_name: host-geo-region-iso-code
       description: Region ISO code.
@@ -3990,17 +4018,18 @@ host:
       short: Region name.
       type: keyword
     host.hostname:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: host-hostname
       description: 'Hostname of the host.
 
         It normally contains what the `hostname` command returns on the host machine.'
       flat_name: host.hostname
-      ignore_above: 1024
       level: core
       name: hostname
       normalize: []
       short: Hostname of the host.
-      type: keyword
+      type: wildcard
     host.id:
       dashed_name: host-id
       description: 'Unique host id.
@@ -4063,11 +4092,12 @@ host:
       short: OS family (such as redhat, debian, freebsd, windows).
       type: keyword
     host.os.full:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: host-os-full
       description: Operating system name, including the version or code name.
       example: Mac OS Mojave
       flat_name: host.os.full
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: host.os.full.text
@@ -4078,7 +4108,7 @@ host:
       normalize: []
       original_fieldset: os
       short: Operating system name, including the version or code name.
-      type: keyword
+      type: wildcard
     host.os.kernel:
       dashed_name: host-os-kernel
       description: Operating system kernel version as a raw string.
@@ -4092,11 +4122,12 @@ host:
       short: Operating system kernel version as a raw string.
       type: keyword
     host.os.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: host-os-name
       description: Operating system name, without the version.
       example: Mac OS X
       flat_name: host.os.name
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: host.os.name.text
@@ -4107,7 +4138,7 @@ host:
       normalize: []
       original_fieldset: os
       short: Operating system name, without the version.
-      type: keyword
+      type: wildcard
     host.os.platform:
       dashed_name: host-os-platform
       description: Operating system platform (such centos, ubuntu, windows).
@@ -4190,22 +4221,24 @@ host:
       short: Name of the directory the user is a member of.
       type: keyword
     host.user.email:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: host-user-email
       description: User email address.
       flat_name: host.user.email
-      ignore_above: 1024
       level: extended
       name: email
       normalize: []
       original_fieldset: user
       short: User email address.
-      type: keyword
+      type: wildcard
     host.user.full_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: host-user-full-name
       description: User's full name, if available.
       example: Albert Einstein
       flat_name: host.user.full_name
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: host.user.full_name.text
@@ -4216,7 +4249,7 @@ host:
       normalize: []
       original_fieldset: user
       short: User's full name, if available.
-      type: keyword
+      type: wildcard
     host.user.group.domain:
       dashed_name: host-user-group-domain
       description: 'Name of the directory the group is a member of.
@@ -4279,11 +4312,12 @@ host:
       short: Unique identifier of the user.
       type: keyword
     host.user.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: host-user-name
       description: Short name or login of the user.
       example: albert
       flat_name: host.user.name
-      ignore_above: 1024
       level: core
       multi_fields:
       - flat_name: host.user.name.text
@@ -4294,7 +4328,7 @@ host:
       normalize: []
       original_fieldset: user
       short: Short name or login of the user.
-      type: keyword
+      type: wildcard
     host.user.roles:
       dashed_name: host-user-roles
       description: Array of user roles at the time of the event.
@@ -4344,11 +4378,12 @@ http:
       short: Size in bytes of the request body.
       type: long
     http.request.body.content:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: http-request-body-content
       description: The full HTTP request body.
       example: Hello world
       flat_name: http.request.body.content
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: http.request.body.content.text
@@ -4358,7 +4393,7 @@ http:
       name: request.body.content
       normalize: []
       short: The full HTTP request body.
-      type: keyword
+      type: wildcard
     http.request.bytes:
       dashed_name: http-request-bytes
       description: Total size in bytes of the request (body and headers).
@@ -4406,16 +4441,17 @@ http:
       short: Mime type of the body of the request.
       type: keyword
     http.request.referrer:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: http-request-referrer
       description: Referrer for this HTTP request.
       example: https://blog.example.com/
       flat_name: http.request.referrer
-      ignore_above: 1024
       level: extended
       name: request.referrer
       normalize: []
       short: Referrer for this HTTP request.
-      type: keyword
+      type: wildcard
     http.response.body.bytes:
       dashed_name: http-response-body-bytes
       description: Size in bytes of the response body.
@@ -4428,11 +4464,12 @@ http:
       short: Size in bytes of the response body.
       type: long
     http.response.body.content:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: http-response-body-content
       description: The full HTTP response body.
       example: Hello world
       flat_name: http.response.body.content
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: http.response.body.content.text
@@ -4442,7 +4479,7 @@ http:
       name: response.body.content
       normalize: []
       short: The full HTTP response body.
-      type: keyword
+      type: wildcard
     http.response.bytes:
       dashed_name: http-response-bytes
       description: Total size in bytes of the response (body and headers).
@@ -4566,6 +4603,8 @@ log:
     but rather in `event.*` or in other ECS fields.'
   fields:
     log.file.path:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: log-file-path
       description: 'Full path to the log file this event came from, including the
         file name. It should include the drive letter, when appropriate.
@@ -4573,12 +4612,11 @@ log:
         If the event wasn''t read from a log file, do not populate this field.'
       example: /var/log/fun-times.log
       flat_name: log.file.path
-      ignore_above: 1024
       level: extended
       name: file.path
       normalize: []
       short: Full path to the log file this event came from.
-      type: keyword
+      type: wildcard
     log.level:
       dashed_name: log-level
       description: 'Original log level of the log event.
@@ -4597,17 +4635,18 @@ log:
       short: Log level of the log event.
       type: keyword
     log.logger:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: log-logger
       description: The name of the logger inside an application. This is usually the
         name of the class which initialized the logger, or can be a custom name.
       example: org.elasticsearch.bootstrap.Bootstrap
       flat_name: log.logger
-      ignore_above: 1024
       level: core
       name: logger
       normalize: []
       short: Name of the logger.
-      type: keyword
+      type: wildcard
     log.origin.file.line:
       dashed_name: log-origin-file-line
       description: The line number of the file containing the source code which originated
@@ -5159,6 +5198,8 @@ observer:
       short: Longitude and latitude.
       type: geo_point
     observer.geo.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: observer-geo-name
       description: 'User-defined description of a location, at the level of granularity
         they care about.
@@ -5169,13 +5210,12 @@ observer:
         Not typically used in automated geolocation.'
       example: boston-dc
       flat_name: observer.geo.name
-      ignore_above: 1024
       level: extended
       name: name
       normalize: []
       original_fieldset: geo
       short: User-defined description of a location.
-      type: keyword
+      type: wildcard
     observer.geo.region_iso_code:
       dashed_name: observer-geo-region-iso-code
       description: Region ISO code.
@@ -5347,11 +5387,12 @@ observer:
       short: OS family (such as redhat, debian, freebsd, windows).
       type: keyword
     observer.os.full:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: observer-os-full
       description: Operating system name, including the version or code name.
       example: Mac OS Mojave
       flat_name: observer.os.full
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: observer.os.full.text
@@ -5362,7 +5403,7 @@ observer:
       normalize: []
       original_fieldset: os
       short: Operating system name, including the version or code name.
-      type: keyword
+      type: wildcard
     observer.os.kernel:
       dashed_name: observer-os-kernel
       description: Operating system kernel version as a raw string.
@@ -5376,11 +5417,12 @@ observer:
       short: Operating system kernel version as a raw string.
       type: keyword
     observer.os.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: observer-os-name
       description: Operating system name, without the version.
       example: Mac OS X
       flat_name: observer.os.name
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: observer.os.name.text
@@ -5391,7 +5433,7 @@ observer:
       normalize: []
       original_fieldset: os
       short: Operating system name, without the version.
-      type: keyword
+      type: wildcard
     observer.os.platform:
       dashed_name: observer-os-platform
       description: Operating system platform (such centos, ubuntu, windows).
@@ -5542,10 +5584,11 @@ organization:
       short: Unique identifier for the organization.
       type: keyword
     organization.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: organization-name
       description: Organization name.
       flat_name: organization.name
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: organization.name.text
@@ -5555,7 +5598,7 @@ organization:
       name: name
       normalize: []
       short: Organization name.
-      type: keyword
+      type: wildcard
   group: 2
   name: organization
   prefix: organization.
@@ -5577,11 +5620,12 @@ os:
       short: OS family (such as redhat, debian, freebsd, windows).
       type: keyword
     os.full:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: os-full
       description: Operating system name, including the version or code name.
       example: Mac OS Mojave
       flat_name: os.full
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: os.full.text
@@ -5591,7 +5635,7 @@ os:
       name: full
       normalize: []
       short: Operating system name, including the version or code name.
-      type: keyword
+      type: wildcard
     os.kernel:
       dashed_name: os-kernel
       description: Operating system kernel version as a raw string.
@@ -5604,11 +5648,12 @@ os:
       short: Operating system kernel version as a raw string.
       type: keyword
     os.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: os-name
       description: Operating system name, without the version.
       example: Mac OS X
       flat_name: os.name
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: os.name.text
@@ -5618,7 +5663,7 @@ os:
       name: name
       normalize: []
       short: Operating system name, without the version.
-      type: keyword
+      type: wildcard
     os.platform:
       dashed_name: os-platform
       description: Operating system platform (such centos, ubuntu, windows).
@@ -5904,16 +5949,17 @@ pe:
       short: A hash of the imports in a PE file.
       type: keyword
     pe.original_file_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: pe-original-file-name
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
       flat_name: pe.original_file_name
-      ignore_above: 1024
       level: extended
       name: original_file_name
       normalize: []
       short: Internal name of the file, provided at compile-time.
-      type: keyword
+      type: wildcard
     pe.product:
       dashed_name: pe-product
       description: Internal product name of the file, provided at compile-time.
@@ -6048,6 +6094,8 @@ process:
         content.
       type: boolean
     process.command_line:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: process-command-line
       description: 'Full command line that started the process, including the absolute
         path to the executable, and all arguments.
@@ -6055,7 +6103,6 @@ process:
         Some arguments may be filtered to protect sensitive information.'
       example: /usr/bin/ssh -l user 10.0.0.16
       flat_name: process.command_line
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: process.command_line.text
@@ -6065,7 +6112,7 @@ process:
       name: command_line
       normalize: []
       short: Full command line that started the process.
-      type: keyword
+      type: wildcard
     process.entity_id:
       dashed_name: process-entity-id
       description: 'Unique identifier for the process.
@@ -6086,11 +6133,12 @@ process:
       short: Unique identifier for the process.
       type: keyword
     process.executable:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: process-executable
       description: Absolute path to the process executable.
       example: /usr/bin/ssh
       flat_name: process.executable
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: process.executable.text
@@ -6100,7 +6148,7 @@ process:
       name: executable
       normalize: []
       short: Absolute path to the process executable.
-      type: keyword
+      type: wildcard
     process.exit_code:
       dashed_name: process-exit-code
       description: 'The exit code of the process, if this is a termination event.
@@ -6159,13 +6207,14 @@ process:
       short: SHA512 hash.
       type: keyword
     process.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: process-name
       description: 'Process name.
 
         Sometimes called program name or similar.'
       example: ssh
       flat_name: process.name
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: process.name.text
@@ -6175,7 +6224,7 @@ process:
       name: name
       normalize: []
       short: Process name.
-      type: keyword
+      type: wildcard
     process.parent.args:
       dashed_name: process-parent-args
       description: 'Array of process arguments, starting with the absolute path to
@@ -6276,6 +6325,8 @@ process:
         content.
       type: boolean
     process.parent.command_line:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: process-parent-command-line
       description: 'Full command line that started the process, including the absolute
         path to the executable, and all arguments.
@@ -6283,7 +6334,6 @@ process:
         Some arguments may be filtered to protect sensitive information.'
       example: /usr/bin/ssh -l user 10.0.0.16
       flat_name: process.parent.command_line
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: process.parent.command_line.text
@@ -6294,7 +6344,7 @@ process:
       normalize: []
       original_fieldset: process
       short: Full command line that started the process.
-      type: keyword
+      type: wildcard
     process.parent.entity_id:
       dashed_name: process-parent-entity-id
       description: 'Unique identifier for the process.
@@ -6316,11 +6366,12 @@ process:
       short: Unique identifier for the process.
       type: keyword
     process.parent.executable:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: process-parent-executable
       description: Absolute path to the process executable.
       example: /usr/bin/ssh
       flat_name: process.parent.executable
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: process.parent.executable.text
@@ -6331,7 +6382,7 @@ process:
       normalize: []
       original_fieldset: process
       short: Absolute path to the process executable.
-      type: keyword
+      type: wildcard
     process.parent.exit_code:
       dashed_name: process-parent-exit-code
       description: 'The exit code of the process, if this is a termination event.
@@ -6391,13 +6442,14 @@ process:
       short: SHA512 hash.
       type: keyword
     process.parent.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: process-parent-name
       description: 'Process name.
 
         Sometimes called program name or similar.'
       example: ssh
       flat_name: process.parent.name
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: process.parent.name.text
@@ -6408,7 +6460,7 @@ process:
       normalize: []
       original_fieldset: process
       short: Process name.
-      type: keyword
+      type: wildcard
     process.parent.pe.architecture:
       dashed_name: process-parent-pe-architecture
       description: CPU architecture target for the file.
@@ -6474,17 +6526,18 @@ process:
       short: A hash of the imports in a PE file.
       type: keyword
     process.parent.pe.original_file_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: process-parent-pe-original-file-name
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
       flat_name: process.parent.pe.original_file_name
-      ignore_above: 1024
       level: extended
       name: original_file_name
       normalize: []
       original_fieldset: pe
       short: Internal name of the file, provided at compile-time.
-      type: keyword
+      type: wildcard
     process.parent.pe.product:
       dashed_name: process-parent-pe-product
       description: Internal product name of the file, provided at compile-time.
@@ -6556,25 +6609,27 @@ process:
       short: Thread ID.
       type: long
     process.parent.thread.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: process-parent-thread-name
       description: Thread name.
       example: thread-0
       flat_name: process.parent.thread.name
-      ignore_above: 1024
       level: extended
       name: thread.name
       normalize: []
       original_fieldset: process
       short: Thread name.
-      type: keyword
+      type: wildcard
     process.parent.title:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: process-parent-title
       description: 'Process title.
 
         The proctitle, some times the same as process name. Can also be different:
         for example a browser setting its title to the web page currently opened.'
       flat_name: process.parent.title
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: process.parent.title.text
@@ -6585,7 +6640,7 @@ process:
       normalize: []
       original_fieldset: process
       short: Process title.
-      type: keyword
+      type: wildcard
     process.parent.uptime:
       dashed_name: process-parent-uptime
       description: Seconds the process has been up.
@@ -6598,11 +6653,12 @@ process:
       short: Seconds the process has been up.
       type: long
     process.parent.working_directory:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: process-parent-working-directory
       description: The working directory of the process.
       example: /home/alice
       flat_name: process.parent.working_directory
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: process.parent.working_directory.text
@@ -6613,7 +6669,7 @@ process:
       normalize: []
       original_fieldset: process
       short: The working directory of the process.
-      type: keyword
+      type: wildcard
     process.pe.architecture:
       dashed_name: process-pe-architecture
       description: CPU architecture target for the file.
@@ -6679,17 +6735,18 @@ process:
       short: A hash of the imports in a PE file.
       type: keyword
     process.pe.original_file_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: process-pe-original-file-name
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
       flat_name: process.pe.original_file_name
-      ignore_above: 1024
       level: extended
       name: original_file_name
       normalize: []
       original_fieldset: pe
       short: Internal name of the file, provided at compile-time.
-      type: keyword
+      type: wildcard
     process.pe.product:
       dashed_name: process-pe-product
       description: Internal product name of the file, provided at compile-time.
@@ -6756,24 +6813,26 @@ process:
       short: Thread ID.
       type: long
     process.thread.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: process-thread-name
       description: Thread name.
       example: thread-0
       flat_name: process.thread.name
-      ignore_above: 1024
       level: extended
       name: thread.name
       normalize: []
       short: Thread name.
-      type: keyword
+      type: wildcard
     process.title:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: process-title
       description: 'Process title.
 
         The proctitle, some times the same as process name. Can also be different:
         for example a browser setting its title to the web page currently opened.'
       flat_name: process.title
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: process.title.text
@@ -6783,7 +6842,7 @@ process:
       name: title
       normalize: []
       short: Process title.
-      type: keyword
+      type: wildcard
     process.uptime:
       dashed_name: process-uptime
       description: Seconds the process has been up.
@@ -6795,11 +6854,12 @@ process:
       short: Seconds the process has been up.
       type: long
     process.working_directory:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: process-working-directory
       description: The working directory of the process.
       example: /home/alice
       flat_name: process.working_directory
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: process.working_directory.text
@@ -6809,7 +6869,7 @@ process:
       name: working_directory
       normalize: []
       short: The working directory of the process.
-      type: keyword
+      type: wildcard
   group: 2
   name: process
   nestings:
@@ -6859,6 +6919,8 @@ registry:
       short: Original bytes written with base64 encoding.
       type: keyword
     registry.data.strings:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: registry-data-strings
       description: 'Content when writing string types.
 
@@ -6869,13 +6931,12 @@ registry:
         be populated with the decimal representation (e.g `"1"`).'
       example: '["C:\rta\red_ttp\bin\myapp.exe"]'
       flat_name: registry.data.strings
-      ignore_above: 1024
       level: core
       name: data.strings
       normalize:
       - array
       short: List of strings representing what was written to the registry.
-      type: keyword
+      type: wildcard
     registry.data.type:
       dashed_name: registry-data-type
       description: Standard registry type for encoding contents
@@ -6899,28 +6960,30 @@ registry:
       short: Abbreviated name for the hive.
       type: keyword
     registry.key:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: registry-key
       description: Hive-relative path of keys.
       example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
       flat_name: registry.key
-      ignore_above: 1024
       level: core
       name: key
       normalize: []
       short: Hive-relative path of keys.
-      type: keyword
+      type: wildcard
     registry.path:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: registry-path
       description: Full path, including hive, key and value
       example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
         Options\winword.exe\Debugger
       flat_name: registry.path
-      ignore_above: 1024
       level: core
       name: path
       normalize: []
       short: Full path, including hive, key and value
-      type: keyword
+      type: wildcard
     registry.value:
       dashed_name: registry-value
       description: Name of the value written.
@@ -7185,11 +7248,12 @@ server:
       short: Unique number allocated to the autonomous system.
       type: long
     server.as.organization.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: server-as-organization-name
       description: Organization name.
       example: Google LLC
       flat_name: server.as.organization.name
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: server.as.organization.name.text
@@ -7200,7 +7264,7 @@ server:
       normalize: []
       original_fieldset: as
       short: Organization name.
-      type: keyword
+      type: wildcard
     server.bytes:
       dashed_name: server-bytes
       description: Bytes sent from the server to the client.
@@ -7213,15 +7277,16 @@ server:
       short: Bytes sent from the server to the client.
       type: long
     server.domain:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: server-domain
       description: Server domain.
       flat_name: server.domain
-      ignore_above: 1024
       level: core
       name: domain
       normalize: []
       short: Server domain.
-      type: keyword
+      type: wildcard
     server.geo.city_name:
       dashed_name: server-geo-city-name
       description: City name.
@@ -7282,6 +7347,8 @@ server:
       short: Longitude and latitude.
       type: geo_point
     server.geo.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: server-geo-name
       description: 'User-defined description of a location, at the level of granularity
         they care about.
@@ -7292,13 +7359,12 @@ server:
         Not typically used in automated geolocation.'
       example: boston-dc
       flat_name: server.geo.name
-      ignore_above: 1024
       level: extended
       name: name
       normalize: []
       original_fieldset: geo
       short: User-defined description of a location.
-      type: keyword
+      type: wildcard
     server.geo.region_iso_code:
       dashed_name: server-geo-region-iso-code
       description: Region ISO code.
@@ -7388,6 +7454,8 @@ server:
       short: Port of the server.
       type: long
     server.registered_domain:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: server-registered-domain
       description: 'The highest registered server domain, stripped of the subdomain.
 
@@ -7398,12 +7466,11 @@ server:
         the last two labels will not work well for TLDs such as "co.uk".'
       example: example.com
       flat_name: server.registered_domain
-      ignore_above: 1024
       level: extended
       name: registered_domain
       normalize: []
       short: The highest registered server domain, stripped of the subdomain.
-      type: keyword
+      type: wildcard
     server.subdomain:
       dashed_name: server-subdomain
       description: 'The subdomain portion of a fully qualified domain name includes
@@ -7453,22 +7520,24 @@ server:
       short: Name of the directory the user is a member of.
       type: keyword
     server.user.email:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: server-user-email
       description: User email address.
       flat_name: server.user.email
-      ignore_above: 1024
       level: extended
       name: email
       normalize: []
       original_fieldset: user
       short: User email address.
-      type: keyword
+      type: wildcard
     server.user.full_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: server-user-full-name
       description: User's full name, if available.
       example: Albert Einstein
       flat_name: server.user.full_name
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: server.user.full_name.text
@@ -7479,7 +7548,7 @@ server:
       normalize: []
       original_fieldset: user
       short: User's full name, if available.
-      type: keyword
+      type: wildcard
     server.user.group.domain:
       dashed_name: server-user-group-domain
       description: 'Name of the directory the group is a member of.
@@ -7542,11 +7611,12 @@ server:
       short: Unique identifier of the user.
       type: keyword
     server.user.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: server-user-name
       description: Short name or login of the user.
       example: albert
       flat_name: server.user.name
-      ignore_above: 1024
       level: core
       multi_fields:
       - flat_name: server.user.name.text
@@ -7557,7 +7627,7 @@ server:
       normalize: []
       original_fieldset: user
       short: Short name or login of the user.
-      type: keyword
+      type: wildcard
     server.user.roles:
       dashed_name: server-user-roles
       description: Array of user roles at the time of the event.
@@ -7755,11 +7825,12 @@ source:
       short: Unique number allocated to the autonomous system.
       type: long
     source.as.organization.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: source-as-organization-name
       description: Organization name.
       example: Google LLC
       flat_name: source.as.organization.name
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: source.as.organization.name.text
@@ -7770,7 +7841,7 @@ source:
       normalize: []
       original_fieldset: as
       short: Organization name.
-      type: keyword
+      type: wildcard
     source.bytes:
       dashed_name: source-bytes
       description: Bytes sent from the source to the destination.
@@ -7783,15 +7854,16 @@ source:
       short: Bytes sent from the source to the destination.
       type: long
     source.domain:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: source-domain
       description: Source domain.
       flat_name: source.domain
-      ignore_above: 1024
       level: core
       name: domain
       normalize: []
       short: Source domain.
-      type: keyword
+      type: wildcard
     source.geo.city_name:
       dashed_name: source-geo-city-name
       description: City name.
@@ -7852,6 +7924,8 @@ source:
       short: Longitude and latitude.
       type: geo_point
     source.geo.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: source-geo-name
       description: 'User-defined description of a location, at the level of granularity
         they care about.
@@ -7862,13 +7936,12 @@ source:
         Not typically used in automated geolocation.'
       example: boston-dc
       flat_name: source.geo.name
-      ignore_above: 1024
       level: extended
       name: name
       normalize: []
       original_fieldset: geo
       short: User-defined description of a location.
-      type: keyword
+      type: wildcard
     source.geo.region_iso_code:
       dashed_name: source-geo-region-iso-code
       description: Region ISO code.
@@ -7958,6 +8031,8 @@ source:
       short: Port of the source.
       type: long
     source.registered_domain:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: source-registered-domain
       description: 'The highest registered source domain, stripped of the subdomain.
 
@@ -7968,12 +8043,11 @@ source:
         the last two labels will not work well for TLDs such as "co.uk".'
       example: example.com
       flat_name: source.registered_domain
-      ignore_above: 1024
       level: extended
       name: registered_domain
       normalize: []
       short: The highest registered source domain, stripped of the subdomain.
-      type: keyword
+      type: wildcard
     source.subdomain:
       dashed_name: source-subdomain
       description: 'The subdomain portion of a fully qualified domain name includes
@@ -8023,22 +8097,24 @@ source:
       short: Name of the directory the user is a member of.
       type: keyword
     source.user.email:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: source-user-email
       description: User email address.
       flat_name: source.user.email
-      ignore_above: 1024
       level: extended
       name: email
       normalize: []
       original_fieldset: user
       short: User email address.
-      type: keyword
+      type: wildcard
     source.user.full_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: source-user-full-name
       description: User's full name, if available.
       example: Albert Einstein
       flat_name: source.user.full_name
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: source.user.full_name.text
@@ -8049,7 +8125,7 @@ source:
       normalize: []
       original_fieldset: user
       short: User's full name, if available.
-      type: keyword
+      type: wildcard
     source.user.group.domain:
       dashed_name: source-user-group-domain
       description: 'Name of the directory the group is a member of.
@@ -8112,11 +8188,12 @@ source:
       short: Unique identifier of the user.
       type: keyword
     source.user.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: source-user-name
       description: Short name or login of the user.
       example: albert
       flat_name: source.user.name
-      ignore_above: 1024
       level: core
       multi_fields:
       - flat_name: source.user.name.text
@@ -8127,7 +8204,7 @@ source:
       normalize: []
       original_fieldset: user
       short: Short name or login of the user.
-      type: keyword
+      type: wildcard
     source.user.roles:
       dashed_name: source-user-roles
       description: Array of user roles at the time of the event.
@@ -8405,18 +8482,19 @@ tls:
         of certificate offered by the client.
       type: keyword
     tls.client.issuer:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: tls-client-issuer
       description: Distinguished name of subject of the issuer of the x.509 certificate
         presented by the client.
       example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
       flat_name: tls.client.issuer
-      ignore_above: 1024
       level: extended
       name: client.issuer
       normalize: []
       short: Distinguished name of subject of the issuer of the x.509 certificate
         presented by the client.
-      type: keyword
+      type: wildcard
     tls.client.ja3:
       dashed_name: tls-client-ja3
       description: A hash that identifies clients based on how they perform an SSL/TLS
@@ -8466,18 +8544,19 @@ tls:
       short: Hostname the client is trying to connect to. Also called the SNI.
       type: keyword
     tls.client.subject:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: tls-client-subject
       description: Distinguished name of subject of the x.509 certificate presented
         by the client.
       example: CN=myclient, OU=Documentation Team, DC=example, DC=com
       flat_name: tls.client.subject
-      ignore_above: 1024
       level: extended
       name: client.subject
       normalize: []
       short: Distinguished name of subject of the x.509 certificate presented by the
         client.
-      type: keyword
+      type: wildcard
     tls.client.supported_ciphers:
       dashed_name: tls-client-supported-ciphers
       description: Array of ciphers offered by the client during the client hello.
@@ -8533,18 +8612,19 @@ tls:
       short: List of country (C) codes
       type: keyword
     tls.client.x509.issuer.distinguished_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: tls-client-x509-issuer-distinguished-name
       description: Distinguished name (DN) of issuing certificate authority.
       example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
         Server CA
       flat_name: tls.client.x509.issuer.distinguished_name
-      ignore_above: 1024
       level: extended
       name: issuer.distinguished_name
       normalize: []
       original_fieldset: x509
       short: Distinguished name (DN) of issuing certificate authority.
-      type: keyword
+      type: wildcard
     tls.client.x509.issuer.locality:
       dashed_name: tls-client-x509-issuer-locality
       description: List of locality names (L)
@@ -8723,17 +8803,18 @@ tls:
       short: List of country (C) code
       type: keyword
     tls.client.x509.subject.distinguished_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: tls-client-x509-subject-distinguished-name
       description: Distinguished name (DN) of the certificate subject entity.
       example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
       flat_name: tls.client.x509.subject.distinguished_name
-      ignore_above: 1024
       level: extended
       name: subject.distinguished_name
       normalize: []
       original_fieldset: x509
       short: Distinguished name (DN) of the certificate subject entity.
-      type: keyword
+      type: wildcard
     tls.client.x509.subject.locality:
       dashed_name: tls-client-x509-subject-locality
       description: List of locality names (L)
@@ -8914,17 +8995,18 @@ tls:
         of certificate offered by the server.
       type: keyword
     tls.server.issuer:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: tls-server-issuer
       description: Subject of the issuer of the x.509 certificate presented by the
         server.
       example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
       flat_name: tls.server.issuer
-      ignore_above: 1024
       level: extended
       name: server.issuer
       normalize: []
       short: Subject of the issuer of the x.509 certificate presented by the server.
-      type: keyword
+      type: wildcard
     tls.server.ja3s:
       dashed_name: tls-server-ja3s
       description: A hash that identifies servers based on how they perform an SSL/TLS
@@ -8961,16 +9043,17 @@ tls:
       short: Timestamp indicating when server certificate is first considered valid.
       type: date
     tls.server.subject:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: tls-server-subject
       description: Subject of the x.509 certificate presented by the server.
       example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com
       flat_name: tls.server.subject
-      ignore_above: 1024
       level: extended
       name: server.subject
       normalize: []
       short: Subject of the x.509 certificate presented by the server.
-      type: keyword
+      type: wildcard
     tls.server.x509.alternative_names:
       dashed_name: tls-server-x509-alternative-names
       description: List of subject alternative names (SAN). Name types vary by certificate
@@ -9013,18 +9096,19 @@ tls:
       short: List of country (C) codes
       type: keyword
     tls.server.x509.issuer.distinguished_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: tls-server-x509-issuer-distinguished-name
       description: Distinguished name (DN) of issuing certificate authority.
       example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
         Server CA
       flat_name: tls.server.x509.issuer.distinguished_name
-      ignore_above: 1024
       level: extended
       name: issuer.distinguished_name
       normalize: []
       original_fieldset: x509
       short: Distinguished name (DN) of issuing certificate authority.
-      type: keyword
+      type: wildcard
     tls.server.x509.issuer.locality:
       dashed_name: tls-server-x509-issuer-locality
       description: List of locality names (L)
@@ -9203,17 +9287,18 @@ tls:
       short: List of country (C) code
       type: keyword
     tls.server.x509.subject.distinguished_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: tls-server-x509-subject-distinguished-name
       description: Distinguished name (DN) of the certificate subject entity.
       example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
       flat_name: tls.server.x509.subject.distinguished_name
-      ignore_above: 1024
       level: extended
       name: subject.distinguished_name
       normalize: []
       original_fieldset: x509
       short: Distinguished name (DN) of the certificate subject entity.
-      type: keyword
+      type: wildcard
     tls.server.x509.subject.locality:
       dashed_name: tls-server-x509-subject-locality
       description: List of locality names (L)
@@ -9379,6 +9464,8 @@ url:
     the breaking down into scheme, domain, path, and so on.
   fields:
     url.domain:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: url-domain
       description: 'Domain of the url, such as "www.elastic.co".
 
@@ -9390,12 +9477,11 @@ url:
         field.'
       example: www.elastic.co
       flat_name: url.domain
-      ignore_above: 1024
       level: extended
       name: domain
       normalize: []
       short: Domain of the url.
-      type: keyword
+      type: wildcard
     url.extension:
       dashed_name: url-extension
       description: 'The field contains the file extension from the original request
@@ -9429,13 +9515,14 @@ url:
       short: Portion of the url after the `#`.
       type: keyword
     url.full:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: url-full
       description: If full URLs are important to your use case, they should be stored
         in `url.full`, whether this field is reconstructed or present in the event
         source.
       example: https://www.elastic.co:443/search?q=elasticsearch#top
       flat_name: url.full
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: url.full.text
@@ -9445,8 +9532,10 @@ url:
       name: full
       normalize: []
       short: Full unparsed URL.
-      type: keyword
+      type: wildcard
     url.original:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: url-original
       description: 'Unmodified original url as seen in the event source.
 
@@ -9456,7 +9545,6 @@ url:
         This field is meant to represent the URL as it was observed, complete or not.'
       example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
       flat_name: url.original
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: url.original.text
@@ -9466,7 +9554,7 @@ url:
       name: original
       normalize: []
       short: Unmodified original url as seen in the event source.
-      type: keyword
+      type: wildcard
     url.password:
       dashed_name: url-password
       description: Password of the request.
@@ -9478,15 +9566,16 @@ url:
       short: Password of the request.
       type: keyword
     url.path:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: url-path
       description: Path of the request, such as "/search".
       flat_name: url.path
-      ignore_above: 1024
       level: extended
       name: path
       normalize: []
       short: Path of the request, such as "/search".
-      type: keyword
+      type: wildcard
     url.port:
       dashed_name: url-port
       description: Port of the request, such as 443.
@@ -9515,6 +9604,8 @@ url:
       short: Query string of the request.
       type: keyword
     url.registered_domain:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: url-registered-domain
       description: 'The highest registered url domain, stripped of the subdomain.
 
@@ -9525,12 +9616,11 @@ url:
         the last two labels will not work well for TLDs such as "co.uk".'
       example: example.com
       flat_name: url.registered_domain
-      ignore_above: 1024
       level: extended
       name: registered_domain
       normalize: []
       short: The highest registered url domain, stripped of the subdomain.
-      type: keyword
+      type: wildcard
     url.scheme:
       dashed_name: url-scheme
       description: 'Scheme of the request, such as "https".
@@ -9616,22 +9706,24 @@ user:
       short: Name of the directory the user is a member of.
       type: keyword
     user.changes.email:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: user-changes-email
       description: User email address.
       flat_name: user.changes.email
-      ignore_above: 1024
       level: extended
       name: email
       normalize: []
       original_fieldset: user
       short: User email address.
-      type: keyword
+      type: wildcard
     user.changes.full_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: user-changes-full-name
       description: User's full name, if available.
       example: Albert Einstein
       flat_name: user.changes.full_name
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: user.changes.full_name.text
@@ -9642,7 +9734,7 @@ user:
       normalize: []
       original_fieldset: user
       short: User's full name, if available.
-      type: keyword
+      type: wildcard
     user.changes.group.domain:
       dashed_name: user-changes-group-domain
       description: 'Name of the directory the group is a member of.
@@ -9705,11 +9797,12 @@ user:
       short: Unique identifier of the user.
       type: keyword
     user.changes.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: user-changes-name
       description: Short name or login of the user.
       example: albert
       flat_name: user.changes.name
-      ignore_above: 1024
       level: core
       multi_fields:
       - flat_name: user.changes.name.text
@@ -9720,7 +9813,7 @@ user:
       normalize: []
       original_fieldset: user
       short: Short name or login of the user.
-      type: keyword
+      type: wildcard
     user.changes.roles:
       dashed_name: user-changes-roles
       description: Array of user roles at the time of the event.
@@ -9760,22 +9853,24 @@ user:
       short: Name of the directory the user is a member of.
       type: keyword
     user.effective.email:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: user-effective-email
       description: User email address.
       flat_name: user.effective.email
-      ignore_above: 1024
       level: extended
       name: email
       normalize: []
       original_fieldset: user
       short: User email address.
-      type: keyword
+      type: wildcard
     user.effective.full_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: user-effective-full-name
       description: User's full name, if available.
       example: Albert Einstein
       flat_name: user.effective.full_name
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: user.effective.full_name.text
@@ -9786,7 +9881,7 @@ user:
       normalize: []
       original_fieldset: user
       short: User's full name, if available.
-      type: keyword
+      type: wildcard
     user.effective.group.domain:
       dashed_name: user-effective-group-domain
       description: 'Name of the directory the group is a member of.
@@ -9849,11 +9944,12 @@ user:
       short: Unique identifier of the user.
       type: keyword
     user.effective.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: user-effective-name
       description: Short name or login of the user.
       example: albert
       flat_name: user.effective.name
-      ignore_above: 1024
       level: core
       multi_fields:
       - flat_name: user.effective.name.text
@@ -9864,7 +9960,7 @@ user:
       normalize: []
       original_fieldset: user
       short: Short name or login of the user.
-      type: keyword
+      type: wildcard
     user.effective.roles:
       dashed_name: user-effective-roles
       description: Array of user roles at the time of the event.
@@ -9879,21 +9975,23 @@ user:
       short: Array of user roles at the time of the event.
       type: keyword
     user.email:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: user-email
       description: User email address.
       flat_name: user.email
-      ignore_above: 1024
       level: extended
       name: email
       normalize: []
       short: User email address.
-      type: keyword
+      type: wildcard
     user.full_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: user-full-name
       description: User's full name, if available.
       example: Albert Einstein
       flat_name: user.full_name
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: user.full_name.text
@@ -9903,7 +10001,7 @@ user:
       name: full_name
       normalize: []
       short: User's full name, if available.
-      type: keyword
+      type: wildcard
     user.group.domain:
       dashed_name: user-group-domain
       description: 'Name of the directory the group is a member of.
@@ -9964,11 +10062,12 @@ user:
       short: Unique identifier of the user.
       type: keyword
     user.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: user-name
       description: Short name or login of the user.
       example: albert
       flat_name: user.name
-      ignore_above: 1024
       level: core
       multi_fields:
       - flat_name: user.name.text
@@ -9978,7 +10077,7 @@ user:
       name: name
       normalize: []
       short: Short name or login of the user.
-      type: keyword
+      type: wildcard
     user.roles:
       dashed_name: user-roles
       description: Array of user roles at the time of the event.
@@ -10005,22 +10104,24 @@ user:
       short: Name of the directory the user is a member of.
       type: keyword
     user.target.email:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: user-target-email
       description: User email address.
       flat_name: user.target.email
-      ignore_above: 1024
       level: extended
       name: email
       normalize: []
       original_fieldset: user
       short: User email address.
-      type: keyword
+      type: wildcard
     user.target.full_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: user-target-full-name
       description: User's full name, if available.
       example: Albert Einstein
       flat_name: user.target.full_name
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: user.target.full_name.text
@@ -10031,7 +10132,7 @@ user:
       normalize: []
       original_fieldset: user
       short: User's full name, if available.
-      type: keyword
+      type: wildcard
     user.target.group.domain:
       dashed_name: user-target-group-domain
       description: 'Name of the directory the group is a member of.
@@ -10094,11 +10195,12 @@ user:
       short: Unique identifier of the user.
       type: keyword
     user.target.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: user-target-name
       description: Short name or login of the user.
       example: albert
       flat_name: user.target.name
-      ignore_above: 1024
       level: core
       multi_fields:
       - flat_name: user.target.name.text
@@ -10109,7 +10211,7 @@ user:
       normalize: []
       original_fieldset: user
       short: Short name or login of the user.
-      type: keyword
+      type: wildcard
     user.target.roles:
       dashed_name: user-target-roles
       description: Array of user roles at the time of the event.
@@ -10208,12 +10310,13 @@ user_agent:
       short: Name of the user agent.
       type: keyword
     user_agent.original:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: user-agent-original
       description: Unparsed user_agent string.
       example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15
         (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
       flat_name: user_agent.original
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: user_agent.original.text
@@ -10223,7 +10326,7 @@ user_agent:
       name: original
       normalize: []
       short: Unparsed user_agent string.
-      type: keyword
+      type: wildcard
     user_agent.os.family:
       dashed_name: user-agent-os-family
       description: OS family (such as redhat, debian, freebsd, windows).
@@ -10237,11 +10340,12 @@ user_agent:
       short: OS family (such as redhat, debian, freebsd, windows).
       type: keyword
     user_agent.os.full:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: user-agent-os-full
       description: Operating system name, including the version or code name.
       example: Mac OS Mojave
       flat_name: user_agent.os.full
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: user_agent.os.full.text
@@ -10252,7 +10356,7 @@ user_agent:
       normalize: []
       original_fieldset: os
       short: Operating system name, including the version or code name.
-      type: keyword
+      type: wildcard
     user_agent.os.kernel:
       dashed_name: user-agent-os-kernel
       description: Operating system kernel version as a raw string.
@@ -10266,11 +10370,12 @@ user_agent:
       short: Operating system kernel version as a raw string.
       type: keyword
     user_agent.os.name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: user-agent-os-name
       description: Operating system name, without the version.
       example: Mac OS X
       flat_name: user_agent.os.name
-      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: user_agent.os.name.text
@@ -10281,7 +10386,7 @@ user_agent:
       normalize: []
       original_fieldset: os
       short: Operating system name, without the version.
-      type: keyword
+      type: wildcard
     user_agent.os.platform:
       dashed_name: user-agent-os-platform
       description: Operating system platform (such centos, ubuntu, windows).
@@ -10647,17 +10752,18 @@ x509:
       short: List of country (C) codes
       type: keyword
     x509.issuer.distinguished_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: x509-issuer-distinguished-name
       description: Distinguished name (DN) of issuing certificate authority.
       example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
         Server CA
       flat_name: x509.issuer.distinguished_name
-      ignore_above: 1024
       level: extended
       name: issuer.distinguished_name
       normalize: []
       short: Distinguished name (DN) of issuing certificate authority.
-      type: keyword
+      type: wildcard
     x509.issuer.locality:
       dashed_name: x509-issuer-locality
       description: List of locality names (L)
@@ -10822,16 +10928,17 @@ x509:
       short: List of country (C) code
       type: keyword
     x509.subject.distinguished_name:
+      beta: Note the usage of `wildcard` type is considered beta. This field used
+        to be type `keyword`.
       dashed_name: x509-subject-distinguished-name
       description: Distinguished name (DN) of the certificate subject entity.
       example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
       flat_name: x509.subject.distinguished_name
-      ignore_above: 1024
       level: extended
       name: subject.distinguished_name
       normalize: []
       short: Distinguished name (DN) of the certificate subject entity.
-      type: keyword
+      type: wildcard
     x509.subject.locality:
       dashed_name: x509-subject-locality
       description: List of locality names (L)
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json
index 4b94205762..98bf95f301 100644
--- a/generated/elasticsearch/7/template.json
+++ b/generated/elasticsearch/7/template.json
@@ -27,8 +27,7 @@
           "build": {
             "properties": {
               "original": {
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               }
             }
           },
@@ -74,8 +73,7 @@
                         "type": "text"
                       }
                     },
-                    "ignore_above": 1024,
-                    "type": "keyword"
+                    "type": "wildcard"
                   }
                 }
               }
@@ -85,8 +83,7 @@
             "type": "long"
           },
           "domain": {
-            "ignore_above": 1024,
-            "type": "keyword"
+            "type": "wildcard"
           },
           "geo": {
             "properties": {
@@ -110,8 +107,7 @@
                 "type": "geo_point"
               },
               "name": {
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "region_iso_code": {
                 "ignore_above": 1024,
@@ -147,8 +143,7 @@
             "type": "long"
           },
           "registered_domain": {
-            "ignore_above": 1024,
-            "type": "keyword"
+            "type": "wildcard"
           },
           "subdomain": {
             "ignore_above": 1024,
@@ -165,8 +160,7 @@
                 "type": "keyword"
               },
               "email": {
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "full_name": {
                 "fields": {
@@ -175,8 +169,7 @@
                     "type": "text"
                   }
                 },
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "group": {
                 "properties": {
@@ -209,8 +202,7 @@
                     "type": "text"
                   }
                 },
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "roles": {
                 "ignore_above": 1024,
@@ -331,8 +323,7 @@
                         "type": "text"
                       }
                     },
-                    "ignore_above": 1024,
-                    "type": "keyword"
+                    "type": "wildcard"
                   }
                 }
               }
@@ -342,8 +333,7 @@
             "type": "long"
           },
           "domain": {
-            "ignore_above": 1024,
-            "type": "keyword"
+            "type": "wildcard"
           },
           "geo": {
             "properties": {
@@ -367,8 +357,7 @@
                 "type": "geo_point"
               },
               "name": {
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "region_iso_code": {
                 "ignore_above": 1024,
@@ -404,8 +393,7 @@
             "type": "long"
           },
           "registered_domain": {
-            "ignore_above": 1024,
-            "type": "keyword"
+            "type": "wildcard"
           },
           "subdomain": {
             "ignore_above": 1024,
@@ -422,8 +410,7 @@
                 "type": "keyword"
               },
               "email": {
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "full_name": {
                 "fields": {
@@ -432,8 +419,7 @@
                     "type": "text"
                   }
                 },
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "group": {
                 "properties": {
@@ -466,8 +452,7 @@
                     "type": "text"
                   }
                 },
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "roles": {
                 "ignore_above": 1024,
@@ -551,8 +536,7 @@
                 "type": "keyword"
               },
               "original_file_name": {
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "product": {
                 "ignore_above": 1024,
@@ -571,8 +555,7 @@
                 "type": "keyword"
               },
               "data": {
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "name": {
                 "ignore_above": 1024,
@@ -607,8 +590,7 @@
                 "type": "keyword"
               },
               "name": {
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "registered_domain": {
                 "ignore_above": 1024,
@@ -664,20 +646,16 @@
             "type": "text"
           },
           "stack_trace": {
-            "doc_values": false,
             "fields": {
               "text": {
                 "norms": false,
                 "type": "text"
               }
             },
-            "ignore_above": 1024,
-            "index": false,
-            "type": "keyword"
+            "type": "wildcard"
           },
           "type": {
-            "ignore_above": 1024,
-            "type": "keyword"
+            "type": "wildcard"
           }
         }
       },
@@ -819,8 +797,7 @@
             "type": "keyword"
           },
           "directory": {
-            "ignore_above": 1024,
-            "type": "keyword"
+            "type": "wildcard"
           },
           "drive_letter": {
             "ignore_above": 1,
@@ -888,8 +865,7 @@
                 "type": "text"
               }
             },
-            "ignore_above": 1024,
-            "type": "keyword"
+            "type": "wildcard"
           },
           "pe": {
             "properties": {
@@ -914,8 +890,7 @@
                 "type": "keyword"
               },
               "original_file_name": {
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "product": {
                 "ignore_above": 1024,
@@ -933,8 +908,7 @@
                 "type": "text"
               }
             },
-            "ignore_above": 1024,
-            "type": "keyword"
+            "type": "wildcard"
           },
           "type": {
             "ignore_above": 1024,
@@ -961,8 +935,7 @@
                     "type": "keyword"
                   },
                   "distinguished_name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
+                    "type": "wildcard"
                   },
                   "locality": {
                     "ignore_above": 1024,
@@ -1023,8 +996,7 @@
                     "type": "keyword"
                   },
                   "distinguished_name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
+                    "type": "wildcard"
                   },
                   "locality": {
                     "ignore_above": 1024,
@@ -1100,8 +1072,7 @@
                 "type": "geo_point"
               },
               "name": {
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "region_iso_code": {
                 "ignore_above": 1024,
@@ -1114,8 +1085,7 @@
             }
           },
           "hostname": {
-            "ignore_above": 1024,
-            "type": "keyword"
+            "type": "wildcard"
           },
           "id": {
             "ignore_above": 1024,
@@ -1145,8 +1115,7 @@
                     "type": "text"
                   }
                 },
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "kernel": {
                 "ignore_above": 1024,
@@ -1159,8 +1128,7 @@
                     "type": "text"
                   }
                 },
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "platform": {
                 "ignore_above": 1024,
@@ -1190,8 +1158,7 @@
                 "type": "keyword"
               },
               "email": {
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "full_name": {
                 "fields": {
@@ -1200,8 +1167,7 @@
                     "type": "text"
                   }
                 },
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "group": {
                 "properties": {
@@ -1234,8 +1200,7 @@
                     "type": "text"
                   }
                 },
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "roles": {
                 "ignore_above": 1024,
@@ -1261,8 +1226,7 @@
                         "type": "text"
                       }
                     },
-                    "ignore_above": 1024,
-                    "type": "keyword"
+                    "type": "wildcard"
                   }
                 }
               },
@@ -1278,8 +1242,7 @@
                 "type": "keyword"
               },
               "referrer": {
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               }
             }
           },
@@ -1297,8 +1260,7 @@
                         "type": "text"
                       }
                     },
-                    "ignore_above": 1024,
-                    "type": "keyword"
+                    "type": "wildcard"
                   }
                 }
               },
@@ -1328,8 +1290,7 @@
           "file": {
             "properties": {
               "path": {
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               }
             }
           },
@@ -1338,8 +1299,7 @@
             "type": "keyword"
           },
           "logger": {
-            "ignore_above": 1024,
-            "type": "keyword"
+            "type": "wildcard"
           },
           "origin": {
             "properties": {
@@ -1537,8 +1497,7 @@
                 "type": "geo_point"
               },
               "name": {
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "region_iso_code": {
                 "ignore_above": 1024,
@@ -1615,8 +1574,7 @@
                     "type": "text"
                   }
                 },
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "kernel": {
                 "ignore_above": 1024,
@@ -1629,8 +1587,7 @@
                     "type": "text"
                   }
                 },
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "platform": {
                 "ignore_above": 1024,
@@ -1681,8 +1638,7 @@
                 "type": "text"
               }
             },
-            "ignore_above": 1024,
-            "type": "keyword"
+            "type": "wildcard"
           }
         }
       },
@@ -1777,8 +1733,7 @@
                 "type": "text"
               }
             },
-            "ignore_above": 1024,
-            "type": "keyword"
+            "type": "wildcard"
           },
           "entity_id": {
             "ignore_above": 1024,
@@ -1791,8 +1746,7 @@
                 "type": "text"
               }
             },
-            "ignore_above": 1024,
-            "type": "keyword"
+            "type": "wildcard"
           },
           "exit_code": {
             "type": "long"
@@ -1824,8 +1778,7 @@
                 "type": "text"
               }
             },
-            "ignore_above": 1024,
-            "type": "keyword"
+            "type": "wildcard"
           },
           "parent": {
             "properties": {
@@ -1864,8 +1817,7 @@
                     "type": "text"
                   }
                 },
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "entity_id": {
                 "ignore_above": 1024,
@@ -1878,8 +1830,7 @@
                     "type": "text"
                   }
                 },
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "exit_code": {
                 "type": "long"
@@ -1911,8 +1862,7 @@
                     "type": "text"
                   }
                 },
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "pe": {
                 "properties": {
@@ -1937,8 +1887,7 @@
                     "type": "keyword"
                   },
                   "original_file_name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
+                    "type": "wildcard"
                   },
                   "product": {
                     "ignore_above": 1024,
@@ -1964,8 +1913,7 @@
                     "type": "long"
                   },
                   "name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
+                    "type": "wildcard"
                   }
                 }
               },
@@ -1976,8 +1924,7 @@
                     "type": "text"
                   }
                 },
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "uptime": {
                 "type": "long"
@@ -1989,8 +1936,7 @@
                     "type": "text"
                   }
                 },
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               }
             }
           },
@@ -2017,8 +1963,7 @@
                 "type": "keyword"
               },
               "original_file_name": {
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "product": {
                 "ignore_above": 1024,
@@ -2044,8 +1989,7 @@
                 "type": "long"
               },
               "name": {
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               }
             }
           },
@@ -2056,8 +2000,7 @@
                 "type": "text"
               }
             },
-            "ignore_above": 1024,
-            "type": "keyword"
+            "type": "wildcard"
           },
           "uptime": {
             "type": "long"
@@ -2069,8 +2012,7 @@
                 "type": "text"
               }
             },
-            "ignore_above": 1024,
-            "type": "keyword"
+            "type": "wildcard"
           }
         }
       },
@@ -2083,8 +2025,7 @@
                 "type": "keyword"
               },
               "strings": {
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "type": {
                 "ignore_above": 1024,
@@ -2097,12 +2038,10 @@
             "type": "keyword"
           },
           "key": {
-            "ignore_above": 1024,
-            "type": "keyword"
+            "type": "wildcard"
           },
           "path": {
-            "ignore_above": 1024,
-            "type": "keyword"
+            "type": "wildcard"
           },
           "value": {
             "ignore_above": 1024,
@@ -2193,8 +2132,7 @@
                         "type": "text"
                       }
                     },
-                    "ignore_above": 1024,
-                    "type": "keyword"
+                    "type": "wildcard"
                   }
                 }
               }
@@ -2204,8 +2142,7 @@
             "type": "long"
           },
           "domain": {
-            "ignore_above": 1024,
-            "type": "keyword"
+            "type": "wildcard"
           },
           "geo": {
             "properties": {
@@ -2229,8 +2166,7 @@
                 "type": "geo_point"
               },
               "name": {
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "region_iso_code": {
                 "ignore_above": 1024,
@@ -2266,8 +2202,7 @@
             "type": "long"
           },
           "registered_domain": {
-            "ignore_above": 1024,
-            "type": "keyword"
+            "type": "wildcard"
           },
           "subdomain": {
             "ignore_above": 1024,
@@ -2284,8 +2219,7 @@
                 "type": "keyword"
               },
               "email": {
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "full_name": {
                 "fields": {
@@ -2294,8 +2228,7 @@
                     "type": "text"
                   }
                 },
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "group": {
                 "properties": {
@@ -2328,8 +2261,7 @@
                     "type": "text"
                   }
                 },
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "roles": {
                 "ignore_above": 1024,
@@ -2395,8 +2327,7 @@
                         "type": "text"
                       }
                     },
-                    "ignore_above": 1024,
-                    "type": "keyword"
+                    "type": "wildcard"
                   }
                 }
               }
@@ -2406,8 +2337,7 @@
             "type": "long"
           },
           "domain": {
-            "ignore_above": 1024,
-            "type": "keyword"
+            "type": "wildcard"
           },
           "geo": {
             "properties": {
@@ -2431,8 +2361,7 @@
                 "type": "geo_point"
               },
               "name": {
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "region_iso_code": {
                 "ignore_above": 1024,
@@ -2468,8 +2397,7 @@
             "type": "long"
           },
           "registered_domain": {
-            "ignore_above": 1024,
-            "type": "keyword"
+            "type": "wildcard"
           },
           "subdomain": {
             "ignore_above": 1024,
@@ -2486,8 +2414,7 @@
                 "type": "keyword"
               },
               "email": {
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "full_name": {
                 "fields": {
@@ -2496,8 +2423,7 @@
                     "type": "text"
                   }
                 },
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "group": {
                 "properties": {
@@ -2530,8 +2456,7 @@
                     "type": "text"
                   }
                 },
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "roles": {
                 "ignore_above": 1024,
@@ -2654,8 +2579,7 @@
                 }
               },
               "issuer": {
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "ja3": {
                 "ignore_above": 1024,
@@ -2672,8 +2596,7 @@
                 "type": "keyword"
               },
               "subject": {
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "supported_ciphers": {
                 "ignore_above": 1024,
@@ -2696,8 +2619,7 @@
                         "type": "keyword"
                       },
                       "distinguished_name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
+                        "type": "wildcard"
                       },
                       "locality": {
                         "ignore_above": 1024,
@@ -2758,8 +2680,7 @@
                         "type": "keyword"
                       },
                       "distinguished_name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
+                        "type": "wildcard"
                       },
                       "locality": {
                         "ignore_above": 1024,
@@ -2828,8 +2749,7 @@
                 }
               },
               "issuer": {
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "ja3s": {
                 "ignore_above": 1024,
@@ -2842,8 +2762,7 @@
                 "type": "date"
               },
               "subject": {
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "x509": {
                 "properties": {
@@ -2862,8 +2781,7 @@
                         "type": "keyword"
                       },
                       "distinguished_name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
+                        "type": "wildcard"
                       },
                       "locality": {
                         "ignore_above": 1024,
@@ -2924,8 +2842,7 @@
                         "type": "keyword"
                       },
                       "distinguished_name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
+                        "type": "wildcard"
                       },
                       "locality": {
                         "ignore_above": 1024,
@@ -2982,8 +2899,7 @@
       "url": {
         "properties": {
           "domain": {
-            "ignore_above": 1024,
-            "type": "keyword"
+            "type": "wildcard"
           },
           "extension": {
             "ignore_above": 1024,
@@ -3000,8 +2916,7 @@
                 "type": "text"
               }
             },
-            "ignore_above": 1024,
-            "type": "keyword"
+            "type": "wildcard"
           },
           "original": {
             "fields": {
@@ -3010,16 +2925,14 @@
                 "type": "text"
               }
             },
-            "ignore_above": 1024,
-            "type": "keyword"
+            "type": "wildcard"
           },
           "password": {
             "ignore_above": 1024,
             "type": "keyword"
           },
           "path": {
-            "ignore_above": 1024,
-            "type": "keyword"
+            "type": "wildcard"
           },
           "port": {
             "type": "long"
@@ -3029,8 +2942,7 @@
             "type": "keyword"
           },
           "registered_domain": {
-            "ignore_above": 1024,
-            "type": "keyword"
+            "type": "wildcard"
           },
           "scheme": {
             "ignore_above": 1024,
@@ -3059,8 +2971,7 @@
                 "type": "keyword"
               },
               "email": {
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "full_name": {
                 "fields": {
@@ -3069,8 +2980,7 @@
                     "type": "text"
                   }
                 },
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "group": {
                 "properties": {
@@ -3103,8 +3013,7 @@
                     "type": "text"
                   }
                 },
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "roles": {
                 "ignore_above": 1024,
@@ -3123,8 +3032,7 @@
                 "type": "keyword"
               },
               "email": {
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "full_name": {
                 "fields": {
@@ -3133,8 +3041,7 @@
                     "type": "text"
                   }
                 },
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "group": {
                 "properties": {
@@ -3167,8 +3074,7 @@
                     "type": "text"
                   }
                 },
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "roles": {
                 "ignore_above": 1024,
@@ -3177,8 +3083,7 @@
             }
           },
           "email": {
-            "ignore_above": 1024,
-            "type": "keyword"
+            "type": "wildcard"
           },
           "full_name": {
             "fields": {
@@ -3187,8 +3092,7 @@
                 "type": "text"
               }
             },
-            "ignore_above": 1024,
-            "type": "keyword"
+            "type": "wildcard"
           },
           "group": {
             "properties": {
@@ -3221,8 +3125,7 @@
                 "type": "text"
               }
             },
-            "ignore_above": 1024,
-            "type": "keyword"
+            "type": "wildcard"
           },
           "roles": {
             "ignore_above": 1024,
@@ -3235,8 +3138,7 @@
                 "type": "keyword"
               },
               "email": {
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "full_name": {
                 "fields": {
@@ -3245,8 +3147,7 @@
                     "type": "text"
                   }
                 },
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "group": {
                 "properties": {
@@ -3279,8 +3180,7 @@
                     "type": "text"
                   }
                 },
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "roles": {
                 "ignore_above": 1024,
@@ -3311,8 +3211,7 @@
                 "type": "text"
               }
             },
-            "ignore_above": 1024,
-            "type": "keyword"
+            "type": "wildcard"
           },
           "os": {
             "properties": {
@@ -3327,8 +3226,7 @@
                     "type": "text"
                   }
                 },
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "kernel": {
                 "ignore_above": 1024,
@@ -3341,8 +3239,7 @@
                     "type": "text"
                   }
                 },
-                "ignore_above": 1024,
-                "type": "keyword"
+                "type": "wildcard"
               },
               "platform": {
                 "ignore_above": 1024,
diff --git a/generated/elasticsearch/component/agent.json b/generated/elasticsearch/component/agent.json
index c130016bbd..353ba82a15 100644
--- a/generated/elasticsearch/component/agent.json
+++ b/generated/elasticsearch/component/agent.json
@@ -11,8 +11,7 @@
             "build": {
               "properties": {
                 "original": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 }
               }
             },
diff --git a/generated/elasticsearch/component/client.json b/generated/elasticsearch/component/client.json
index 5dde7cdb39..31e691aed1 100644
--- a/generated/elasticsearch/component/client.json
+++ b/generated/elasticsearch/component/client.json
@@ -26,8 +26,7 @@
                           "type": "text"
                         }
                       },
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "wildcard"
                     }
                   }
                 }
@@ -37,8 +36,7 @@
               "type": "long"
             },
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "wildcard"
             },
             "geo": {
               "properties": {
@@ -62,8 +60,7 @@
                   "type": "geo_point"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "region_iso_code": {
                   "ignore_above": 1024,
@@ -99,8 +96,7 @@
               "type": "long"
             },
             "registered_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "wildcard"
             },
             "subdomain": {
               "ignore_above": 1024,
@@ -117,8 +113,7 @@
                   "type": "keyword"
                 },
                 "email": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "full_name": {
                   "fields": {
@@ -127,8 +122,7 @@
                       "type": "text"
                     }
                   },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "group": {
                   "properties": {
@@ -161,8 +155,7 @@
                       "type": "text"
                     }
                   },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "roles": {
                   "ignore_above": 1024,
diff --git a/generated/elasticsearch/component/destination.json b/generated/elasticsearch/component/destination.json
index 1a24a18e99..d9e445f419 100644
--- a/generated/elasticsearch/component/destination.json
+++ b/generated/elasticsearch/component/destination.json
@@ -26,8 +26,7 @@
                           "type": "text"
                         }
                       },
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "wildcard"
                     }
                   }
                 }
@@ -37,8 +36,7 @@
               "type": "long"
             },
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "wildcard"
             },
             "geo": {
               "properties": {
@@ -62,8 +60,7 @@
                   "type": "geo_point"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "region_iso_code": {
                   "ignore_above": 1024,
@@ -99,8 +96,7 @@
               "type": "long"
             },
             "registered_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "wildcard"
             },
             "subdomain": {
               "ignore_above": 1024,
@@ -117,8 +113,7 @@
                   "type": "keyword"
                 },
                 "email": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "full_name": {
                   "fields": {
@@ -127,8 +122,7 @@
                       "type": "text"
                     }
                   },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "group": {
                   "properties": {
@@ -161,8 +155,7 @@
                       "type": "text"
                     }
                   },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "roles": {
                   "ignore_above": 1024,
diff --git a/generated/elasticsearch/component/dll.json b/generated/elasticsearch/component/dll.json
index e630a76c71..d1654a2995 100644
--- a/generated/elasticsearch/component/dll.json
+++ b/generated/elasticsearch/component/dll.json
@@ -80,8 +80,7 @@
                   "type": "keyword"
                 },
                 "original_file_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "product": {
                   "ignore_above": 1024,
diff --git a/generated/elasticsearch/component/dns.json b/generated/elasticsearch/component/dns.json
index 42d21fc551..15a736a4cf 100644
--- a/generated/elasticsearch/component/dns.json
+++ b/generated/elasticsearch/component/dns.json
@@ -15,8 +15,7 @@
                   "type": "keyword"
                 },
                 "data": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "name": {
                   "ignore_above": 1024,
@@ -51,8 +50,7 @@
                   "type": "keyword"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "registered_domain": {
                   "ignore_above": 1024,
diff --git a/generated/elasticsearch/component/error.json b/generated/elasticsearch/component/error.json
index d22a07231f..6ed08970ef 100644
--- a/generated/elasticsearch/component/error.json
+++ b/generated/elasticsearch/component/error.json
@@ -21,20 +21,16 @@
               "type": "text"
             },
             "stack_trace": {
-              "doc_values": false,
               "fields": {
                 "text": {
                   "norms": false,
                   "type": "text"
                 }
               },
-              "ignore_above": 1024,
-              "index": false,
-              "type": "keyword"
+              "type": "wildcard"
             },
             "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "wildcard"
             }
           }
         }
diff --git a/generated/elasticsearch/component/file.json b/generated/elasticsearch/component/file.json
index cf1324a4f2..073dc7959e 100644
--- a/generated/elasticsearch/component/file.json
+++ b/generated/elasticsearch/component/file.json
@@ -47,8 +47,7 @@
               "type": "keyword"
             },
             "directory": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "wildcard"
             },
             "drive_letter": {
               "ignore_above": 1,
@@ -116,8 +115,7 @@
                   "type": "text"
                 }
               },
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "wildcard"
             },
             "pe": {
               "properties": {
@@ -142,8 +140,7 @@
                   "type": "keyword"
                 },
                 "original_file_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "product": {
                   "ignore_above": 1024,
@@ -161,8 +158,7 @@
                   "type": "text"
                 }
               },
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "wildcard"
             },
             "type": {
               "ignore_above": 1024,
@@ -189,8 +185,7 @@
                       "type": "keyword"
                     },
                     "distinguished_name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "wildcard"
                     },
                     "locality": {
                       "ignore_above": 1024,
@@ -251,8 +246,7 @@
                       "type": "keyword"
                     },
                     "distinguished_name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "wildcard"
                     },
                     "locality": {
                       "ignore_above": 1024,
diff --git a/generated/elasticsearch/component/host.json b/generated/elasticsearch/component/host.json
index 3dbbb8e51a..de2b9925b0 100644
--- a/generated/elasticsearch/component/host.json
+++ b/generated/elasticsearch/component/host.json
@@ -38,8 +38,7 @@
                   "type": "geo_point"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "region_iso_code": {
                   "ignore_above": 1024,
@@ -52,8 +51,7 @@
               }
             },
             "hostname": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "wildcard"
             },
             "id": {
               "ignore_above": 1024,
@@ -83,8 +81,7 @@
                       "type": "text"
                     }
                   },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "kernel": {
                   "ignore_above": 1024,
@@ -97,8 +94,7 @@
                       "type": "text"
                     }
                   },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "platform": {
                   "ignore_above": 1024,
@@ -128,8 +124,7 @@
                   "type": "keyword"
                 },
                 "email": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "full_name": {
                   "fields": {
@@ -138,8 +133,7 @@
                       "type": "text"
                     }
                   },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "group": {
                   "properties": {
@@ -172,8 +166,7 @@
                       "type": "text"
                     }
                   },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "roles": {
                   "ignore_above": 1024,
diff --git a/generated/elasticsearch/component/http.json b/generated/elasticsearch/component/http.json
index 26b934b372..ee434bc3d3 100644
--- a/generated/elasticsearch/component/http.json
+++ b/generated/elasticsearch/component/http.json
@@ -22,8 +22,7 @@
                           "type": "text"
                         }
                       },
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "wildcard"
                     }
                   }
                 },
@@ -39,8 +38,7 @@
                   "type": "keyword"
                 },
                 "referrer": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 }
               }
             },
@@ -58,8 +56,7 @@
                           "type": "text"
                         }
                       },
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "wildcard"
                     }
                   }
                 },
diff --git a/generated/elasticsearch/component/log.json b/generated/elasticsearch/component/log.json
index b73467cc7b..79ac511fe0 100644
--- a/generated/elasticsearch/component/log.json
+++ b/generated/elasticsearch/component/log.json
@@ -11,8 +11,7 @@
             "file": {
               "properties": {
                 "path": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 }
               }
             },
@@ -21,8 +20,7 @@
               "type": "keyword"
             },
             "logger": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "wildcard"
             },
             "origin": {
               "properties": {
diff --git a/generated/elasticsearch/component/observer.json b/generated/elasticsearch/component/observer.json
index a4678c7862..f7b5f2fd65 100644
--- a/generated/elasticsearch/component/observer.json
+++ b/generated/elasticsearch/component/observer.json
@@ -67,8 +67,7 @@
                   "type": "geo_point"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "region_iso_code": {
                   "ignore_above": 1024,
@@ -145,8 +144,7 @@
                       "type": "text"
                     }
                   },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "kernel": {
                   "ignore_above": 1024,
@@ -159,8 +157,7 @@
                       "type": "text"
                     }
                   },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "platform": {
                   "ignore_above": 1024,
diff --git a/generated/elasticsearch/component/organization.json b/generated/elasticsearch/component/organization.json
index 8f912778be..c00ed11538 100644
--- a/generated/elasticsearch/component/organization.json
+++ b/generated/elasticsearch/component/organization.json
@@ -19,8 +19,7 @@
                   "type": "text"
                 }
               },
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "wildcard"
             }
           }
         }
diff --git a/generated/elasticsearch/component/process.json b/generated/elasticsearch/component/process.json
index 51f03ac672..472f0029fb 100644
--- a/generated/elasticsearch/component/process.json
+++ b/generated/elasticsearch/component/process.json
@@ -43,8 +43,7 @@
                   "type": "text"
                 }
               },
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "wildcard"
             },
             "entity_id": {
               "ignore_above": 1024,
@@ -57,8 +56,7 @@
                   "type": "text"
                 }
               },
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "wildcard"
             },
             "exit_code": {
               "type": "long"
@@ -90,8 +88,7 @@
                   "type": "text"
                 }
               },
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "wildcard"
             },
             "parent": {
               "properties": {
@@ -130,8 +127,7 @@
                       "type": "text"
                     }
                   },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "entity_id": {
                   "ignore_above": 1024,
@@ -144,8 +140,7 @@
                       "type": "text"
                     }
                   },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "exit_code": {
                   "type": "long"
@@ -177,8 +172,7 @@
                       "type": "text"
                     }
                   },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "pe": {
                   "properties": {
@@ -203,8 +197,7 @@
                       "type": "keyword"
                     },
                     "original_file_name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "wildcard"
                     },
                     "product": {
                       "ignore_above": 1024,
@@ -230,8 +223,7 @@
                       "type": "long"
                     },
                     "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "wildcard"
                     }
                   }
                 },
@@ -242,8 +234,7 @@
                       "type": "text"
                     }
                   },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "uptime": {
                   "type": "long"
@@ -255,8 +246,7 @@
                       "type": "text"
                     }
                   },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 }
               }
             },
@@ -283,8 +273,7 @@
                   "type": "keyword"
                 },
                 "original_file_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "product": {
                   "ignore_above": 1024,
@@ -310,8 +299,7 @@
                   "type": "long"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 }
               }
             },
@@ -322,8 +310,7 @@
                   "type": "text"
                 }
               },
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "wildcard"
             },
             "uptime": {
               "type": "long"
@@ -335,8 +322,7 @@
                   "type": "text"
                 }
               },
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "wildcard"
             }
           }
         }
diff --git a/generated/elasticsearch/component/registry.json b/generated/elasticsearch/component/registry.json
index f6dea3211e..db6a8c5ba2 100644
--- a/generated/elasticsearch/component/registry.json
+++ b/generated/elasticsearch/component/registry.json
@@ -15,8 +15,7 @@
                   "type": "keyword"
                 },
                 "strings": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "type": {
                   "ignore_above": 1024,
@@ -29,12 +28,10 @@
               "type": "keyword"
             },
             "key": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "wildcard"
             },
             "path": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "wildcard"
             },
             "value": {
               "ignore_above": 1024,
diff --git a/generated/elasticsearch/component/server.json b/generated/elasticsearch/component/server.json
index 0d7e1a95ec..7a5940efb4 100644
--- a/generated/elasticsearch/component/server.json
+++ b/generated/elasticsearch/component/server.json
@@ -26,8 +26,7 @@
                           "type": "text"
                         }
                       },
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "wildcard"
                     }
                   }
                 }
@@ -37,8 +36,7 @@
               "type": "long"
             },
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "wildcard"
             },
             "geo": {
               "properties": {
@@ -62,8 +60,7 @@
                   "type": "geo_point"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "region_iso_code": {
                   "ignore_above": 1024,
@@ -99,8 +96,7 @@
               "type": "long"
             },
             "registered_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "wildcard"
             },
             "subdomain": {
               "ignore_above": 1024,
@@ -117,8 +113,7 @@
                   "type": "keyword"
                 },
                 "email": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "full_name": {
                   "fields": {
@@ -127,8 +122,7 @@
                       "type": "text"
                     }
                   },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "group": {
                   "properties": {
@@ -161,8 +155,7 @@
                       "type": "text"
                     }
                   },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "roles": {
                   "ignore_above": 1024,
diff --git a/generated/elasticsearch/component/source.json b/generated/elasticsearch/component/source.json
index ae6db3d20f..ae2b85b106 100644
--- a/generated/elasticsearch/component/source.json
+++ b/generated/elasticsearch/component/source.json
@@ -26,8 +26,7 @@
                           "type": "text"
                         }
                       },
-                      "ignore_above": 1024,
-                      "type": "keyword"
+                      "type": "wildcard"
                     }
                   }
                 }
@@ -37,8 +36,7 @@
               "type": "long"
             },
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "wildcard"
             },
             "geo": {
               "properties": {
@@ -62,8 +60,7 @@
                   "type": "geo_point"
                 },
                 "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "region_iso_code": {
                   "ignore_above": 1024,
@@ -99,8 +96,7 @@
               "type": "long"
             },
             "registered_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "wildcard"
             },
             "subdomain": {
               "ignore_above": 1024,
@@ -117,8 +113,7 @@
                   "type": "keyword"
                 },
                 "email": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "full_name": {
                   "fields": {
@@ -127,8 +122,7 @@
                       "type": "text"
                     }
                   },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "group": {
                   "properties": {
@@ -161,8 +155,7 @@
                       "type": "text"
                     }
                   },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "roles": {
                   "ignore_above": 1024,
diff --git a/generated/elasticsearch/component/tls.json b/generated/elasticsearch/component/tls.json
index 8eec703977..be3dd91253 100644
--- a/generated/elasticsearch/component/tls.json
+++ b/generated/elasticsearch/component/tls.json
@@ -39,8 +39,7 @@
                   }
                 },
                 "issuer": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "ja3": {
                   "ignore_above": 1024,
@@ -57,8 +56,7 @@
                   "type": "keyword"
                 },
                 "subject": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "supported_ciphers": {
                   "ignore_above": 1024,
@@ -81,8 +79,7 @@
                           "type": "keyword"
                         },
                         "distinguished_name": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
+                          "type": "wildcard"
                         },
                         "locality": {
                           "ignore_above": 1024,
@@ -143,8 +140,7 @@
                           "type": "keyword"
                         },
                         "distinguished_name": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
+                          "type": "wildcard"
                         },
                         "locality": {
                           "ignore_above": 1024,
@@ -213,8 +209,7 @@
                   }
                 },
                 "issuer": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "ja3s": {
                   "ignore_above": 1024,
@@ -227,8 +222,7 @@
                   "type": "date"
                 },
                 "subject": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "x509": {
                   "properties": {
@@ -247,8 +241,7 @@
                           "type": "keyword"
                         },
                         "distinguished_name": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
+                          "type": "wildcard"
                         },
                         "locality": {
                           "ignore_above": 1024,
@@ -309,8 +302,7 @@
                           "type": "keyword"
                         },
                         "distinguished_name": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
+                          "type": "wildcard"
                         },
                         "locality": {
                           "ignore_above": 1024,
diff --git a/generated/elasticsearch/component/url.json b/generated/elasticsearch/component/url.json
index 89cd68c6bd..c50ced4a7d 100644
--- a/generated/elasticsearch/component/url.json
+++ b/generated/elasticsearch/component/url.json
@@ -9,8 +9,7 @@
         "url": {
           "properties": {
             "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "wildcard"
             },
             "extension": {
               "ignore_above": 1024,
@@ -27,8 +26,7 @@
                   "type": "text"
                 }
               },
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "wildcard"
             },
             "original": {
               "fields": {
@@ -37,16 +35,14 @@
                   "type": "text"
                 }
               },
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "wildcard"
             },
             "password": {
               "ignore_above": 1024,
               "type": "keyword"
             },
             "path": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "wildcard"
             },
             "port": {
               "type": "long"
@@ -56,8 +52,7 @@
               "type": "keyword"
             },
             "registered_domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "wildcard"
             },
             "scheme": {
               "ignore_above": 1024,
diff --git a/generated/elasticsearch/component/user.json b/generated/elasticsearch/component/user.json
index b9c0ca72c3..8a1a714414 100644
--- a/generated/elasticsearch/component/user.json
+++ b/generated/elasticsearch/component/user.json
@@ -15,8 +15,7 @@
                   "type": "keyword"
                 },
                 "email": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "full_name": {
                   "fields": {
@@ -25,8 +24,7 @@
                       "type": "text"
                     }
                   },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "group": {
                   "properties": {
@@ -59,8 +57,7 @@
                       "type": "text"
                     }
                   },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "roles": {
                   "ignore_above": 1024,
@@ -79,8 +76,7 @@
                   "type": "keyword"
                 },
                 "email": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "full_name": {
                   "fields": {
@@ -89,8 +85,7 @@
                       "type": "text"
                     }
                   },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "group": {
                   "properties": {
@@ -123,8 +118,7 @@
                       "type": "text"
                     }
                   },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "roles": {
                   "ignore_above": 1024,
@@ -133,8 +127,7 @@
               }
             },
             "email": {
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "wildcard"
             },
             "full_name": {
               "fields": {
@@ -143,8 +136,7 @@
                   "type": "text"
                 }
               },
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "wildcard"
             },
             "group": {
               "properties": {
@@ -177,8 +169,7 @@
                   "type": "text"
                 }
               },
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "wildcard"
             },
             "roles": {
               "ignore_above": 1024,
@@ -191,8 +182,7 @@
                   "type": "keyword"
                 },
                 "email": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "full_name": {
                   "fields": {
@@ -201,8 +191,7 @@
                       "type": "text"
                     }
                   },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "group": {
                   "properties": {
@@ -235,8 +224,7 @@
                       "type": "text"
                     }
                   },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "roles": {
                   "ignore_above": 1024,
diff --git a/generated/elasticsearch/component/user_agent.json b/generated/elasticsearch/component/user_agent.json
index 1dfe0dc08e..c45d126c48 100644
--- a/generated/elasticsearch/component/user_agent.json
+++ b/generated/elasticsearch/component/user_agent.json
@@ -27,8 +27,7 @@
                   "type": "text"
                 }
               },
-              "ignore_above": 1024,
-              "type": "keyword"
+              "type": "wildcard"
             },
             "os": {
               "properties": {
@@ -43,8 +42,7 @@
                       "type": "text"
                     }
                   },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "kernel": {
                   "ignore_above": 1024,
@@ -57,8 +55,7 @@
                       "type": "text"
                     }
                   },
-                  "ignore_above": 1024,
-                  "type": "keyword"
+                  "type": "wildcard"
                 },
                 "platform": {
                   "ignore_above": 1024,
diff --git a/schemas/agent.yml b/schemas/agent.yml
index a7758e90ce..ada014aecb 100644
--- a/schemas/agent.yml
+++ b/schemas/agent.yml
@@ -24,8 +24,9 @@
 
     - name: build.original
       level: core
-      type: keyword
+      type: wildcard
       short: Extended build information for the agent.
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         Extended build information for the agent.
 
diff --git a/schemas/as.yml b/schemas/as.yml
index 952d7febeb..0094a46a9a 100644
--- a/schemas/as.yml
+++ b/schemas/as.yml
@@ -29,7 +29,8 @@
 
     - name: organization.name
       level: extended
-      type: keyword
+      type: wildcard
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         Organization name.
       example: Google LLC
diff --git a/schemas/client.yml b/schemas/client.yml
index e63ab70276..b61329316e 100644
--- a/schemas/client.yml
+++ b/schemas/client.yml
@@ -53,14 +53,16 @@
 
     - name: domain
       level: core
-      type: keyword
+      type: wildcard
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         Client domain.
 
     - name: registered_domain
       level: extended
-      type: keyword
+      type: wildcard
       short: The highest registered client domain, stripped of the subdomain.
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         The highest registered client domain, stripped of the subdomain.
 
diff --git a/schemas/destination.yml b/schemas/destination.yml
index a1e91958f7..ab6979e346 100644
--- a/schemas/destination.yml
+++ b/schemas/destination.yml
@@ -48,13 +48,15 @@
 
     - name: domain
       level: core
-      type: keyword
+      type: wildcard
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         Destination domain.
 
     - name: registered_domain
       level: extended
-      type: keyword
+      type: wildcard
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       short: The highest registered destination domain, stripped of the subdomain.
       description: >
         The highest registered destination domain, stripped of the subdomain.
diff --git a/schemas/dns.yml b/schemas/dns.yml
index afe11a190a..220a723967 100644
--- a/schemas/dns.yml
+++ b/schemas/dns.yml
@@ -66,8 +66,9 @@
 
     - name: question.name
       level: extended
-      type: keyword
+      type: wildcard
       short: The name being queried.
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         The name being queried.
 
@@ -185,8 +186,9 @@
 
     - name: answers.data
       level: extended
-      type: keyword
+      type: wildcard
       short: The data describing the resource.
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         The data describing the resource.
 
diff --git a/schemas/error.yml b/schemas/error.yml
index 7d96f09a4b..b1ae66f588 100644
--- a/schemas/error.yml
+++ b/schemas/error.yml
@@ -31,15 +31,16 @@
 
     - name: type
       level: extended
-      type: keyword
+      type: wildcard
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       example: java.lang.NullPointerException
       description: >
         The type of the error, for example the class name of the exception.
 
     - name: stack_trace
       level: extended
-      type: keyword
-      index: false
+      type: wildcard
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         The stack trace of this error in plain text.
       multi_fields:
diff --git a/schemas/event.yml b/schemas/event.yml
index 45128fcf4a..0edbf6b8de 100644
--- a/schemas/event.yml
+++ b/schemas/event.yml
@@ -590,7 +590,9 @@
           Raw text message of entire event. Used to demonstrate log integrity.
 
           This field is not indexed and doc_values are disabled. It cannot be
-          searched, but it can be retrieved from `_source`.
+          searched, but it can be retrieved from `_source`. If users wish to
+          override this and index this field, consider using the wildcard
+          data type.
       index: false
       doc_values: false
 
diff --git a/schemas/file.yml b/schemas/file.yml
index 545b4661fa..419116c8da 100644
--- a/schemas/file.yml
+++ b/schemas/file.yml
@@ -33,8 +33,9 @@
 
     - name: directory
       level: extended
-      type: keyword
+      type: wildcard
       short: Directory where the file is located.
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         Directory where the file is located. It should include the drive letter,
         when appropriate.
@@ -53,8 +54,9 @@
 
     - name: path
       level: extended
-      type: keyword
+      type: wildcard
       short: Full path to the file, including the file name.
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         Full path to the file, including the file name. It should include the
         drive letter, when appropriate.
@@ -65,7 +67,8 @@
 
     - name: target_path
       level: extended
-      type: keyword
+      type: wildcard
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: Target path for symlinks.
       multi_fields:
         - type: text
diff --git a/schemas/geo.yml b/schemas/geo.yml
index 347d60829e..a6654d982f 100644
--- a/schemas/geo.yml
+++ b/schemas/geo.yml
@@ -71,8 +71,9 @@
 
     - name: name
       level: extended
-      type: keyword
+      type: wildcard
       short: User-defined description of a location.
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         User-defined description of a location, at the level of granularity they care about.
 
diff --git a/schemas/host.yml b/schemas/host.yml
index 2fdbd9e4f7..f751d9b3ff 100644
--- a/schemas/host.yml
+++ b/schemas/host.yml
@@ -14,8 +14,9 @@
 
     - name: hostname
       level: core
-      type: keyword
+      type: wildcard
       short: Hostname of the host.
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         Hostname of the host.
 
diff --git a/schemas/http.yml b/schemas/http.yml
index 9002408cab..f0ee23c53a 100644
--- a/schemas/http.yml
+++ b/schemas/http.yml
@@ -42,7 +42,8 @@
 
     - name: request.body.content
       level: extended
-      type: keyword
+      type: wildcard
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         The full HTTP request body.
       example: Hello world
@@ -52,7 +53,8 @@
 
     - name: request.referrer
       level: extended
-      type: keyword
+      type: wildcard
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         Referrer for this HTTP request.
       example: https://blog.example.com/
@@ -81,7 +83,8 @@
 
     - name: response.body.content
       level: extended
-      type: keyword
+      type: wildcard
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         The full HTTP response body.
       example: Hello world
diff --git a/schemas/log.yml b/schemas/log.yml
index fed4c063dd..991b9235a0 100644
--- a/schemas/log.yml
+++ b/schemas/log.yml
@@ -31,8 +31,9 @@
 
     - name: file.path
       level: extended
-      type: keyword
+      type: wildcard
       short: Full path to the log file this event came from.
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         Full path to the log file this event came from, including the file name.
         It should include the drive letter, when appropriate.
@@ -63,9 +64,10 @@
 
     - name: logger
       level: core
-      type: keyword
+      type: wildcard
       example: org.elasticsearch.bootstrap.Bootstrap
       short: Name of the logger.
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
 
diff --git a/schemas/organization.yml b/schemas/organization.yml
index dcd2358927..4eee9ce663 100644
--- a/schemas/organization.yml
+++ b/schemas/organization.yml
@@ -14,7 +14,8 @@
 
     - name: name
       level: extended
-      type: keyword
+      type: wildcard
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         Organization name.
       multi_fields:
diff --git a/schemas/os.yml b/schemas/os.yml
index 8b8cfcdad7..9a93fd933b 100644
--- a/schemas/os.yml
+++ b/schemas/os.yml
@@ -36,8 +36,9 @@
 
     - name: name
       level: extended
-      type: keyword
+      type: wildcard
       example: "Mac OS X"
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         Operating system name, without the version.
       multi_fields:
@@ -46,8 +47,9 @@
 
     - name: full
       level: extended
-      type: keyword
+      type: wildcard
       example: "Mac OS Mojave"
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         Operating system name, including the version or code name.
       multi_fields:
diff --git a/schemas/pe.yml b/schemas/pe.yml
index 126fb16136..8a7e2ddaf8 100644
--- a/schemas/pe.yml
+++ b/schemas/pe.yml
@@ -13,7 +13,8 @@
   fields:
     - name: original_file_name
       level: extended
-      type: keyword
+      type: wildcard
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
 
diff --git a/schemas/process.yml b/schemas/process.yml
index 13ec63c07f..8c9661cebd 100644
--- a/schemas/process.yml
+++ b/schemas/process.yml
@@ -44,8 +44,9 @@
 
     - name: name
       level: extended
-      type: keyword
+      type: wildcard
       short: Process name.
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         Process name.
 
@@ -72,8 +73,9 @@
 
     - name: command_line
       level: extended
-      type: keyword
+      type: wildcard
       short: Full command line that started the process.
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         Full command line that started the process, including the absolute path
         to the executable, and all arguments.
@@ -110,7 +112,8 @@
 
     - name: executable
       level: extended
-      type: keyword
+      type: wildcard
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         Absolute path to the process executable.
       example: /usr/bin/ssh
@@ -120,8 +123,9 @@
 
     - name: title
       level: extended
-      type: keyword
+      type: wildcard
       short: Process title.
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         Process title.
 
@@ -141,7 +145,8 @@
 
     - name: thread.name
       level: extended
-      type: keyword
+      type: wildcard
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       example: 'thread-0'
       description: >
         Thread name.
@@ -162,8 +167,9 @@
 
     - name: working_directory
       level: extended
-      type: keyword
+      type: wildcard
       example: /home/alice
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         The working directory of the process.
       multi_fields:
diff --git a/schemas/registry.yml b/schemas/registry.yml
index bf8670d84e..576727087e 100644
--- a/schemas/registry.yml
+++ b/schemas/registry.yml
@@ -14,7 +14,8 @@
 
     - name: key
       level: core
-      type: keyword
+      type: wildcard
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: Hive-relative path of keys.
       example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
 
@@ -26,7 +27,8 @@
 
     - name: path
       level: core
-      type: keyword
+      type: wildcard
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: Full path, including hive, key and value
       example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
 
@@ -38,8 +40,9 @@
 
     - name: data.strings
       level: core
-      type: keyword
+      type: wildcard
       short: List of strings representing what was written to the registry.
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       example: '["C:\rta\red_ttp\bin\myapp.exe"]'
       description: >
         Content when writing string types.
diff --git a/schemas/server.yml b/schemas/server.yml
index 867b3bd03c..b8d6924696 100644
--- a/schemas/server.yml
+++ b/schemas/server.yml
@@ -53,13 +53,15 @@
 
     - name: domain
       level: core
-      type: keyword
+      type: wildcard
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         Server domain.
 
     - name: registered_domain
       level: extended
-      type: keyword
+      type: wildcard
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       short: The highest registered server domain, stripped of the subdomain.
       description: >
         The highest registered server domain, stripped of the subdomain.
diff --git a/schemas/source.yml b/schemas/source.yml
index 268b975312..581d5c062b 100644
--- a/schemas/source.yml
+++ b/schemas/source.yml
@@ -48,14 +48,16 @@
 
     - name: domain
       level: core
-      type: keyword
+      type: wildcard
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         Source domain.
 
     - name: registered_domain
       level: extended
-      type: keyword
+      type: wildcard
       short: The highest registered source domain, stripped of the subdomain.
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         The highest registered source domain, stripped of the subdomain.
 
diff --git a/schemas/tls.yml b/schemas/tls.yml
index 3ecacb041a..781aafb66e 100644
--- a/schemas/tls.yml
+++ b/schemas/tls.yml
@@ -78,14 +78,16 @@
         - array
 
     - name: client.subject
-      type: keyword
+      type: wildcard
       level: extended
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: Distinguished name of subject of the x.509 certificate presented by the client.
       example: "CN=myclient, OU=Documentation Team, DC=example, DC=com"
 
     - name: client.issuer
-      type: keyword
+      type: wildcard
       level: extended
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
       example: "CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com"
 
@@ -157,14 +159,16 @@
       example: 394441ab65754e2207b1e1b457b3641d
 
     - name: server.subject
-      type: keyword
+      type: wildcard
       level: extended
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: Subject of the x.509 certificate presented by the server.
       example: "CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com"
 
     - name: server.issuer
-      type: keyword
+      type: wildcard
       level: extended
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: Subject of the issuer of the x.509 certificate presented by the server.
       example: "CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com"
 
diff --git a/schemas/url.yml b/schemas/url.yml
index 88a0278891..a264e59395 100644
--- a/schemas/url.yml
+++ b/schemas/url.yml
@@ -10,7 +10,8 @@
 
     - name: original
       level: extended
-      type: keyword
+      type: wildcard
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       short: Unmodified original url as seen in the event source.
       description: >
         Unmodified original url as seen in the event source.
@@ -28,8 +29,9 @@
 
     - name: full
       level: extended
-      type: keyword
+      type: wildcard
       short: Full unparsed URL.
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         If full URLs are important to your use case, they should be stored in
         `url.full`, whether this field is reconstructed or present in the
@@ -51,8 +53,9 @@
 
     - name: domain
       level: extended
-      type: keyword
+      type: wildcard
       short: Domain of the url.
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         Domain of the url, such as "www.elastic.co".
 
@@ -65,8 +68,9 @@
 
     - name: registered_domain
       level: extended
-      type: keyword
+      type: wildcard
       short: The highest registered url domain, stripped of the subdomain.
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         The highest registered url domain, stripped of the subdomain.
 
@@ -116,7 +120,8 @@
 
     - name: path
       level: extended
-      type: keyword
+      type: wildcard
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         Path of the request, such as "/search".
 
diff --git a/schemas/user.yml b/schemas/user.yml
index 0fe7a32411..6e010627cf 100644
--- a/schemas/user.yml
+++ b/schemas/user.yml
@@ -48,8 +48,9 @@
 
     - name: name
       level: core
-      type: keyword
+      type: wildcard
       example: albert
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         Short name or login of the user.
       multi_fields:
@@ -58,7 +59,8 @@
 
     - name: full_name
       level: extended
-      type: keyword
+      type: wildcard
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       example: Albert Einstein
       description: >
         User's full name, if available.
@@ -68,7 +70,8 @@
 
     - name: email
       level: extended
-      type: keyword
+      type: wildcard
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         User email address.
 
diff --git a/schemas/user_agent.yml b/schemas/user_agent.yml
index 9c18c20827..84388859cf 100644
--- a/schemas/user_agent.yml
+++ b/schemas/user_agent.yml
@@ -12,7 +12,8 @@
 
     - name: original
       level: extended
-      type: keyword
+      type: wildcard
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       multi_fields:
       - type: text
         name: text
diff --git a/schemas/x509.yml b/schemas/x509.yml
index 124551c96c..a36e8a91a1 100644
--- a/schemas/x509.yml
+++ b/schemas/x509.yml
@@ -37,7 +37,8 @@
 
     - name: issuer.distinguished_name
       level: extended
-      type: keyword
+      type: wildcard
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: Distinguished name (DN) of issuing certificate authority.
       example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
 
@@ -113,7 +114,8 @@
 
     - name: subject.distinguished_name
       level: extended
-      type: keyword
+      type: wildcard
+      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: Distinguished name (DN) of the certificate subject entity.
       example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
 
diff --git a/use-cases/auditbeat.md b/use-cases/auditbeat.md
index dff825a597..15e2935a61 100644
--- a/use-cases/auditbeat.md
+++ b/use-cases/auditbeat.md
@@ -9,8 +9,8 @@ ECS usage in Auditbeat.
 |---|---|---|---|---|
 | [event.module](../README.md#event.module)  | Auditbeat module name. | core | keyword | `apache` |
 | <a name="file.&ast;"></a>*file.&ast;* | *File attributes.<br/>* |  |  |  |
-| [file.path](../README.md#file.path)  | The path to the file. | extended | keyword | `/home/alice/example.png` |
-| [file.target_path](../README.md#file.target_path)  | The target path for symlinks. | extended | keyword |  |
+| [file.path](../README.md#file.path)  | The path to the file. | extended | wildcard | `/home/alice/example.png` |
+| [file.target_path](../README.md#file.target_path)  | The target path for symlinks. | extended | wildcard |  |
 | [file.type](../README.md#file.type)  | The file type (file, dir, or symlink). | extended | keyword | `file` |
 | [file.device](../README.md#file.device)  | The device. | extended | keyword | `sda` |
 | [file.inode](../README.md#file.inode)  | The inode representing the file in the filesystem. | extended | keyword | `256383` |
diff --git a/use-cases/filebeat-apache-access.md b/use-cases/filebeat-apache-access.md
index a9ef41840f..293c2fb190 100644
--- a/use-cases/filebeat-apache-access.md
+++ b/use-cases/filebeat-apache-access.md
@@ -13,7 +13,7 @@ ECS fields used in Filebeat for the apache module.
 | [event.module](../README.md#event.module)  | Currently fileset.module | core | keyword | `apache` |
 | [event.dataset](../README.md#event.dataset)  | Currenly fileset.name | core | keyword | `access` |
 | [source.ip](../README.md#source.ip)  | Source ip of the request. Currently apache.access.remote_ip | core | ip | `192.168.1.1` |
-| [user.name](../README.md#user.name)  | User name in the request. Currently apache.access.user_name | core | keyword | `ruflin` |
+| [user.name](../README.md#user.name)  | User name in the request. Currently apache.access.user_name | core | wildcard | `ruflin` |
 | <a name="http.method"></a>*http.method* | *Http method, currently apache.access.method* | (use case) | keyword | `GET` |
 | <a name="http.url"></a>*http.url* | *Http url, currently apache.access.url* | (use case) | keyword | `http://elastic.co/` |
 | [http.version](../README.md#http.version)  | Http version, currently apache.access.http_version | extended | keyword | `1.1` |
@@ -21,7 +21,7 @@ ECS fields used in Filebeat for the apache module.
 | <a name="http.response.body_sent.bytes"></a>*http.response.body_sent.bytes* | *Http response body bytes sent, currently apache.access.body_sent.bytes* | (use case) | long | `117` |
 | <a name="http.referer"></a>*http.referer* | *Http referrer code, currently apache.access.referrer<br/>NOTE: In the RFC its misspell as referer and has become accepted standard* | (use case) | keyword | `http://elastic.co/` |
 | <a name="user_agent.&ast;"></a>*user_agent.&ast;* | *User agent fields as in schema. Currently under apache.access.user_agent.*<br/>* |  |  |  |
-| [user_agent.original](../README.md#user_agent.original)  | Original user agent. Currently apache.access.agent | extended | keyword | `http://elastic.co/` |
+| [user_agent.original](../README.md#user_agent.original)  | Original user agent. Currently apache.access.agent | extended | wildcard | `http://elastic.co/` |
 | <a name="geoip.&ast;"></a>*geoip.&ast;* | *User agent fields as in schema. Currently under apache.access.geoip.*<br/>These are extracted from source.ip<br/>Should they be under source.geoip?<br/>* |  |  |  |
 | <a name="geoip...."></a>*geoip....* | *All geoip fields.* | (use case) | keyword |  |
 
diff --git a/use-cases/kubernetes.md b/use-cases/kubernetes.md
index 5588da6060..057ed289cb 100644
--- a/use-cases/kubernetes.md
+++ b/use-cases/kubernetes.md
@@ -10,7 +10,7 @@ You can monitor containers running in a Kubernetes cluster by adding Kubernetes-
 |---|---|---|---|---|
 | [container.id](../README.md#container.id)  | Unique container id. | core | keyword | `fdbef803fa2b` |
 | [container.name](../README.md#container.name)  | Container name. | extended | keyword |  |
-| [host.hostname](../README.md#host.hostname)  | Hostname of the host.<br/>It normally contains what the `hostname` command returns on the host machine. | core | keyword | `kube-high-cpu-42` |
+| [host.hostname](../README.md#host.hostname)  | Hostname of the host.<br/>It normally contains what the `hostname` command returns on the host machine. | core | wildcard | `kube-high-cpu-42` |
 | <a name="kubernetes.pod.name"></a>*kubernetes.pod.name* | *Kubernetes pod name* | (use case) | keyword | `foo-webserver` |
 | <a name="kubernetes.namespace"></a>*kubernetes.namespace* | *Kubernetes namespace* | (use case) | keyword | `foo-team` |
 | <a name="kubernetes.labels"></a>*kubernetes.labels* | *Kubernetes labels map* | (use case) | object |  |
diff --git a/use-cases/metricbeat.md b/use-cases/metricbeat.md
index c573a7897e..79b3369efd 100644
--- a/use-cases/metricbeat.md
+++ b/use-cases/metricbeat.md
@@ -21,7 +21,7 @@ ECS fields used Metricbeat.
 | <a name="error.&ast;"></a>*error.&ast;* | *Error namespace<br/>Use for errors which can happen during fetching information for a service.<br/>* |  |  |  |
 | [error.message](../README.md#error.message)  | Error message returned by the service during fetching metrics. | core | text |  |
 | [error.code](../README.md#error.code)  | Error code returned by the service during fetching metrics. | core | keyword |  |
-| [host.hostname](../README.md#host.hostname)  | Hostname of the system metricbeat is running on or user defined name. | core | keyword |  |
+| [host.hostname](../README.md#host.hostname)  | Hostname of the system metricbeat is running on or user defined name. | core | wildcard |  |
 | <a name="host.timezone.offset.sec"></a>*host.timezone.offset.sec* | *Timezone offset of the host in seconds.* | (use case) | long |  |
 | [host.id](../README.md#host.id)  | Unique host id. | core | keyword |  |
 | [event.module](../README.md#event.module)  | Name of the module this data is coming from. | core | keyword | `mysql` |
diff --git a/use-cases/web-logs.md b/use-cases/web-logs.md
index 57f9a96062..d70944b48c 100644
--- a/use-cases/web-logs.md
+++ b/use-cases/web-logs.md
@@ -12,12 +12,12 @@ Using the fields as represented here is not expected to conflict with ECS, but m
 | [@timestamp](../README.md#@timestamp)  | Time at which the response was sent, and the web server log created. | core | date | `2016-05-23T08:05:34.853Z` |
 | <a name="http.&ast;"></a>*http.&ast;* | *Fields related to HTTP requests and responses.<br/>* |  |  |  |
 | [http.request.method](../README.md#http.request.method)  | Http request method. | extended | keyword | `GET, POST, PUT` |
-| [http.request.referrer](../README.md#http.request.referrer)  | Referrer for this HTTP request. | extended | keyword | `https://blog.example.com/` |
+| [http.request.referrer](../README.md#http.request.referrer)  | Referrer for this HTTP request. | extended | wildcard | `https://blog.example.com/` |
 | [http.response.status_code](../README.md#http.response.status_code)  | Http response status code. | extended | long | `404` |
-| [http.response.body.content](../README.md#http.response.body.content)  | The full http response body. | extended | keyword | `Hello world` |
+| [http.response.body.content](../README.md#http.response.body.content)  | The full http response body. | extended | wildcard | `Hello world` |
 | [http.version](../README.md#http.version)  | Http version. | extended | keyword | `1.1` |
 | <a name="user_agent.&ast;"></a>*user_agent.&ast;* | *The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string.<br/>* |  |  |  |
-| [user_agent.original](../README.md#user_agent.original)  | Unparsed version of the user_agent. | extended | keyword | `Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1` |
+| [user_agent.original](../README.md#user_agent.original)  | Unparsed version of the user_agent. | extended | wildcard | `Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1` |
 | <a name="user_agent.device"></a>*user_agent.device* | *Name of the physical device.* | (use case) | keyword |  |
 | [user_agent.version](../README.md#user_agent.version)  | Version of the physical device. | extended | keyword | `12.0` |
 | <a name="user_agent.major"></a>*user_agent.major* | *Major version of the user agent.* | (use case) | long |  |

From 78573516a15cd183d35727a85bdca71ce57ed553 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Mon, 14 Dec 2020 13:48:24 -0600
Subject: [PATCH 60/90] [1.x] Conditional handling in
 es_template.template_settings (#1191) (#1192)

---
 scripts/generators/es_template.py | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/scripts/generators/es_template.py b/scripts/generators/es_template.py
index fb45800dce..386fd6e49b 100644
--- a/scripts/generators/es_template.py
+++ b/scripts/generators/es_template.py
@@ -198,17 +198,23 @@ def template_settings(es_version, ecs_version, mappings_section, template_settin
         es6_type_fallback(mappings_section['properties'])
 
         # error.stack_trace needs special handling to set
-        # index: false and doc_values: false
-        error_stack_trace_mappings = mappings_section['properties']['error']['properties']['stack_trace']
-        error_stack_trace_mappings.setdefault('index', False)
-        error_stack_trace_mappings.setdefault('doc_values', False)
+        # index: false and doc_values: false if the field
+        # is present in the mappings
+        try:
+            error_stack_trace_mappings = mappings_section['properties']['error']['properties']['stack_trace']
+            error_stack_trace_mappings.setdefault('index', False)
+            error_stack_trace_mappings.setdefault('doc_values', False)
+        except KeyError:
+            pass
 
         template['mappings'] = {'_doc': mappings_section}
     else:
         template['mappings'] = mappings_section
 
     # _meta can't be at template root in legacy templates, so moving back to mappings section
-    mappings_section['_meta'] = template.pop('_meta')
+    # if present
+    if '_meta' in template:
+        mappings_section['_meta'] = template.pop('_meta')
 
     return template
 

From e2fef1be074de13970c9d8a2dafcf30b15cc4368 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Tue, 15 Dec 2020 13:17:49 -0600
Subject: [PATCH 61/90] [1.x] Artifacts docs page (#1189) (#1195)

---
 CHANGELOG.next.md               | 1 +
 docs/additional.asciidoc        | 2 ++
 docs/artifacts.asciidoc         | 6 ++++++
 docs/index.asciidoc             | 2 ++
 docs/using-conventions.asciidoc | 2 +-
 5 files changed, 12 insertions(+), 1 deletion(-)
 create mode 100644 docs/artifacts.asciidoc

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 8ca8f9e915..265e88ebf8 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -53,6 +53,7 @@ Thanks, you're awesome :-) -->
 * Added a notice highlighting that the `tracing` fields are not nested under the
   namespace `tracing.` #1162
 * ES 6.x template data types will fallback to supported types. #1171, #1176, #1186
+* Add a documentation page discussing the experimental artifacts. #1189
 
 #### Deprecated
 
diff --git a/docs/additional.asciidoc b/docs/additional.asciidoc
index d42bcfbeec..f6796174d8 100644
--- a/docs/additional.asciidoc
+++ b/docs/additional.asciidoc
@@ -4,8 +4,10 @@
 * <<ecs-faq>>
 * <<ecs-glossary>>
 * <<ecs-contributing>>
+* <<ecs-artifacts>>
 
 // include::use-cases.asciidoc[]
 include::faq.asciidoc[]
 include::glossary.asciidoc[]
 include::contributing.asciidoc[]
+include::artifacts.asciidoc[]
diff --git a/docs/artifacts.asciidoc b/docs/artifacts.asciidoc
new file mode 100644
index 0000000000..77df53de17
--- /dev/null
+++ b/docs/artifacts.asciidoc
@@ -0,0 +1,6 @@
+[[ecs-artifacts]]
+=== Generated Artifacts
+
+ECS maintains a collection of artifacts which are generated based on the schema. Examples include Elasticsearch index templates, CSV, and Beats field mappings. The maintained artifacts can be found in the {ecs_github_repo_link}/generated#artifacts-generated-from-ecs[ECS Github repo].
+
+Users can generate custom versions of these artifacts using the ECS project's tooling. See the tooling {ecs_github_repo_link}/USAGE.md[usage documentation] for more detail.
diff --git a/docs/index.asciidoc b/docs/index.asciidoc
index 198abfce07..8141abcec7 100644
--- a/docs/index.asciidoc
+++ b/docs/index.asciidoc
@@ -5,6 +5,8 @@
 include::{asciidoc-dir}/../../shared/versions/stack/current.asciidoc[]
 include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
 
+:ecs_github_repo_link: https://github.com/elastic/ecs/blob/master
+
 [[ecs-reference]]
 == Overview
 
diff --git a/docs/using-conventions.asciidoc b/docs/using-conventions.asciidoc
index 2972a0df68..f321b26765 100644
--- a/docs/using-conventions.asciidoc
+++ b/docs/using-conventions.asciidoc
@@ -42,7 +42,7 @@ Elasticsearch can index text using datatypes:
 ===== Default Elasticsearch convention for indexing text fields
 
 Unless your index mapping or index template specifies otherwise
-(as the ECS index template does),
+(as the <<ecs-artifacts, ECS index template>> does),
 Elasticsearch indexes a text field as `text` at the canonical field name,
 and indexes a second time as `keyword`, nested in a multi-field.
 

From 82adfee1dc016927c4e8a7e9a7bd4da02f090fb7 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Tue, 15 Dec 2020 13:29:58 -0600
Subject: [PATCH 62/90] [1.x] Remove beta warning label from categorization
 fields docs (#1067) (#1196)

---
 CHANGELOG.next.md                 |  1 +
 docs/field-values.asciidoc        | 27 ---------------------------
 scripts/templates/field_values.j2 | 12 ------------
 3 files changed, 1 insertion(+), 39 deletions(-)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 265e88ebf8..e314547d31 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -24,6 +24,7 @@ Thanks, you're awesome :-) -->
 
 #### Improvements
 
+* Event categorization fields GA. #1067
 * Note `[` and `]` bracket characters may enclose a literal IPv6 address when populating `url.domain`. #1131
 
 #### Deprecated
diff --git a/docs/field-values.asciidoc b/docs/field-values.asciidoc
index 6f3adc1c26..2ff082fd3f 100644
--- a/docs/field-values.asciidoc
+++ b/docs/field-values.asciidoc
@@ -2,13 +2,6 @@
 [[ecs-category-field-values-reference]]
 == {ecs} Categorization Fields
 
-WARNING: This section of ECS is in beta and is subject to change. These allowed values
-are still under active development. Additional values will be published gradually,
-and some of the values or relationships described here may change.
-Users who want to provide feedback, or who want to have a look at
-upcoming allowed values can visit this public feedback document
-https://ela.st/ecs-categories-draft.
-
 At a high level, ECS provides fields to classify events in two different ways:
 "Where it's from" (e.g., `event.module`, `event.dataset`, `agent.type`, `observer.type`, etc.),
 and "What it is." The categorization fields hold the "What it is" information,
@@ -38,11 +31,6 @@ This is one of four ECS Categorization Fields, and indicates the highest level i
 
 The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
 
-WARNING: After the beta period for categorization, only the allowed categorization
-values listed in the ECS repository and official ECS documentation should be considered
-official. Use of any other values may result in incompatible implementations
-that will require subsequent breaking changes.
-
 *Allowed Values*
 
 * <<ecs-event-kind-alert,alert>>
@@ -125,11 +113,6 @@ This is one of four ECS Categorization Fields, and indicates the second level in
 
 This field is an array. This will allow proper categorization of some events that fall in multiple categories.
 
-WARNING: After the beta period for categorization, only the allowed categorization
-values listed in the ECS repository and official ECS documentation should be considered
-official. Use of any other values may result in incompatible implementations
-that will require subsequent breaking changes.
-
 *Allowed Values*
 
 * <<ecs-event-category-authentication,authentication>>
@@ -345,11 +328,6 @@ This is one of four ECS Categorization Fields, and indicates the third level in
 
 This field is an array. This will allow proper categorization of some events that fall in multiple event types.
 
-WARNING: After the beta period for categorization, only the allowed categorization
-values listed in the ECS repository and official ECS documentation should be considered
-official. Use of any other values may result in incompatible implementations
-that will require subsequent breaking changes.
-
 *Allowed Values*
 
 * <<ecs-event-type-access,access>>
@@ -510,11 +488,6 @@ Also note that in the case of a compound event (a single event that contains mul
 
 Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
 
-WARNING: After the beta period for categorization, only the allowed categorization
-values listed in the ECS repository and official ECS documentation should be considered
-official. Use of any other values may result in incompatible implementations
-that will require subsequent breaking changes.
-
 *Allowed Values*
 
 * <<ecs-event-outcome-failure,failure>>
diff --git a/scripts/templates/field_values.j2 b/scripts/templates/field_values.j2
index 1ee2ab9890..4789c00e09 100644
--- a/scripts/templates/field_values.j2
+++ b/scripts/templates/field_values.j2
@@ -2,13 +2,6 @@
 [[ecs-category-field-values-reference]]
 == {ecs} Categorization Fields
 
-WARNING: This section of ECS is in beta and is subject to change. These allowed values
-are still under active development. Additional values will be published gradually,
-and some of the values or relationships described here may change.
-Users who want to provide feedback, or who want to have a look at
-upcoming allowed values can visit this public feedback document
-https://ela.st/ecs-categories-draft.
-
 At a high level, ECS provides fields to classify events in two different ways:
 "Where it's from" (e.g., `event.module`, `event.dataset`, `agent.type`, `observer.type`, etc.),
 and "What it is." The categorization fields hold the "What it is" information,
@@ -34,11 +27,6 @@ once the appropriate categorization values are published, in a later release.
 
 {{ field['description']|replace("\n", "\n\n") }}
 
-WARNING: After the beta period for categorization, only the allowed categorization
-values listed in the ECS repository and official ECS documentation should be considered
-official. Use of any other values may result in incompatible implementations
-that will require subsequent breaking changes.
-
 *Allowed Values*
 {% for value_details in field['allowed_values'] %}
 * <<ecs-{{ field['dashed_name'] }}-{{ value_details['name'] }},{{ value_details['name'] }}>>

From 2ae684e2762b1aa8022c597d53021cb4f7c2fcfe Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Tue, 15 Dec 2020 13:42:54 -0600
Subject: [PATCH 63/90] [1.x] Correct wording of `event.reference` description
 (#1181) (#1197)

---
 CHANGELOG.next.md                           | 2 ++
 code/go/ecs/event.go                        | 2 +-
 docs/field-details.asciidoc                 | 2 +-
 experimental/generated/beats/fields.ecs.yml | 2 +-
 experimental/generated/ecs/ecs_flat.yml     | 4 ++--
 experimental/generated/ecs/ecs_nested.yml   | 2 +-
 generated/beats/fields.ecs.yml              | 2 +-
 generated/ecs/ecs_flat.yml                  | 4 ++--
 generated/ecs/ecs_nested.yml                | 2 +-
 schemas/event.yml                           | 2 +-
 10 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index e314547d31..d85ec4c97a 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -14,6 +14,8 @@ Thanks, you're awesome :-) -->
 
 #### Bugfixes
 
+* Clean up `event.reference` description. #1181
+
 #### Added
 
 * Added `event.category` "registry". #1040
diff --git a/code/go/ecs/event.go b/code/go/ecs/event.go
index 1dfdf696c4..4cced17b76 100644
--- a/code/go/ecs/event.go
+++ b/code/go/ecs/event.go
@@ -199,7 +199,7 @@ type Event struct {
 	Ingested time.Time `ecs:"ingested"`
 
 	// Reference URL linking to additional information about this event.
-	// This URL links to a static definition of the this event. Alert events,
+	// This URL links to a static definition of this event. Alert events,
 	// indicated by `event.kind:alert`, are a common use case for this field.
 	Reference string `ecs:"reference"`
 
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index 90fec37b2b..73bc4467d3 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -2164,7 +2164,7 @@ example: `Terminated an unexpected process`
 
 | Reference URL linking to additional information about this event.
 
-This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field.
+This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field.
 
 type: keyword
 
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index 9a58688014..3d103d3883 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -1392,7 +1392,7 @@
       ignore_above: 1024
       description: 'Reference URL linking to additional information about this event.
 
-        This URL links to a static definition of the this event. Alert events, indicated
+        This URL links to a static definition of this event. Alert events, indicated
         by `event.kind:alert`, are a common use case for this field.'
       example: https://system.example.com/event/#0001234
       default_field: false
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index 8997fffccf..f98d8b95ce 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -2183,8 +2183,8 @@ event.reference:
   dashed_name: event-reference
   description: 'Reference URL linking to additional information about this event.
 
-    This URL links to a static definition of the this event. Alert events, indicated
-    by `event.kind:alert`, are a common use case for this field.'
+    This URL links to a static definition of this event. Alert events, indicated by
+    `event.kind:alert`, are a common use case for this field.'
   example: https://system.example.com/event/#0001234
   flat_name: event.reference
   ignore_above: 1024
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index 6d1a832021..97acbc2459 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -2587,7 +2587,7 @@ event:
       dashed_name: event-reference
       description: 'Reference URL linking to additional information about this event.
 
-        This URL links to a static definition of the this event. Alert events, indicated
+        This URL links to a static definition of this event. Alert events, indicated
         by `event.kind:alert`, are a common use case for this field.'
       example: https://system.example.com/event/#0001234
       flat_name: event.reference
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index d7bb24c1bd..1f06a65a1a 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -1392,7 +1392,7 @@
       ignore_above: 1024
       description: 'Reference URL linking to additional information about this event.
 
-        This URL links to a static definition of the this event. Alert events, indicated
+        This URL links to a static definition of this event. Alert events, indicated
         by `event.kind:alert`, are a common use case for this field.'
       example: https://system.example.com/event/#0001234
       default_field: false
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index 0c6e8374cf..7e7347eba8 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -2183,8 +2183,8 @@ event.reference:
   dashed_name: event-reference
   description: 'Reference URL linking to additional information about this event.
 
-    This URL links to a static definition of the this event. Alert events, indicated
-    by `event.kind:alert`, are a common use case for this field.'
+    This URL links to a static definition of this event. Alert events, indicated by
+    `event.kind:alert`, are a common use case for this field.'
   example: https://system.example.com/event/#0001234
   flat_name: event.reference
   ignore_above: 1024
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index 50c4915485..47cd8526ef 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -2587,7 +2587,7 @@ event:
       dashed_name: event-reference
       description: 'Reference URL linking to additional information about this event.
 
-        This URL links to a static definition of the this event. Alert events, indicated
+        This URL links to a static definition of this event. Alert events, indicated
         by `event.kind:alert`, are a common use case for this field.'
       example: https://system.example.com/event/#0001234
       flat_name: event.reference
diff --git a/schemas/event.yml b/schemas/event.yml
index 0edbf6b8de..3e4aaf4627 100644
--- a/schemas/event.yml
+++ b/schemas/event.yml
@@ -714,7 +714,7 @@
       description: >
         Reference URL linking to additional information about this event.
 
-        This URL links to a static definition of the this event.
+        This URL links to a static definition of this event.
         Alert events, indicated by `event.kind:alert`, are a common use case for this field.
 
       example: "https://system.example.com/event/#0001234"

From cd6778c22be879ca14d50a2e75772a54aa70e519 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Tue, 15 Dec 2020 15:34:07 -0600
Subject: [PATCH 64/90] Bump version to 1.9.0-dev in branch 1.x (#1198)

---
 code/go/ecs/version.go                        |    2 +-
 docs/fields.asciidoc                          |    2 +-
 docs/index.asciidoc                           |    2 +-
 experimental/generated/beats/fields.ecs.yml   |    2 +-
 experimental/generated/csv/fields.csv         | 1460 ++++++++---------
 .../generated/elasticsearch/7/template.json   |    2 +-
 .../elasticsearch/component/agent.json        |    2 +-
 .../elasticsearch/component/base.json         |    2 +-
 .../elasticsearch/component/client.json       |    2 +-
 .../elasticsearch/component/cloud.json        |    2 +-
 .../elasticsearch/component/container.json    |    2 +-
 .../elasticsearch/component/destination.json  |    2 +-
 .../elasticsearch/component/dll.json          |    2 +-
 .../elasticsearch/component/dns.json          |    2 +-
 .../elasticsearch/component/ecs.json          |    2 +-
 .../elasticsearch/component/error.json        |    2 +-
 .../elasticsearch/component/event.json        |    2 +-
 .../elasticsearch/component/file.json         |    2 +-
 .../elasticsearch/component/group.json        |    2 +-
 .../elasticsearch/component/host.json         |    2 +-
 .../elasticsearch/component/http.json         |    2 +-
 .../elasticsearch/component/log.json          |    2 +-
 .../elasticsearch/component/network.json      |    2 +-
 .../elasticsearch/component/observer.json     |    2 +-
 .../elasticsearch/component/organization.json |    2 +-
 .../elasticsearch/component/package.json      |    2 +-
 .../elasticsearch/component/process.json      |    2 +-
 .../elasticsearch/component/registry.json     |    2 +-
 .../elasticsearch/component/related.json      |    2 +-
 .../elasticsearch/component/rule.json         |    2 +-
 .../elasticsearch/component/server.json       |    2 +-
 .../elasticsearch/component/service.json      |    2 +-
 .../elasticsearch/component/source.json       |    2 +-
 .../elasticsearch/component/threat.json       |    2 +-
 .../elasticsearch/component/tls.json          |    2 +-
 .../elasticsearch/component/tracing.json      |    2 +-
 .../elasticsearch/component/url.json          |    2 +-
 .../elasticsearch/component/user.json         |    2 +-
 .../elasticsearch/component/user_agent.json   |    2 +-
 .../component/vulnerability.json              |    2 +-
 .../generated/elasticsearch/template.json     |   70 +-
 generated/beats/fields.ecs.yml                |    2 +-
 generated/csv/fields.csv                      | 1446 ++++++++--------
 generated/elasticsearch/6/template.json       |    2 +-
 generated/elasticsearch/7/template.json       |    2 +-
 generated/elasticsearch/component/agent.json  |    2 +-
 generated/elasticsearch/component/base.json   |    2 +-
 generated/elasticsearch/component/client.json |    2 +-
 generated/elasticsearch/component/cloud.json  |    2 +-
 .../elasticsearch/component/container.json    |    2 +-
 .../elasticsearch/component/destination.json  |    2 +-
 generated/elasticsearch/component/dll.json    |    2 +-
 generated/elasticsearch/component/dns.json    |    2 +-
 generated/elasticsearch/component/ecs.json    |    2 +-
 generated/elasticsearch/component/error.json  |    2 +-
 generated/elasticsearch/component/event.json  |    2 +-
 generated/elasticsearch/component/file.json   |    2 +-
 generated/elasticsearch/component/group.json  |    2 +-
 generated/elasticsearch/component/host.json   |    2 +-
 generated/elasticsearch/component/http.json   |    2 +-
 generated/elasticsearch/component/log.json    |    2 +-
 .../elasticsearch/component/network.json      |    2 +-
 .../elasticsearch/component/observer.json     |    2 +-
 .../elasticsearch/component/organization.json |    2 +-
 .../elasticsearch/component/package.json      |    2 +-
 .../elasticsearch/component/process.json      |    2 +-
 .../elasticsearch/component/registry.json     |    2 +-
 .../elasticsearch/component/related.json      |    2 +-
 generated/elasticsearch/component/rule.json   |    2 +-
 generated/elasticsearch/component/server.json |    2 +-
 .../elasticsearch/component/service.json      |    2 +-
 generated/elasticsearch/component/source.json |    2 +-
 generated/elasticsearch/component/threat.json |    2 +-
 generated/elasticsearch/component/tls.json    |    2 +-
 .../elasticsearch/component/tracing.json      |    2 +-
 generated/elasticsearch/component/url.json    |    2 +-
 generated/elasticsearch/component/user.json   |    2 +-
 .../elasticsearch/component/user_agent.json   |    2 +-
 .../component/vulnerability.json              |    2 +-
 generated/elasticsearch/template.json         |   70 +-
 version                                       |    2 +-
 81 files changed, 1600 insertions(+), 1600 deletions(-)

diff --git a/code/go/ecs/version.go b/code/go/ecs/version.go
index 0921192cae..6aba04736b 100644
--- a/code/go/ecs/version.go
+++ b/code/go/ecs/version.go
@@ -20,4 +20,4 @@
 package ecs
 
 // Version is the Elastic Common Schema version from which this was generated.
-const Version = "1.8.0-dev"
+const Version = "1.9.0-dev"
diff --git a/docs/fields.asciidoc b/docs/fields.asciidoc
index bb07676dcb..3d6f8fa662 100644
--- a/docs/fields.asciidoc
+++ b/docs/fields.asciidoc
@@ -2,7 +2,7 @@
 [[ecs-field-reference]]
 == {ecs} Field Reference
 
-This is the documentation of ECS version 1.8.0-dev.
+This is the documentation of ECS version 1.9.0-dev.
 
 ECS defines multiple groups of related fields. They are called "field sets".
 The <<ecs-base,Base>> field set is the only one whose fields are defined
diff --git a/docs/index.asciidoc b/docs/index.asciidoc
index 8141abcec7..58a21f5124 100644
--- a/docs/index.asciidoc
+++ b/docs/index.asciidoc
@@ -10,7 +10,7 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
 [[ecs-reference]]
 == Overview
 
-This is the documentation of ECS version 1.8.0-dev.
+This is the documentation of ECS version 1.9.0-dev.
 
 [float]
 === What is ECS?
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index 3d103d3883..02da5c2ee4 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -1,5 +1,5 @@
 # WARNING! Do not edit this file directly, it was generated by the ECS project,
-# based on ECS version 1.8.0-dev+exp.
+# based on ECS version 1.9.0-dev+exp.
 # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields.
 
 - key: ecs
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
index 1912a88568..b5efd516c7 100644
--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -1,731 +1,731 @@
 ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
-1.8.0-dev+exp,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated.
-1.8.0-dev+exp,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs.
-1.8.0-dev+exp,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer.
-1.8.0-dev+exp,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event.
-1.8.0-dev+exp,true,agent,agent.build.original,wildcard,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent.
-1.8.0-dev+exp,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent.
-1.8.0-dev+exp,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
-1.8.0-dev+exp,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
-1.8.0-dev+exp,true,agent,agent.type,keyword,core,,filebeat,Type of the agent.
-1.8.0-dev+exp,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
-1.8.0-dev+exp,true,client,client.address,keyword,extended,,,Client network address.
-1.8.0-dev+exp,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.8.0-dev+exp,true,client,client.as.organization.name,wildcard,extended,,Google LLC,Organization name.
-1.8.0-dev+exp,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.8.0-dev+exp,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server.
-1.8.0-dev+exp,true,client,client.domain,wildcard,core,,,Client domain.
-1.8.0-dev+exp,true,client,client.geo.city_name,keyword,core,,Montreal,City name.
-1.8.0-dev+exp,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.8.0-dev+exp,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.8.0-dev+exp,true,client,client.geo.country_name,keyword,core,,Canada,Country name.
-1.8.0-dev+exp,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.8.0-dev+exp,true,client,client.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
-1.8.0-dev+exp,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.8.0-dev+exp,true,client,client.geo.region_name,keyword,core,,Quebec,Region name.
-1.8.0-dev+exp,true,client,client.ip,ip,core,,,IP address of the client.
-1.8.0-dev+exp,true,client,client.mac,keyword,core,,,MAC address of the client.
-1.8.0-dev+exp,true,client,client.nat.ip,ip,extended,,,Client NAT ip address
-1.8.0-dev+exp,true,client,client.nat.port,long,extended,,,Client NAT port
-1.8.0-dev+exp,true,client,client.packets,long,core,,12,Packets sent from the client to the server.
-1.8.0-dev+exp,true,client,client.port,long,core,,,Port of the client.
-1.8.0-dev+exp,true,client,client.registered_domain,wildcard,extended,,example.com,"The highest registered client domain, stripped of the subdomain."
-1.8.0-dev+exp,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain.
-1.8.0-dev+exp,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.8.0-dev+exp,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev+exp,true,client,client.user.email,wildcard,extended,,,User email address.
-1.8.0-dev+exp,true,client,client.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev+exp,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev+exp,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.8.0-dev+exp,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.8.0-dev+exp,true,client,client.user.group.name,keyword,extended,,,Name of the group.
-1.8.0-dev+exp,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.8.0-dev+exp,true,client,client.user.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev+exp,true,client,client.user.name,wildcard,core,,albert,Short name or login of the user.
-1.8.0-dev+exp,true,client,client.user.name.text,text,core,,albert,Short name or login of the user.
-1.8.0-dev+exp,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.8.0-dev+exp,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id.
-1.8.0-dev+exp,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name.
-1.8.0-dev+exp,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running.
-1.8.0-dev+exp,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
-1.8.0-dev+exp,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine.
-1.8.0-dev+exp,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
-1.8.0-dev+exp,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id.
-1.8.0-dev+exp,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name.
-1.8.0-dev+exp,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider.
-1.8.0-dev+exp,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running.
-1.8.0-dev+exp,true,container,container.id,keyword,core,,,Unique container id.
-1.8.0-dev+exp,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on.
-1.8.0-dev+exp,true,container,container.image.tag,keyword,extended,array,,Container image tags.
-1.8.0-dev+exp,true,container,container.labels,object,extended,,,Image labels.
-1.8.0-dev+exp,true,container,container.name,keyword,extended,,,Container name.
-1.8.0-dev+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container.
-1.8.0-dev+exp,true,destination,destination.address,keyword,extended,,,Destination network address.
-1.8.0-dev+exp,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.8.0-dev+exp,true,destination,destination.as.organization.name,wildcard,extended,,Google LLC,Organization name.
-1.8.0-dev+exp,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.8.0-dev+exp,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source.
-1.8.0-dev+exp,true,destination,destination.domain,wildcard,core,,,Destination domain.
-1.8.0-dev+exp,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name.
-1.8.0-dev+exp,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.8.0-dev+exp,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.8.0-dev+exp,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name.
-1.8.0-dev+exp,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.8.0-dev+exp,true,destination,destination.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
-1.8.0-dev+exp,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.8.0-dev+exp,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name.
-1.8.0-dev+exp,true,destination,destination.ip,ip,core,,,IP address of the destination.
-1.8.0-dev+exp,true,destination,destination.mac,keyword,core,,,MAC address of the destination.
-1.8.0-dev+exp,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip
-1.8.0-dev+exp,true,destination,destination.nat.port,long,extended,,,Destination NAT Port
-1.8.0-dev+exp,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source.
-1.8.0-dev+exp,true,destination,destination.port,long,core,,,Port of the destination.
-1.8.0-dev+exp,true,destination,destination.registered_domain,wildcard,extended,,example.com,"The highest registered destination domain, stripped of the subdomain."
-1.8.0-dev+exp,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain.
-1.8.0-dev+exp,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.8.0-dev+exp,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev+exp,true,destination,destination.user.email,wildcard,extended,,,User email address.
-1.8.0-dev+exp,true,destination,destination.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev+exp,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev+exp,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.8.0-dev+exp,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.8.0-dev+exp,true,destination,destination.user.group.name,keyword,extended,,,Name of the group.
-1.8.0-dev+exp,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.8.0-dev+exp,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev+exp,true,destination,destination.user.name,wildcard,core,,albert,Short name or login of the user.
-1.8.0-dev+exp,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user.
-1.8.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.8.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-1.8.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-1.8.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-1.8.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-1.8.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.8.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash.
-1.8.0-dev+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash.
-1.8.0-dev+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash.
-1.8.0-dev+exp,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash.
-1.8.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library.
-1.8.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library.
-1.8.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-1.8.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-1.8.0-dev+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-1.8.0-dev+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-1.8.0-dev+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.8.0-dev+exp,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-1.8.0-dev+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-1.8.0-dev+exp,true,dns,dns.answers,object,extended,array,,Array of DNS answers.
-1.8.0-dev+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record.
-1.8.0-dev+exp,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource.
-1.8.0-dev+exp,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains.
-1.8.0-dev+exp,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded.
-1.8.0-dev+exp,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record.
-1.8.0-dev+exp,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags.
-1.8.0-dev+exp,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
-1.8.0-dev+exp,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message.
-1.8.0-dev+exp,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried.
-1.8.0-dev+exp,true,dns,dns.question.name,wildcard,extended,,www.example.com,The name being queried.
-1.8.0-dev+exp,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain."
-1.8.0-dev+exp,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain.
-1.8.0-dev+exp,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.8.0-dev+exp,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried.
-1.8.0-dev+exp,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data
-1.8.0-dev+exp,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code.
-1.8.0-dev+exp,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer."
-1.8.0-dev+exp,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
-1.8.0-dev+exp,true,error,error.code,keyword,core,,,Error code describing the error.
-1.8.0-dev+exp,true,error,error.id,keyword,core,,,Unique identifier for the error.
-1.8.0-dev+exp,true,error,error.message,text,core,,,Error message.
-1.8.0-dev+exp,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text.
-1.8.0-dev+exp,true,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text.
-1.8.0-dev+exp,true,error,error.type,wildcard,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception."
-1.8.0-dev+exp,true,event,event.action,keyword,core,,user-password-change,The action captured by the event.
-1.8.0-dev+exp,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy.
-1.8.0-dev+exp,true,event,event.code,keyword,extended,,4648,Identification code for this event.
-1.8.0-dev+exp,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline.
-1.8.0-dev+exp,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset.
-1.8.0-dev+exp,true,event,event.duration,long,core,,,Duration of the event in nanoseconds.
-1.8.0-dev+exp,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed.
-1.8.0-dev+exp,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
-1.8.0-dev+exp,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event.
-1.8.0-dev+exp,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store.
-1.8.0-dev+exp,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy.
-1.8.0-dev+exp,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from.
-1.8.0-dev+exp,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124; worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event.
-1.8.0-dev+exp,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy.
-1.8.0-dev+exp,true,event,event.provider,keyword,extended,,kernel,Source of the event.
-1.8.0-dev+exp,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source"
-1.8.0-dev+exp,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL
-1.8.0-dev+exp,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
-1.8.0-dev+exp,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100).
-1.8.0-dev+exp,true,event,event.sequence,long,extended,,,Sequence number of the event.
-1.8.0-dev+exp,true,event,event.severity,long,core,,7,Numeric severity of the event.
-1.8.0-dev+exp,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed.
-1.8.0-dev+exp,true,event,event.timezone,keyword,extended,,,Event time zone.
-1.8.0-dev+exp,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy.
-1.8.0-dev+exp,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL
-1.8.0-dev+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed.
-1.8.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
-1.8.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-1.8.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-1.8.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-1.8.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-1.8.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.8.0-dev+exp,true,file,file.created,date,extended,,,File creation time.
-1.8.0-dev+exp,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed.
-1.8.0-dev+exp,true,file,file.device,keyword,extended,,sda,Device that is the source of the file.
-1.8.0-dev+exp,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located.
-1.8.0-dev+exp,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
-1.8.0-dev+exp,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
-1.8.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
-1.8.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file.
-1.8.0-dev+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash.
-1.8.0-dev+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash.
-1.8.0-dev+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash.
-1.8.0-dev+exp,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash.
-1.8.0-dev+exp,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
-1.8.0-dev+exp,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
-1.8.0-dev+exp,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation.
-1.8.0-dev+exp,true,file,file.mtime,date,extended,,,Last time the file content was modified.
-1.8.0-dev+exp,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
-1.8.0-dev+exp,true,file,file.owner,keyword,extended,,alice,File owner's username.
-1.8.0-dev+exp,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name."
-1.8.0-dev+exp,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
-1.8.0-dev+exp,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-1.8.0-dev+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-1.8.0-dev+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-1.8.0-dev+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-1.8.0-dev+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.8.0-dev+exp,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-1.8.0-dev+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-1.8.0-dev+exp,true,file,file.size,long,extended,,16384,File size in bytes.
-1.8.0-dev+exp,true,file,file.target_path,wildcard,extended,,,Target path for symlinks.
-1.8.0-dev+exp,true,file,file.target_path.text,text,extended,,,Target path for symlinks.
-1.8.0-dev+exp,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
-1.8.0-dev+exp,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
-1.8.0-dev+exp,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
-1.8.0-dev+exp,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
-1.8.0-dev+exp,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-1.8.0-dev+exp,true,file,file.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
-1.8.0-dev+exp,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
-1.8.0-dev+exp,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
-1.8.0-dev+exp,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
-1.8.0-dev+exp,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.8.0-dev+exp,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
-1.8.0-dev+exp,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
-1.8.0-dev+exp,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
-1.8.0-dev+exp,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-1.8.0-dev+exp,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
-1.8.0-dev+exp,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
-1.8.0-dev+exp,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
-1.8.0-dev+exp,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
-1.8.0-dev+exp,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
-1.8.0-dev+exp,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code
-1.8.0-dev+exp,true,file,file.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
-1.8.0-dev+exp,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
-1.8.0-dev+exp,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
-1.8.0-dev+exp,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
-1.8.0-dev+exp,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.8.0-dev+exp,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format.
-1.8.0-dev+exp,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.8.0-dev+exp,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.8.0-dev+exp,true,group,group.name,keyword,extended,,,Name of the group.
-1.8.0-dev+exp,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture.
-1.8.0-dev+exp,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1."
-1.8.0-dev+exp,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks.
-1.8.0-dev+exp,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks.
-1.8.0-dev+exp,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of.
-1.8.0-dev+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name.
-1.8.0-dev+exp,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.8.0-dev+exp,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.8.0-dev+exp,true,host,host.geo.country_name,keyword,core,,Canada,Country name.
-1.8.0-dev+exp,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.8.0-dev+exp,true,host,host.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
-1.8.0-dev+exp,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.8.0-dev+exp,true,host,host.geo.region_name,keyword,core,,Quebec,Region name.
-1.8.0-dev+exp,true,host,host.hostname,wildcard,core,,,Hostname of the host.
-1.8.0-dev+exp,true,host,host.id,keyword,core,,,Unique host id.
-1.8.0-dev+exp,true,host,host.ip,ip,core,array,,Host ip addresses.
-1.8.0-dev+exp,true,host,host.mac,keyword,core,array,,Host mac addresses.
-1.8.0-dev+exp,true,host,host.name,keyword,core,,,Name of the host.
-1.8.0-dev+exp,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces.
-1.8.0-dev+exp,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces.
-1.8.0-dev+exp,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces.
-1.8.0-dev+exp,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces.
-1.8.0-dev+exp,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.8.0-dev+exp,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.8.0-dev+exp,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.8.0-dev+exp,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.8.0-dev+exp,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
-1.8.0-dev+exp,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
-1.8.0-dev+exp,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
-1.8.0-dev+exp,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
-1.8.0-dev+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
-1.8.0-dev+exp,true,host,host.type,keyword,core,,,Type of host.
-1.8.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up.
-1.8.0-dev+exp,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev+exp,true,host,host.user.email,wildcard,extended,,,User email address.
-1.8.0-dev+exp,true,host,host.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev+exp,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev+exp,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.8.0-dev+exp,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.8.0-dev+exp,true,host,host.user.group.name,keyword,extended,,,Name of the group.
-1.8.0-dev+exp,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.8.0-dev+exp,true,host,host.user.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev+exp,true,host,host.user.name,wildcard,core,,albert,Short name or login of the user.
-1.8.0-dev+exp,true,host,host.user.name.text,text,core,,albert,Short name or login of the user.
-1.8.0-dev+exp,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.8.0-dev+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body.
-1.8.0-dev+exp,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body.
-1.8.0-dev+exp,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body.
-1.8.0-dev+exp,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers).
-1.8.0-dev+exp,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method.
-1.8.0-dev+exp,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request.
-1.8.0-dev+exp,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request.
-1.8.0-dev+exp,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body.
-1.8.0-dev+exp,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body.
-1.8.0-dev+exp,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body.
-1.8.0-dev+exp,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers).
-1.8.0-dev+exp,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response.
-1.8.0-dev+exp,true,http,http.response.status_code,long,extended,,404,HTTP response status code.
-1.8.0-dev+exp,true,http,http.version,keyword,extended,,1.1,HTTP version.
-1.8.0-dev+exp,true,log,log.file.path,wildcard,extended,,/var/log/fun-times.log,Full path to the log file this event came from.
-1.8.0-dev+exp,true,log,log.level,keyword,core,,error,Log level of the log event.
-1.8.0-dev+exp,true,log,log.logger,wildcard,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger.
-1.8.0-dev+exp,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event.
-1.8.0-dev+exp,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event.
-1.8.0-dev+exp,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event.
-1.8.0-dev+exp,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)."
-1.8.0-dev+exp,true,log,log.syslog,object,extended,,,Syslog metadata
-1.8.0-dev+exp,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event.
-1.8.0-dev+exp,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event.
-1.8.0-dev+exp,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event.
-1.8.0-dev+exp,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event.
-1.8.0-dev+exp,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event.
-1.8.0-dev+exp,true,network,network.application,keyword,extended,,aim,Application level protocol name.
-1.8.0-dev+exp,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions.
-1.8.0-dev+exp,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports.
-1.8.0-dev+exp,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic.
-1.8.0-dev+exp,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy.
-1.8.0-dev+exp,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number.
-1.8.0-dev+exp,true,network,network.inner,object,extended,,,Inner VLAN tag information
-1.8.0-dev+exp,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-1.8.0-dev+exp,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-1.8.0-dev+exp,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network.
-1.8.0-dev+exp,true,network,network.packets,long,core,,24,Total packets transferred in both directions.
-1.8.0-dev+exp,true,network,network.protocol,keyword,core,,http,L7 Network protocol name.
-1.8.0-dev+exp,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`.
-1.8.0-dev+exp,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc"
-1.8.0-dev+exp,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-1.8.0-dev+exp,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-1.8.0-dev+exp,true,observer,observer.egress,object,extended,,,Object field for egress information
-1.8.0-dev+exp,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias
-1.8.0-dev+exp,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID
-1.8.0-dev+exp,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name
-1.8.0-dev+exp,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-1.8.0-dev+exp,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-1.8.0-dev+exp,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone
-1.8.0-dev+exp,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name.
-1.8.0-dev+exp,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.8.0-dev+exp,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.8.0-dev+exp,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name.
-1.8.0-dev+exp,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.8.0-dev+exp,true,observer,observer.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
-1.8.0-dev+exp,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.8.0-dev+exp,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name.
-1.8.0-dev+exp,true,observer,observer.hostname,keyword,core,,,Hostname of the observer.
-1.8.0-dev+exp,true,observer,observer.ingress,object,extended,,,Object field for ingress information
-1.8.0-dev+exp,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias
-1.8.0-dev+exp,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID
-1.8.0-dev+exp,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name
-1.8.0-dev+exp,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-1.8.0-dev+exp,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-1.8.0-dev+exp,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone
-1.8.0-dev+exp,true,observer,observer.ip,ip,core,array,,IP addresses of the observer.
-1.8.0-dev+exp,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer
-1.8.0-dev+exp,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer.
-1.8.0-dev+exp,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.8.0-dev+exp,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.8.0-dev+exp,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.8.0-dev+exp,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.8.0-dev+exp,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
-1.8.0-dev+exp,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
-1.8.0-dev+exp,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
-1.8.0-dev+exp,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
-1.8.0-dev+exp,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
-1.8.0-dev+exp,true,observer,observer.product,keyword,extended,,s200,The product name of the observer.
-1.8.0-dev+exp,true,observer,observer.serial_number,keyword,extended,,,Observer serial number.
-1.8.0-dev+exp,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from.
-1.8.0-dev+exp,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer.
-1.8.0-dev+exp,true,observer,observer.version,keyword,core,,,Observer version.
-1.8.0-dev+exp,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization.
-1.8.0-dev+exp,true,organization,organization.name,wildcard,extended,,,Organization name.
-1.8.0-dev+exp,true,organization,organization.name.text,text,extended,,,Organization name.
-1.8.0-dev+exp,true,package,package.architecture,keyword,extended,,x86_64,Package architecture.
-1.8.0-dev+exp,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information
-1.8.0-dev+exp,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification.
-1.8.0-dev+exp,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package.
-1.8.0-dev+exp,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global."
-1.8.0-dev+exp,true,package,package.installed,date,extended,,,Time when package was installed.
-1.8.0-dev+exp,true,package,package.license,keyword,extended,,Apache License 2.0,Package license
-1.8.0-dev+exp,true,package,package.name,keyword,extended,,go,Package name
-1.8.0-dev+exp,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed.
-1.8.0-dev+exp,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL
-1.8.0-dev+exp,true,package,package.size,long,extended,,62231,Package size in bytes.
-1.8.0-dev+exp,true,package,package.type,keyword,extended,,rpm,Package type
-1.8.0-dev+exp,true,package,package.version,keyword,extended,,1.12.9,Package version
-1.8.0-dev+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
-1.8.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array.
-1.8.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-1.8.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-1.8.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-1.8.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-1.8.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.8.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-1.8.0-dev+exp,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-1.8.0-dev+exp,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-1.8.0-dev+exp,true,process,process.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable.
-1.8.0-dev+exp,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
-1.8.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process.
-1.8.0-dev+exp,true,process,process.hash.md5,keyword,extended,,,MD5 hash.
-1.8.0-dev+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash.
-1.8.0-dev+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash.
-1.8.0-dev+exp,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash.
-1.8.0-dev+exp,true,process,process.name,wildcard,extended,,ssh,Process name.
-1.8.0-dev+exp,true,process,process.name.text,text,extended,,ssh,Process name.
-1.8.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
-1.8.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
-1.8.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-1.8.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-1.8.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-1.8.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-1.8.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.8.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-1.8.0-dev+exp,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-1.8.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-1.8.0-dev+exp,true,process,process.parent.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable.
-1.8.0-dev+exp,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
-1.8.0-dev+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process.
-1.8.0-dev+exp,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash.
-1.8.0-dev+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash.
-1.8.0-dev+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash.
-1.8.0-dev+exp,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash.
-1.8.0-dev+exp,true,process,process.parent.name,wildcard,extended,,ssh,Process name.
-1.8.0-dev+exp,true,process,process.parent.name.text,text,extended,,ssh,Process name.
-1.8.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-1.8.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-1.8.0-dev+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-1.8.0-dev+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-1.8.0-dev+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.8.0-dev+exp,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-1.8.0-dev+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-1.8.0-dev+exp,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
-1.8.0-dev+exp,true,process,process.parent.pid,long,core,,4242,Process id.
-1.8.0-dev+exp,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid.
-1.8.0-dev+exp,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
-1.8.0-dev+exp,true,process,process.parent.thread.id,long,extended,,4242,Thread ID.
-1.8.0-dev+exp,true,process,process.parent.thread.name,wildcard,extended,,thread-0,Thread name.
-1.8.0-dev+exp,true,process,process.parent.title,wildcard,extended,,,Process title.
-1.8.0-dev+exp,true,process,process.parent.title.text,text,extended,,,Process title.
-1.8.0-dev+exp,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up.
-1.8.0-dev+exp,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process.
-1.8.0-dev+exp,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process.
-1.8.0-dev+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-1.8.0-dev+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-1.8.0-dev+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-1.8.0-dev+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-1.8.0-dev+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.8.0-dev+exp,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-1.8.0-dev+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-1.8.0-dev+exp,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
-1.8.0-dev+exp,true,process,process.pid,long,core,,4242,Process id.
-1.8.0-dev+exp,true,process,process.ppid,long,extended,,4241,Parent process' pid.
-1.8.0-dev+exp,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
-1.8.0-dev+exp,true,process,process.thread.id,long,extended,,4242,Thread ID.
-1.8.0-dev+exp,true,process,process.thread.name,wildcard,extended,,thread-0,Thread name.
-1.8.0-dev+exp,true,process,process.title,wildcard,extended,,,Process title.
-1.8.0-dev+exp,true,process,process.title.text,text,extended,,,Process title.
-1.8.0-dev+exp,true,process,process.uptime,long,extended,,1325,Seconds the process has been up.
-1.8.0-dev+exp,true,process,process.working_directory,wildcard,extended,,/home/alice,The working directory of the process.
-1.8.0-dev+exp,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process.
-1.8.0-dev+exp,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
-1.8.0-dev+exp,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
-1.8.0-dev+exp,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
-1.8.0-dev+exp,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
-1.8.0-dev+exp,true,registry,registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
-1.8.0-dev+exp,true,registry,registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
-1.8.0-dev+exp,true,registry,registry.value,keyword,core,,Debugger,Name of the value written.
-1.8.0-dev+exp,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event.
-1.8.0-dev+exp,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event.
-1.8.0-dev+exp,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event.
-1.8.0-dev+exp,true,related,related.user,keyword,extended,array,,All the user names seen on your event.
-1.8.0-dev+exp,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author
-1.8.0-dev+exp,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category
-1.8.0-dev+exp,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description
-1.8.0-dev+exp,true,rule,rule.id,keyword,extended,,101,Rule ID
-1.8.0-dev+exp,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license
-1.8.0-dev+exp,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name
-1.8.0-dev+exp,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL
-1.8.0-dev+exp,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset
-1.8.0-dev+exp,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID
-1.8.0-dev+exp,true,rule,rule.version,keyword,extended,,1.1,Rule version
-1.8.0-dev+exp,true,server,server.address,keyword,extended,,,Server network address.
-1.8.0-dev+exp,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.8.0-dev+exp,true,server,server.as.organization.name,wildcard,extended,,Google LLC,Organization name.
-1.8.0-dev+exp,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.8.0-dev+exp,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client.
-1.8.0-dev+exp,true,server,server.domain,wildcard,core,,,Server domain.
-1.8.0-dev+exp,true,server,server.geo.city_name,keyword,core,,Montreal,City name.
-1.8.0-dev+exp,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.8.0-dev+exp,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.8.0-dev+exp,true,server,server.geo.country_name,keyword,core,,Canada,Country name.
-1.8.0-dev+exp,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.8.0-dev+exp,true,server,server.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
-1.8.0-dev+exp,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.8.0-dev+exp,true,server,server.geo.region_name,keyword,core,,Quebec,Region name.
-1.8.0-dev+exp,true,server,server.ip,ip,core,,,IP address of the server.
-1.8.0-dev+exp,true,server,server.mac,keyword,core,,,MAC address of the server.
-1.8.0-dev+exp,true,server,server.nat.ip,ip,extended,,,Server NAT ip
-1.8.0-dev+exp,true,server,server.nat.port,long,extended,,,Server NAT port
-1.8.0-dev+exp,true,server,server.packets,long,core,,12,Packets sent from the server to the client.
-1.8.0-dev+exp,true,server,server.port,long,core,,,Port of the server.
-1.8.0-dev+exp,true,server,server.registered_domain,wildcard,extended,,example.com,"The highest registered server domain, stripped of the subdomain."
-1.8.0-dev+exp,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain.
-1.8.0-dev+exp,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.8.0-dev+exp,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev+exp,true,server,server.user.email,wildcard,extended,,,User email address.
-1.8.0-dev+exp,true,server,server.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev+exp,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev+exp,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.8.0-dev+exp,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.8.0-dev+exp,true,server,server.user.group.name,keyword,extended,,,Name of the group.
-1.8.0-dev+exp,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.8.0-dev+exp,true,server,server.user.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev+exp,true,server,server.user.name,wildcard,core,,albert,Short name or login of the user.
-1.8.0-dev+exp,true,server,server.user.name.text,text,core,,albert,Short name or login of the user.
-1.8.0-dev+exp,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.8.0-dev+exp,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
-1.8.0-dev+exp,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
-1.8.0-dev+exp,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service.
-1.8.0-dev+exp,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node.
-1.8.0-dev+exp,true,service,service.state,keyword,core,,,Current state of the service.
-1.8.0-dev+exp,true,service,service.type,keyword,core,,elasticsearch,The type of the service.
-1.8.0-dev+exp,true,service,service.version,keyword,core,,3.2.4,Version of the service.
-1.8.0-dev+exp,true,source,source.address,keyword,extended,,,Source network address.
-1.8.0-dev+exp,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.8.0-dev+exp,true,source,source.as.organization.name,wildcard,extended,,Google LLC,Organization name.
-1.8.0-dev+exp,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.8.0-dev+exp,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination.
-1.8.0-dev+exp,true,source,source.domain,wildcard,core,,,Source domain.
-1.8.0-dev+exp,true,source,source.geo.city_name,keyword,core,,Montreal,City name.
-1.8.0-dev+exp,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.8.0-dev+exp,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.8.0-dev+exp,true,source,source.geo.country_name,keyword,core,,Canada,Country name.
-1.8.0-dev+exp,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.8.0-dev+exp,true,source,source.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
-1.8.0-dev+exp,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.8.0-dev+exp,true,source,source.geo.region_name,keyword,core,,Quebec,Region name.
-1.8.0-dev+exp,true,source,source.ip,ip,core,,,IP address of the source.
-1.8.0-dev+exp,true,source,source.mac,keyword,core,,,MAC address of the source.
-1.8.0-dev+exp,true,source,source.nat.ip,ip,extended,,,Source NAT ip
-1.8.0-dev+exp,true,source,source.nat.port,long,extended,,,Source NAT port
-1.8.0-dev+exp,true,source,source.packets,long,core,,12,Packets sent from the source to the destination.
-1.8.0-dev+exp,true,source,source.port,long,core,,,Port of the source.
-1.8.0-dev+exp,true,source,source.registered_domain,wildcard,extended,,example.com,"The highest registered source domain, stripped of the subdomain."
-1.8.0-dev+exp,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain.
-1.8.0-dev+exp,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.8.0-dev+exp,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev+exp,true,source,source.user.email,wildcard,extended,,,User email address.
-1.8.0-dev+exp,true,source,source.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev+exp,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev+exp,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.8.0-dev+exp,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.8.0-dev+exp,true,source,source.user.group.name,keyword,extended,,,Name of the group.
-1.8.0-dev+exp,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.8.0-dev+exp,true,source,source.user.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev+exp,true,source,source.user.name,wildcard,core,,albert,Short name or login of the user.
-1.8.0-dev+exp,true,source,source.user.name.text,text,core,,albert,Short name or login of the user.
-1.8.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.8.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace.
-1.8.0-dev+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework.
-1.8.0-dev+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id.
-1.8.0-dev+exp,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic.
-1.8.0-dev+exp,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference.
-1.8.0-dev+exp,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id.
-1.8.0-dev+exp,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name.
-1.8.0-dev+exp,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name.
-1.8.0-dev+exp,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference.
-1.8.0-dev+exp,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id.
-1.8.0-dev+exp,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name.
-1.8.0-dev+exp,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name.
-1.8.0-dev+exp,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference.
-1.8.0-dev+exp,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection.
-1.8.0-dev+exp,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client.
-1.8.0-dev+exp,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client.
-1.8.0-dev+exp,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client.
-1.8.0-dev+exp,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client.
-1.8.0-dev+exp,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client.
-1.8.0-dev+exp,true,tls,tls.client.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
-1.8.0-dev+exp,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake.
-1.8.0-dev+exp,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid.
-1.8.0-dev+exp,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid.
-1.8.0-dev+exp,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI.
-1.8.0-dev+exp,true,tls,tls.client.subject,wildcard,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client.
-1.8.0-dev+exp,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello.
-1.8.0-dev+exp,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
-1.8.0-dev+exp,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
-1.8.0-dev+exp,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-1.8.0-dev+exp,true,tls,tls.client.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
-1.8.0-dev+exp,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
-1.8.0-dev+exp,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
-1.8.0-dev+exp,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
-1.8.0-dev+exp,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.8.0-dev+exp,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
-1.8.0-dev+exp,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
-1.8.0-dev+exp,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
-1.8.0-dev+exp,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-1.8.0-dev+exp,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
-1.8.0-dev+exp,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
-1.8.0-dev+exp,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
-1.8.0-dev+exp,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
-1.8.0-dev+exp,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
-1.8.0-dev+exp,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code
-1.8.0-dev+exp,true,tls,tls.client.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
-1.8.0-dev+exp,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
-1.8.0-dev+exp,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
-1.8.0-dev+exp,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
-1.8.0-dev+exp,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.8.0-dev+exp,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format.
-1.8.0-dev+exp,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable."
-1.8.0-dev+exp,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
-1.8.0-dev+exp,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled.
-1.8.0-dev+exp,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
-1.8.0-dev+exp,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server.
-1.8.0-dev+exp,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server.
-1.8.0-dev+exp,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server.
-1.8.0-dev+exp,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server.
-1.8.0-dev+exp,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server.
-1.8.0-dev+exp,true,tls,tls.server.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server.
-1.8.0-dev+exp,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake.
-1.8.0-dev+exp,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid.
-1.8.0-dev+exp,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid.
-1.8.0-dev+exp,true,tls,tls.server.subject,wildcard,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server.
-1.8.0-dev+exp,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
-1.8.0-dev+exp,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
-1.8.0-dev+exp,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-1.8.0-dev+exp,true,tls,tls.server.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
-1.8.0-dev+exp,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
-1.8.0-dev+exp,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
-1.8.0-dev+exp,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
-1.8.0-dev+exp,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.8.0-dev+exp,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
-1.8.0-dev+exp,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
-1.8.0-dev+exp,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
-1.8.0-dev+exp,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-1.8.0-dev+exp,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
-1.8.0-dev+exp,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
-1.8.0-dev+exp,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
-1.8.0-dev+exp,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
-1.8.0-dev+exp,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
-1.8.0-dev+exp,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code
-1.8.0-dev+exp,true,tls,tls.server.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
-1.8.0-dev+exp,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
-1.8.0-dev+exp,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
-1.8.0-dev+exp,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
-1.8.0-dev+exp,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.8.0-dev+exp,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format.
-1.8.0-dev+exp,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string.
-1.8.0-dev+exp,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string.
-1.8.0-dev+exp,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace.
-1.8.0-dev+exp,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace.
-1.8.0-dev+exp,true,url,url.domain,wildcard,extended,,www.elastic.co,Domain of the url.
-1.8.0-dev+exp,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
-1.8.0-dev+exp,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`.
-1.8.0-dev+exp,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-1.8.0-dev+exp,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-1.8.0-dev+exp,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
-1.8.0-dev+exp,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
-1.8.0-dev+exp,true,url,url.password,keyword,extended,,,Password of the request.
-1.8.0-dev+exp,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
-1.8.0-dev+exp,true,url,url.port,long,extended,,443,"Port of the request, such as 443."
-1.8.0-dev+exp,true,url,url.query,keyword,extended,,,Query string of the request.
-1.8.0-dev+exp,true,url,url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
-1.8.0-dev+exp,true,url,url.scheme,keyword,extended,,https,Scheme of the url.
-1.8.0-dev+exp,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain.
-1.8.0-dev+exp,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.8.0-dev+exp,true,url,url.username,keyword,extended,,,Username of the request.
-1.8.0-dev+exp,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev+exp,true,user,user.changes.email,wildcard,extended,,,User email address.
-1.8.0-dev+exp,true,user,user.changes.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev+exp,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev+exp,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.8.0-dev+exp,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.8.0-dev+exp,true,user,user.changes.group.name,keyword,extended,,,Name of the group.
-1.8.0-dev+exp,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.8.0-dev+exp,true,user,user.changes.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev+exp,true,user,user.changes.name,wildcard,core,,albert,Short name or login of the user.
-1.8.0-dev+exp,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user.
-1.8.0-dev+exp,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.8.0-dev+exp,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev+exp,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev+exp,true,user,user.effective.email,wildcard,extended,,,User email address.
-1.8.0-dev+exp,true,user,user.effective.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev+exp,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev+exp,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.8.0-dev+exp,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.8.0-dev+exp,true,user,user.effective.group.name,keyword,extended,,,Name of the group.
-1.8.0-dev+exp,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.8.0-dev+exp,true,user,user.effective.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev+exp,true,user,user.effective.name,wildcard,core,,albert,Short name or login of the user.
-1.8.0-dev+exp,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user.
-1.8.0-dev+exp,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.8.0-dev+exp,true,user,user.email,wildcard,extended,,,User email address.
-1.8.0-dev+exp,true,user,user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev+exp,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev+exp,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.8.0-dev+exp,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.8.0-dev+exp,true,user,user.group.name,keyword,extended,,,Name of the group.
-1.8.0-dev+exp,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.8.0-dev+exp,true,user,user.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev+exp,true,user,user.name,wildcard,core,,albert,Short name or login of the user.
-1.8.0-dev+exp,true,user,user.name.text,text,core,,albert,Short name or login of the user.
-1.8.0-dev+exp,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.8.0-dev+exp,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev+exp,true,user,user.target.email,wildcard,extended,,,User email address.
-1.8.0-dev+exp,true,user,user.target.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev+exp,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev+exp,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.8.0-dev+exp,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.8.0-dev+exp,true,user,user.target.group.name,keyword,extended,,,Name of the group.
-1.8.0-dev+exp,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.8.0-dev+exp,true,user,user.target.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev+exp,true,user,user.target.name,wildcard,core,,albert,Short name or login of the user.
-1.8.0-dev+exp,true,user,user.target.name.text,text,core,,albert,Short name or login of the user.
-1.8.0-dev+exp,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.8.0-dev+exp,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device.
-1.8.0-dev+exp,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
-1.8.0-dev+exp,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
-1.8.0-dev+exp,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
-1.8.0-dev+exp,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.8.0-dev+exp,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.8.0-dev+exp,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.8.0-dev+exp,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.8.0-dev+exp,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
-1.8.0-dev+exp,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
-1.8.0-dev+exp,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
-1.8.0-dev+exp,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
-1.8.0-dev+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
-1.8.0-dev+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent.
-1.8.0-dev+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability.
-1.8.0-dev+exp,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability.
-1.8.0-dev+exp,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
-1.8.0-dev+exp,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
-1.8.0-dev+exp,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability.
-1.8.0-dev+exp,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability.
-1.8.0-dev+exp,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability.
-1.8.0-dev+exp,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number.
-1.8.0-dev+exp,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor.
-1.8.0-dev+exp,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score.
-1.8.0-dev+exp,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score.
-1.8.0-dev+exp,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score.
-1.8.0-dev+exp,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version.
-1.8.0-dev+exp,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability.
+1.9.0-dev+exp,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated.
+1.9.0-dev+exp,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs.
+1.9.0-dev+exp,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer.
+1.9.0-dev+exp,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event.
+1.9.0-dev+exp,true,agent,agent.build.original,wildcard,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent.
+1.9.0-dev+exp,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent.
+1.9.0-dev+exp,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
+1.9.0-dev+exp,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
+1.9.0-dev+exp,true,agent,agent.type,keyword,core,,filebeat,Type of the agent.
+1.9.0-dev+exp,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
+1.9.0-dev+exp,true,client,client.address,keyword,extended,,,Client network address.
+1.9.0-dev+exp,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.9.0-dev+exp,true,client,client.as.organization.name,wildcard,extended,,Google LLC,Organization name.
+1.9.0-dev+exp,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.9.0-dev+exp,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server.
+1.9.0-dev+exp,true,client,client.domain,wildcard,core,,,Client domain.
+1.9.0-dev+exp,true,client,client.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0-dev+exp,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.9.0-dev+exp,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.9.0-dev+exp,true,client,client.geo.country_name,keyword,core,,Canada,Country name.
+1.9.0-dev+exp,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.9.0-dev+exp,true,client,client.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.9.0-dev+exp,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.9.0-dev+exp,true,client,client.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0-dev+exp,true,client,client.ip,ip,core,,,IP address of the client.
+1.9.0-dev+exp,true,client,client.mac,keyword,core,,,MAC address of the client.
+1.9.0-dev+exp,true,client,client.nat.ip,ip,extended,,,Client NAT ip address
+1.9.0-dev+exp,true,client,client.nat.port,long,extended,,,Client NAT port
+1.9.0-dev+exp,true,client,client.packets,long,core,,12,Packets sent from the client to the server.
+1.9.0-dev+exp,true,client,client.port,long,core,,,Port of the client.
+1.9.0-dev+exp,true,client,client.registered_domain,wildcard,extended,,example.com,"The highest registered client domain, stripped of the subdomain."
+1.9.0-dev+exp,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.9.0-dev+exp,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.9.0-dev+exp,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.9.0-dev+exp,true,client,client.user.email,wildcard,extended,,,User email address.
+1.9.0-dev+exp,true,client,client.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev+exp,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev+exp,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0-dev+exp,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0-dev+exp,true,client,client.user.group.name,keyword,extended,,,Name of the group.
+1.9.0-dev+exp,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.9.0-dev+exp,true,client,client.user.id,keyword,core,,,Unique identifier of the user.
+1.9.0-dev+exp,true,client,client.user.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0-dev+exp,true,client,client.user.name.text,text,core,,albert,Short name or login of the user.
+1.9.0-dev+exp,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.9.0-dev+exp,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id.
+1.9.0-dev+exp,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name.
+1.9.0-dev+exp,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running.
+1.9.0-dev+exp,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
+1.9.0-dev+exp,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine.
+1.9.0-dev+exp,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
+1.9.0-dev+exp,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id.
+1.9.0-dev+exp,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name.
+1.9.0-dev+exp,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider.
+1.9.0-dev+exp,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running.
+1.9.0-dev+exp,true,container,container.id,keyword,core,,,Unique container id.
+1.9.0-dev+exp,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on.
+1.9.0-dev+exp,true,container,container.image.tag,keyword,extended,array,,Container image tags.
+1.9.0-dev+exp,true,container,container.labels,object,extended,,,Image labels.
+1.9.0-dev+exp,true,container,container.name,keyword,extended,,,Container name.
+1.9.0-dev+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container.
+1.9.0-dev+exp,true,destination,destination.address,keyword,extended,,,Destination network address.
+1.9.0-dev+exp,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.9.0-dev+exp,true,destination,destination.as.organization.name,wildcard,extended,,Google LLC,Organization name.
+1.9.0-dev+exp,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.9.0-dev+exp,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source.
+1.9.0-dev+exp,true,destination,destination.domain,wildcard,core,,,Destination domain.
+1.9.0-dev+exp,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0-dev+exp,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.9.0-dev+exp,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.9.0-dev+exp,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name.
+1.9.0-dev+exp,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.9.0-dev+exp,true,destination,destination.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.9.0-dev+exp,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.9.0-dev+exp,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0-dev+exp,true,destination,destination.ip,ip,core,,,IP address of the destination.
+1.9.0-dev+exp,true,destination,destination.mac,keyword,core,,,MAC address of the destination.
+1.9.0-dev+exp,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip
+1.9.0-dev+exp,true,destination,destination.nat.port,long,extended,,,Destination NAT Port
+1.9.0-dev+exp,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source.
+1.9.0-dev+exp,true,destination,destination.port,long,core,,,Port of the destination.
+1.9.0-dev+exp,true,destination,destination.registered_domain,wildcard,extended,,example.com,"The highest registered destination domain, stripped of the subdomain."
+1.9.0-dev+exp,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.9.0-dev+exp,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.9.0-dev+exp,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.9.0-dev+exp,true,destination,destination.user.email,wildcard,extended,,,User email address.
+1.9.0-dev+exp,true,destination,destination.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev+exp,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev+exp,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0-dev+exp,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0-dev+exp,true,destination,destination.user.group.name,keyword,extended,,,Name of the group.
+1.9.0-dev+exp,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.9.0-dev+exp,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user.
+1.9.0-dev+exp,true,destination,destination.user.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0-dev+exp,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user.
+1.9.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.9.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.9.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.9.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.9.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.9.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.9.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash.
+1.9.0-dev+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash.
+1.9.0-dev+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash.
+1.9.0-dev+exp,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash.
+1.9.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library.
+1.9.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library.
+1.9.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.9.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.9.0-dev+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.9.0-dev+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.9.0-dev+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.9.0-dev+exp,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.9.0-dev+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.9.0-dev+exp,true,dns,dns.answers,object,extended,array,,Array of DNS answers.
+1.9.0-dev+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record.
+1.9.0-dev+exp,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource.
+1.9.0-dev+exp,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains.
+1.9.0-dev+exp,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded.
+1.9.0-dev+exp,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record.
+1.9.0-dev+exp,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags.
+1.9.0-dev+exp,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
+1.9.0-dev+exp,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message.
+1.9.0-dev+exp,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried.
+1.9.0-dev+exp,true,dns,dns.question.name,wildcard,extended,,www.example.com,The name being queried.
+1.9.0-dev+exp,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain."
+1.9.0-dev+exp,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain.
+1.9.0-dev+exp,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.9.0-dev+exp,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried.
+1.9.0-dev+exp,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data
+1.9.0-dev+exp,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code.
+1.9.0-dev+exp,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer."
+1.9.0-dev+exp,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
+1.9.0-dev+exp,true,error,error.code,keyword,core,,,Error code describing the error.
+1.9.0-dev+exp,true,error,error.id,keyword,core,,,Unique identifier for the error.
+1.9.0-dev+exp,true,error,error.message,text,core,,,Error message.
+1.9.0-dev+exp,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text.
+1.9.0-dev+exp,true,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text.
+1.9.0-dev+exp,true,error,error.type,wildcard,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception."
+1.9.0-dev+exp,true,event,event.action,keyword,core,,user-password-change,The action captured by the event.
+1.9.0-dev+exp,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy.
+1.9.0-dev+exp,true,event,event.code,keyword,extended,,4648,Identification code for this event.
+1.9.0-dev+exp,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline.
+1.9.0-dev+exp,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset.
+1.9.0-dev+exp,true,event,event.duration,long,core,,,Duration of the event in nanoseconds.
+1.9.0-dev+exp,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed.
+1.9.0-dev+exp,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
+1.9.0-dev+exp,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event.
+1.9.0-dev+exp,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store.
+1.9.0-dev+exp,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy.
+1.9.0-dev+exp,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from.
+1.9.0-dev+exp,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124; worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event.
+1.9.0-dev+exp,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy.
+1.9.0-dev+exp,true,event,event.provider,keyword,extended,,kernel,Source of the event.
+1.9.0-dev+exp,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source"
+1.9.0-dev+exp,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL
+1.9.0-dev+exp,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
+1.9.0-dev+exp,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100).
+1.9.0-dev+exp,true,event,event.sequence,long,extended,,,Sequence number of the event.
+1.9.0-dev+exp,true,event,event.severity,long,core,,7,Numeric severity of the event.
+1.9.0-dev+exp,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed.
+1.9.0-dev+exp,true,event,event.timezone,keyword,extended,,,Event time zone.
+1.9.0-dev+exp,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy.
+1.9.0-dev+exp,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL
+1.9.0-dev+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed.
+1.9.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
+1.9.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.9.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.9.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.9.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.9.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.9.0-dev+exp,true,file,file.created,date,extended,,,File creation time.
+1.9.0-dev+exp,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed.
+1.9.0-dev+exp,true,file,file.device,keyword,extended,,sda,Device that is the source of the file.
+1.9.0-dev+exp,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located.
+1.9.0-dev+exp,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
+1.9.0-dev+exp,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
+1.9.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
+1.9.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file.
+1.9.0-dev+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash.
+1.9.0-dev+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash.
+1.9.0-dev+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash.
+1.9.0-dev+exp,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash.
+1.9.0-dev+exp,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
+1.9.0-dev+exp,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
+1.9.0-dev+exp,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation.
+1.9.0-dev+exp,true,file,file.mtime,date,extended,,,Last time the file content was modified.
+1.9.0-dev+exp,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
+1.9.0-dev+exp,true,file,file.owner,keyword,extended,,alice,File owner's username.
+1.9.0-dev+exp,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+1.9.0-dev+exp,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+1.9.0-dev+exp,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.9.0-dev+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.9.0-dev+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.9.0-dev+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.9.0-dev+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.9.0-dev+exp,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.9.0-dev+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.9.0-dev+exp,true,file,file.size,long,extended,,16384,File size in bytes.
+1.9.0-dev+exp,true,file,file.target_path,wildcard,extended,,,Target path for symlinks.
+1.9.0-dev+exp,true,file,file.target_path.text,text,extended,,,Target path for symlinks.
+1.9.0-dev+exp,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
+1.9.0-dev+exp,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
+1.9.0-dev+exp,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+1.9.0-dev+exp,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+1.9.0-dev+exp,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+1.9.0-dev+exp,true,file,file.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.9.0-dev+exp,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+1.9.0-dev+exp,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+1.9.0-dev+exp,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+1.9.0-dev+exp,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.9.0-dev+exp,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+1.9.0-dev+exp,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+1.9.0-dev+exp,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+1.9.0-dev+exp,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+1.9.0-dev+exp,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+1.9.0-dev+exp,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+1.9.0-dev+exp,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+1.9.0-dev+exp,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+1.9.0-dev+exp,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+1.9.0-dev+exp,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code
+1.9.0-dev+exp,true,file,file.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.9.0-dev+exp,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+1.9.0-dev+exp,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+1.9.0-dev+exp,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+1.9.0-dev+exp,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.9.0-dev+exp,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format.
+1.9.0-dev+exp,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0-dev+exp,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0-dev+exp,true,group,group.name,keyword,extended,,,Name of the group.
+1.9.0-dev+exp,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture.
+1.9.0-dev+exp,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1."
+1.9.0-dev+exp,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks.
+1.9.0-dev+exp,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks.
+1.9.0-dev+exp,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of.
+1.9.0-dev+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0-dev+exp,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.9.0-dev+exp,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.9.0-dev+exp,true,host,host.geo.country_name,keyword,core,,Canada,Country name.
+1.9.0-dev+exp,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.9.0-dev+exp,true,host,host.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.9.0-dev+exp,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.9.0-dev+exp,true,host,host.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0-dev+exp,true,host,host.hostname,wildcard,core,,,Hostname of the host.
+1.9.0-dev+exp,true,host,host.id,keyword,core,,,Unique host id.
+1.9.0-dev+exp,true,host,host.ip,ip,core,array,,Host ip addresses.
+1.9.0-dev+exp,true,host,host.mac,keyword,core,array,,Host mac addresses.
+1.9.0-dev+exp,true,host,host.name,keyword,core,,,Name of the host.
+1.9.0-dev+exp,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces.
+1.9.0-dev+exp,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces.
+1.9.0-dev+exp,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces.
+1.9.0-dev+exp,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces.
+1.9.0-dev+exp,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+1.9.0-dev+exp,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.9.0-dev+exp,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.9.0-dev+exp,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+1.9.0-dev+exp,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
+1.9.0-dev+exp,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
+1.9.0-dev+exp,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+1.9.0-dev+exp,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
+1.9.0-dev+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+1.9.0-dev+exp,true,host,host.type,keyword,core,,,Type of host.
+1.9.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up.
+1.9.0-dev+exp,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.9.0-dev+exp,true,host,host.user.email,wildcard,extended,,,User email address.
+1.9.0-dev+exp,true,host,host.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev+exp,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev+exp,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0-dev+exp,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0-dev+exp,true,host,host.user.group.name,keyword,extended,,,Name of the group.
+1.9.0-dev+exp,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.9.0-dev+exp,true,host,host.user.id,keyword,core,,,Unique identifier of the user.
+1.9.0-dev+exp,true,host,host.user.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0-dev+exp,true,host,host.user.name.text,text,core,,albert,Short name or login of the user.
+1.9.0-dev+exp,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.9.0-dev+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body.
+1.9.0-dev+exp,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body.
+1.9.0-dev+exp,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body.
+1.9.0-dev+exp,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers).
+1.9.0-dev+exp,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method.
+1.9.0-dev+exp,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request.
+1.9.0-dev+exp,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request.
+1.9.0-dev+exp,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body.
+1.9.0-dev+exp,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body.
+1.9.0-dev+exp,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body.
+1.9.0-dev+exp,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers).
+1.9.0-dev+exp,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response.
+1.9.0-dev+exp,true,http,http.response.status_code,long,extended,,404,HTTP response status code.
+1.9.0-dev+exp,true,http,http.version,keyword,extended,,1.1,HTTP version.
+1.9.0-dev+exp,true,log,log.file.path,wildcard,extended,,/var/log/fun-times.log,Full path to the log file this event came from.
+1.9.0-dev+exp,true,log,log.level,keyword,core,,error,Log level of the log event.
+1.9.0-dev+exp,true,log,log.logger,wildcard,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger.
+1.9.0-dev+exp,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event.
+1.9.0-dev+exp,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event.
+1.9.0-dev+exp,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event.
+1.9.0-dev+exp,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)."
+1.9.0-dev+exp,true,log,log.syslog,object,extended,,,Syslog metadata
+1.9.0-dev+exp,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event.
+1.9.0-dev+exp,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event.
+1.9.0-dev+exp,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event.
+1.9.0-dev+exp,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event.
+1.9.0-dev+exp,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event.
+1.9.0-dev+exp,true,network,network.application,keyword,extended,,aim,Application level protocol name.
+1.9.0-dev+exp,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions.
+1.9.0-dev+exp,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports.
+1.9.0-dev+exp,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic.
+1.9.0-dev+exp,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy.
+1.9.0-dev+exp,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number.
+1.9.0-dev+exp,true,network,network.inner,object,extended,,,Inner VLAN tag information
+1.9.0-dev+exp,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+1.9.0-dev+exp,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+1.9.0-dev+exp,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network.
+1.9.0-dev+exp,true,network,network.packets,long,core,,24,Total packets transferred in both directions.
+1.9.0-dev+exp,true,network,network.protocol,keyword,core,,http,L7 Network protocol name.
+1.9.0-dev+exp,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`.
+1.9.0-dev+exp,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc"
+1.9.0-dev+exp,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+1.9.0-dev+exp,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+1.9.0-dev+exp,true,observer,observer.egress,object,extended,,,Object field for egress information
+1.9.0-dev+exp,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias
+1.9.0-dev+exp,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID
+1.9.0-dev+exp,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name
+1.9.0-dev+exp,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+1.9.0-dev+exp,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+1.9.0-dev+exp,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone
+1.9.0-dev+exp,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0-dev+exp,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.9.0-dev+exp,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.9.0-dev+exp,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name.
+1.9.0-dev+exp,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.9.0-dev+exp,true,observer,observer.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.9.0-dev+exp,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.9.0-dev+exp,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0-dev+exp,true,observer,observer.hostname,keyword,core,,,Hostname of the observer.
+1.9.0-dev+exp,true,observer,observer.ingress,object,extended,,,Object field for ingress information
+1.9.0-dev+exp,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias
+1.9.0-dev+exp,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID
+1.9.0-dev+exp,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name
+1.9.0-dev+exp,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+1.9.0-dev+exp,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+1.9.0-dev+exp,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone
+1.9.0-dev+exp,true,observer,observer.ip,ip,core,array,,IP addresses of the observer.
+1.9.0-dev+exp,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer
+1.9.0-dev+exp,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer.
+1.9.0-dev+exp,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+1.9.0-dev+exp,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.9.0-dev+exp,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.9.0-dev+exp,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+1.9.0-dev+exp,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
+1.9.0-dev+exp,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
+1.9.0-dev+exp,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+1.9.0-dev+exp,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
+1.9.0-dev+exp,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+1.9.0-dev+exp,true,observer,observer.product,keyword,extended,,s200,The product name of the observer.
+1.9.0-dev+exp,true,observer,observer.serial_number,keyword,extended,,,Observer serial number.
+1.9.0-dev+exp,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from.
+1.9.0-dev+exp,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer.
+1.9.0-dev+exp,true,observer,observer.version,keyword,core,,,Observer version.
+1.9.0-dev+exp,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization.
+1.9.0-dev+exp,true,organization,organization.name,wildcard,extended,,,Organization name.
+1.9.0-dev+exp,true,organization,organization.name.text,text,extended,,,Organization name.
+1.9.0-dev+exp,true,package,package.architecture,keyword,extended,,x86_64,Package architecture.
+1.9.0-dev+exp,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information
+1.9.0-dev+exp,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification.
+1.9.0-dev+exp,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package.
+1.9.0-dev+exp,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global."
+1.9.0-dev+exp,true,package,package.installed,date,extended,,,Time when package was installed.
+1.9.0-dev+exp,true,package,package.license,keyword,extended,,Apache License 2.0,Package license
+1.9.0-dev+exp,true,package,package.name,keyword,extended,,go,Package name
+1.9.0-dev+exp,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed.
+1.9.0-dev+exp,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL
+1.9.0-dev+exp,true,package,package.size,long,extended,,62231,Package size in bytes.
+1.9.0-dev+exp,true,package,package.type,keyword,extended,,rpm,Package type
+1.9.0-dev+exp,true,package,package.version,keyword,extended,,1.12.9,Package version
+1.9.0-dev+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
+1.9.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array.
+1.9.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.9.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.9.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.9.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.9.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.9.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.9.0-dev+exp,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.9.0-dev+exp,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
+1.9.0-dev+exp,true,process,process.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.9.0-dev+exp,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.9.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process.
+1.9.0-dev+exp,true,process,process.hash.md5,keyword,extended,,,MD5 hash.
+1.9.0-dev+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash.
+1.9.0-dev+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash.
+1.9.0-dev+exp,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash.
+1.9.0-dev+exp,true,process,process.name,wildcard,extended,,ssh,Process name.
+1.9.0-dev+exp,true,process,process.name.text,text,extended,,ssh,Process name.
+1.9.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
+1.9.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
+1.9.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.9.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.9.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.9.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.9.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.9.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.9.0-dev+exp,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.9.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
+1.9.0-dev+exp,true,process,process.parent.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.9.0-dev+exp,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.9.0-dev+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process.
+1.9.0-dev+exp,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash.
+1.9.0-dev+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash.
+1.9.0-dev+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash.
+1.9.0-dev+exp,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash.
+1.9.0-dev+exp,true,process,process.parent.name,wildcard,extended,,ssh,Process name.
+1.9.0-dev+exp,true,process,process.parent.name.text,text,extended,,ssh,Process name.
+1.9.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.9.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.9.0-dev+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.9.0-dev+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.9.0-dev+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.9.0-dev+exp,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.9.0-dev+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.9.0-dev+exp,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
+1.9.0-dev+exp,true,process,process.parent.pid,long,core,,4242,Process id.
+1.9.0-dev+exp,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid.
+1.9.0-dev+exp,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
+1.9.0-dev+exp,true,process,process.parent.thread.id,long,extended,,4242,Thread ID.
+1.9.0-dev+exp,true,process,process.parent.thread.name,wildcard,extended,,thread-0,Thread name.
+1.9.0-dev+exp,true,process,process.parent.title,wildcard,extended,,,Process title.
+1.9.0-dev+exp,true,process,process.parent.title.text,text,extended,,,Process title.
+1.9.0-dev+exp,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up.
+1.9.0-dev+exp,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process.
+1.9.0-dev+exp,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process.
+1.9.0-dev+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.9.0-dev+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.9.0-dev+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.9.0-dev+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.9.0-dev+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.9.0-dev+exp,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.9.0-dev+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.9.0-dev+exp,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
+1.9.0-dev+exp,true,process,process.pid,long,core,,4242,Process id.
+1.9.0-dev+exp,true,process,process.ppid,long,extended,,4241,Parent process' pid.
+1.9.0-dev+exp,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
+1.9.0-dev+exp,true,process,process.thread.id,long,extended,,4242,Thread ID.
+1.9.0-dev+exp,true,process,process.thread.name,wildcard,extended,,thread-0,Thread name.
+1.9.0-dev+exp,true,process,process.title,wildcard,extended,,,Process title.
+1.9.0-dev+exp,true,process,process.title.text,text,extended,,,Process title.
+1.9.0-dev+exp,true,process,process.uptime,long,extended,,1325,Seconds the process has been up.
+1.9.0-dev+exp,true,process,process.working_directory,wildcard,extended,,/home/alice,The working directory of the process.
+1.9.0-dev+exp,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process.
+1.9.0-dev+exp,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
+1.9.0-dev+exp,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
+1.9.0-dev+exp,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
+1.9.0-dev+exp,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
+1.9.0-dev+exp,true,registry,registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
+1.9.0-dev+exp,true,registry,registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
+1.9.0-dev+exp,true,registry,registry.value,keyword,core,,Debugger,Name of the value written.
+1.9.0-dev+exp,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event.
+1.9.0-dev+exp,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event.
+1.9.0-dev+exp,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event.
+1.9.0-dev+exp,true,related,related.user,keyword,extended,array,,All the user names seen on your event.
+1.9.0-dev+exp,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author
+1.9.0-dev+exp,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category
+1.9.0-dev+exp,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description
+1.9.0-dev+exp,true,rule,rule.id,keyword,extended,,101,Rule ID
+1.9.0-dev+exp,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license
+1.9.0-dev+exp,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name
+1.9.0-dev+exp,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL
+1.9.0-dev+exp,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset
+1.9.0-dev+exp,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID
+1.9.0-dev+exp,true,rule,rule.version,keyword,extended,,1.1,Rule version
+1.9.0-dev+exp,true,server,server.address,keyword,extended,,,Server network address.
+1.9.0-dev+exp,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.9.0-dev+exp,true,server,server.as.organization.name,wildcard,extended,,Google LLC,Organization name.
+1.9.0-dev+exp,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.9.0-dev+exp,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client.
+1.9.0-dev+exp,true,server,server.domain,wildcard,core,,,Server domain.
+1.9.0-dev+exp,true,server,server.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0-dev+exp,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.9.0-dev+exp,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.9.0-dev+exp,true,server,server.geo.country_name,keyword,core,,Canada,Country name.
+1.9.0-dev+exp,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.9.0-dev+exp,true,server,server.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.9.0-dev+exp,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.9.0-dev+exp,true,server,server.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0-dev+exp,true,server,server.ip,ip,core,,,IP address of the server.
+1.9.0-dev+exp,true,server,server.mac,keyword,core,,,MAC address of the server.
+1.9.0-dev+exp,true,server,server.nat.ip,ip,extended,,,Server NAT ip
+1.9.0-dev+exp,true,server,server.nat.port,long,extended,,,Server NAT port
+1.9.0-dev+exp,true,server,server.packets,long,core,,12,Packets sent from the server to the client.
+1.9.0-dev+exp,true,server,server.port,long,core,,,Port of the server.
+1.9.0-dev+exp,true,server,server.registered_domain,wildcard,extended,,example.com,"The highest registered server domain, stripped of the subdomain."
+1.9.0-dev+exp,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.9.0-dev+exp,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.9.0-dev+exp,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.9.0-dev+exp,true,server,server.user.email,wildcard,extended,,,User email address.
+1.9.0-dev+exp,true,server,server.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev+exp,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev+exp,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0-dev+exp,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0-dev+exp,true,server,server.user.group.name,keyword,extended,,,Name of the group.
+1.9.0-dev+exp,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.9.0-dev+exp,true,server,server.user.id,keyword,core,,,Unique identifier of the user.
+1.9.0-dev+exp,true,server,server.user.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0-dev+exp,true,server,server.user.name.text,text,core,,albert,Short name or login of the user.
+1.9.0-dev+exp,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.9.0-dev+exp,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
+1.9.0-dev+exp,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
+1.9.0-dev+exp,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service.
+1.9.0-dev+exp,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node.
+1.9.0-dev+exp,true,service,service.state,keyword,core,,,Current state of the service.
+1.9.0-dev+exp,true,service,service.type,keyword,core,,elasticsearch,The type of the service.
+1.9.0-dev+exp,true,service,service.version,keyword,core,,3.2.4,Version of the service.
+1.9.0-dev+exp,true,source,source.address,keyword,extended,,,Source network address.
+1.9.0-dev+exp,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.9.0-dev+exp,true,source,source.as.organization.name,wildcard,extended,,Google LLC,Organization name.
+1.9.0-dev+exp,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.9.0-dev+exp,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination.
+1.9.0-dev+exp,true,source,source.domain,wildcard,core,,,Source domain.
+1.9.0-dev+exp,true,source,source.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0-dev+exp,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.9.0-dev+exp,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.9.0-dev+exp,true,source,source.geo.country_name,keyword,core,,Canada,Country name.
+1.9.0-dev+exp,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.9.0-dev+exp,true,source,source.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.9.0-dev+exp,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.9.0-dev+exp,true,source,source.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0-dev+exp,true,source,source.ip,ip,core,,,IP address of the source.
+1.9.0-dev+exp,true,source,source.mac,keyword,core,,,MAC address of the source.
+1.9.0-dev+exp,true,source,source.nat.ip,ip,extended,,,Source NAT ip
+1.9.0-dev+exp,true,source,source.nat.port,long,extended,,,Source NAT port
+1.9.0-dev+exp,true,source,source.packets,long,core,,12,Packets sent from the source to the destination.
+1.9.0-dev+exp,true,source,source.port,long,core,,,Port of the source.
+1.9.0-dev+exp,true,source,source.registered_domain,wildcard,extended,,example.com,"The highest registered source domain, stripped of the subdomain."
+1.9.0-dev+exp,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.9.0-dev+exp,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.9.0-dev+exp,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.9.0-dev+exp,true,source,source.user.email,wildcard,extended,,,User email address.
+1.9.0-dev+exp,true,source,source.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev+exp,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev+exp,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0-dev+exp,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0-dev+exp,true,source,source.user.group.name,keyword,extended,,,Name of the group.
+1.9.0-dev+exp,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.9.0-dev+exp,true,source,source.user.id,keyword,core,,,Unique identifier of the user.
+1.9.0-dev+exp,true,source,source.user.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0-dev+exp,true,source,source.user.name.text,text,core,,albert,Short name or login of the user.
+1.9.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.9.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace.
+1.9.0-dev+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework.
+1.9.0-dev+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id.
+1.9.0-dev+exp,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic.
+1.9.0-dev+exp,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference.
+1.9.0-dev+exp,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id.
+1.9.0-dev+exp,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name.
+1.9.0-dev+exp,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name.
+1.9.0-dev+exp,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference.
+1.9.0-dev+exp,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id.
+1.9.0-dev+exp,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name.
+1.9.0-dev+exp,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name.
+1.9.0-dev+exp,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference.
+1.9.0-dev+exp,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection.
+1.9.0-dev+exp,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client.
+1.9.0-dev+exp,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client.
+1.9.0-dev+exp,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client.
+1.9.0-dev+exp,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client.
+1.9.0-dev+exp,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client.
+1.9.0-dev+exp,true,tls,tls.client.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
+1.9.0-dev+exp,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake.
+1.9.0-dev+exp,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid.
+1.9.0-dev+exp,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid.
+1.9.0-dev+exp,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI.
+1.9.0-dev+exp,true,tls,tls.client.subject,wildcard,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client.
+1.9.0-dev+exp,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello.
+1.9.0-dev+exp,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+1.9.0-dev+exp,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+1.9.0-dev+exp,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+1.9.0-dev+exp,true,tls,tls.client.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.9.0-dev+exp,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+1.9.0-dev+exp,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+1.9.0-dev+exp,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+1.9.0-dev+exp,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.9.0-dev+exp,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+1.9.0-dev+exp,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+1.9.0-dev+exp,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+1.9.0-dev+exp,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+1.9.0-dev+exp,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+1.9.0-dev+exp,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+1.9.0-dev+exp,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+1.9.0-dev+exp,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+1.9.0-dev+exp,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+1.9.0-dev+exp,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code
+1.9.0-dev+exp,true,tls,tls.client.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.9.0-dev+exp,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+1.9.0-dev+exp,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+1.9.0-dev+exp,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+1.9.0-dev+exp,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.9.0-dev+exp,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format.
+1.9.0-dev+exp,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable."
+1.9.0-dev+exp,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
+1.9.0-dev+exp,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled.
+1.9.0-dev+exp,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
+1.9.0-dev+exp,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server.
+1.9.0-dev+exp,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server.
+1.9.0-dev+exp,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server.
+1.9.0-dev+exp,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server.
+1.9.0-dev+exp,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server.
+1.9.0-dev+exp,true,tls,tls.server.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server.
+1.9.0-dev+exp,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake.
+1.9.0-dev+exp,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid.
+1.9.0-dev+exp,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid.
+1.9.0-dev+exp,true,tls,tls.server.subject,wildcard,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server.
+1.9.0-dev+exp,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+1.9.0-dev+exp,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+1.9.0-dev+exp,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+1.9.0-dev+exp,true,tls,tls.server.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.9.0-dev+exp,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+1.9.0-dev+exp,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+1.9.0-dev+exp,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+1.9.0-dev+exp,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.9.0-dev+exp,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+1.9.0-dev+exp,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+1.9.0-dev+exp,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+1.9.0-dev+exp,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+1.9.0-dev+exp,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+1.9.0-dev+exp,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+1.9.0-dev+exp,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+1.9.0-dev+exp,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+1.9.0-dev+exp,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+1.9.0-dev+exp,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code
+1.9.0-dev+exp,true,tls,tls.server.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.9.0-dev+exp,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+1.9.0-dev+exp,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+1.9.0-dev+exp,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+1.9.0-dev+exp,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.9.0-dev+exp,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format.
+1.9.0-dev+exp,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string.
+1.9.0-dev+exp,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string.
+1.9.0-dev+exp,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace.
+1.9.0-dev+exp,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace.
+1.9.0-dev+exp,true,url,url.domain,wildcard,extended,,www.elastic.co,Domain of the url.
+1.9.0-dev+exp,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
+1.9.0-dev+exp,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`.
+1.9.0-dev+exp,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+1.9.0-dev+exp,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+1.9.0-dev+exp,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+1.9.0-dev+exp,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+1.9.0-dev+exp,true,url,url.password,keyword,extended,,,Password of the request.
+1.9.0-dev+exp,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
+1.9.0-dev+exp,true,url,url.port,long,extended,,443,"Port of the request, such as 443."
+1.9.0-dev+exp,true,url,url.query,keyword,extended,,,Query string of the request.
+1.9.0-dev+exp,true,url,url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
+1.9.0-dev+exp,true,url,url.scheme,keyword,extended,,https,Scheme of the url.
+1.9.0-dev+exp,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.9.0-dev+exp,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.9.0-dev+exp,true,url,url.username,keyword,extended,,,Username of the request.
+1.9.0-dev+exp,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.9.0-dev+exp,true,user,user.changes.email,wildcard,extended,,,User email address.
+1.9.0-dev+exp,true,user,user.changes.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev+exp,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev+exp,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0-dev+exp,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0-dev+exp,true,user,user.changes.group.name,keyword,extended,,,Name of the group.
+1.9.0-dev+exp,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.9.0-dev+exp,true,user,user.changes.id,keyword,core,,,Unique identifier of the user.
+1.9.0-dev+exp,true,user,user.changes.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0-dev+exp,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user.
+1.9.0-dev+exp,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.9.0-dev+exp,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.9.0-dev+exp,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.9.0-dev+exp,true,user,user.effective.email,wildcard,extended,,,User email address.
+1.9.0-dev+exp,true,user,user.effective.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev+exp,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev+exp,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0-dev+exp,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0-dev+exp,true,user,user.effective.group.name,keyword,extended,,,Name of the group.
+1.9.0-dev+exp,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.9.0-dev+exp,true,user,user.effective.id,keyword,core,,,Unique identifier of the user.
+1.9.0-dev+exp,true,user,user.effective.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0-dev+exp,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user.
+1.9.0-dev+exp,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.9.0-dev+exp,true,user,user.email,wildcard,extended,,,User email address.
+1.9.0-dev+exp,true,user,user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev+exp,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev+exp,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0-dev+exp,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0-dev+exp,true,user,user.group.name,keyword,extended,,,Name of the group.
+1.9.0-dev+exp,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.9.0-dev+exp,true,user,user.id,keyword,core,,,Unique identifier of the user.
+1.9.0-dev+exp,true,user,user.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0-dev+exp,true,user,user.name.text,text,core,,albert,Short name or login of the user.
+1.9.0-dev+exp,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.9.0-dev+exp,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.9.0-dev+exp,true,user,user.target.email,wildcard,extended,,,User email address.
+1.9.0-dev+exp,true,user,user.target.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev+exp,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev+exp,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0-dev+exp,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0-dev+exp,true,user,user.target.group.name,keyword,extended,,,Name of the group.
+1.9.0-dev+exp,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.9.0-dev+exp,true,user,user.target.id,keyword,core,,,Unique identifier of the user.
+1.9.0-dev+exp,true,user,user.target.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0-dev+exp,true,user,user.target.name.text,text,core,,albert,Short name or login of the user.
+1.9.0-dev+exp,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.9.0-dev+exp,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device.
+1.9.0-dev+exp,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
+1.9.0-dev+exp,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
+1.9.0-dev+exp,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
+1.9.0-dev+exp,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+1.9.0-dev+exp,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.9.0-dev+exp,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.9.0-dev+exp,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+1.9.0-dev+exp,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
+1.9.0-dev+exp,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
+1.9.0-dev+exp,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+1.9.0-dev+exp,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
+1.9.0-dev+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+1.9.0-dev+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent.
+1.9.0-dev+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability.
+1.9.0-dev+exp,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability.
+1.9.0-dev+exp,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
+1.9.0-dev+exp,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
+1.9.0-dev+exp,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability.
+1.9.0-dev+exp,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability.
+1.9.0-dev+exp,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability.
+1.9.0-dev+exp,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number.
+1.9.0-dev+exp,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor.
+1.9.0-dev+exp,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score.
+1.9.0-dev+exp,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score.
+1.9.0-dev+exp,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score.
+1.9.0-dev+exp,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version.
+1.9.0-dev+exp,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability.
diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json
index 0fe6ffed2b..029aa451f3 100644
--- a/experimental/generated/elasticsearch/7/template.json
+++ b/experimental/generated/elasticsearch/7/template.json
@@ -4,7 +4,7 @@
   ],
   "mappings": {
     "_meta": {
-      "version": "1.8.0-dev+exp"
+      "version": "1.9.0-dev+exp"
     },
     "date_detection": false,
     "dynamic_templates": [
diff --git a/experimental/generated/elasticsearch/component/agent.json b/experimental/generated/elasticsearch/component/agent.json
index fb5c48723d..2ee628913a 100644
--- a/experimental/generated/elasticsearch/component/agent.json
+++ b/experimental/generated/elasticsearch/component/agent.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html",
-    "ecs_version": "1.8.0-dev+exp"
+    "ecs_version": "1.9.0-dev+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/base.json b/experimental/generated/elasticsearch/component/base.json
index f99eeef699..d02df1ef01 100644
--- a/experimental/generated/elasticsearch/component/base.json
+++ b/experimental/generated/elasticsearch/component/base.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
-    "ecs_version": "1.8.0-dev+exp"
+    "ecs_version": "1.9.0-dev+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/client.json b/experimental/generated/elasticsearch/component/client.json
index 15ddc75390..bb1003070f 100644
--- a/experimental/generated/elasticsearch/component/client.json
+++ b/experimental/generated/elasticsearch/component/client.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html",
-    "ecs_version": "1.8.0-dev+exp"
+    "ecs_version": "1.9.0-dev+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/cloud.json b/experimental/generated/elasticsearch/component/cloud.json
index ff7311dafe..52f33efb8c 100644
--- a/experimental/generated/elasticsearch/component/cloud.json
+++ b/experimental/generated/elasticsearch/component/cloud.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html",
-    "ecs_version": "1.8.0-dev+exp"
+    "ecs_version": "1.9.0-dev+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/container.json b/experimental/generated/elasticsearch/component/container.json
index 8141acb5b2..f8c4f440af 100644
--- a/experimental/generated/elasticsearch/component/container.json
+++ b/experimental/generated/elasticsearch/component/container.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-container.html",
-    "ecs_version": "1.8.0-dev+exp"
+    "ecs_version": "1.9.0-dev+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/destination.json b/experimental/generated/elasticsearch/component/destination.json
index 3b26ce3896..be3448e658 100644
--- a/experimental/generated/elasticsearch/component/destination.json
+++ b/experimental/generated/elasticsearch/component/destination.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html",
-    "ecs_version": "1.8.0-dev+exp"
+    "ecs_version": "1.9.0-dev+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/dll.json b/experimental/generated/elasticsearch/component/dll.json
index da68f2d771..7491296fa2 100644
--- a/experimental/generated/elasticsearch/component/dll.json
+++ b/experimental/generated/elasticsearch/component/dll.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dll.html",
-    "ecs_version": "1.8.0-dev+exp"
+    "ecs_version": "1.9.0-dev+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/dns.json b/experimental/generated/elasticsearch/component/dns.json
index 5060df8227..4b1544f730 100644
--- a/experimental/generated/elasticsearch/component/dns.json
+++ b/experimental/generated/elasticsearch/component/dns.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html",
-    "ecs_version": "1.8.0-dev+exp"
+    "ecs_version": "1.9.0-dev+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/ecs.json b/experimental/generated/elasticsearch/component/ecs.json
index 244cf87db4..201b6c8afa 100644
--- a/experimental/generated/elasticsearch/component/ecs.json
+++ b/experimental/generated/elasticsearch/component/ecs.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html",
-    "ecs_version": "1.8.0-dev+exp"
+    "ecs_version": "1.9.0-dev+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/error.json b/experimental/generated/elasticsearch/component/error.json
index 4423a3a84c..1a78f012f5 100644
--- a/experimental/generated/elasticsearch/component/error.json
+++ b/experimental/generated/elasticsearch/component/error.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-error.html",
-    "ecs_version": "1.8.0-dev+exp"
+    "ecs_version": "1.9.0-dev+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/event.json b/experimental/generated/elasticsearch/component/event.json
index 42a982b4bf..023b3609e4 100644
--- a/experimental/generated/elasticsearch/component/event.json
+++ b/experimental/generated/elasticsearch/component/event.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html",
-    "ecs_version": "1.8.0-dev+exp"
+    "ecs_version": "1.9.0-dev+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/file.json b/experimental/generated/elasticsearch/component/file.json
index 5c1b4b6057..58379893c1 100644
--- a/experimental/generated/elasticsearch/component/file.json
+++ b/experimental/generated/elasticsearch/component/file.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html",
-    "ecs_version": "1.8.0-dev+exp"
+    "ecs_version": "1.9.0-dev+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/group.json b/experimental/generated/elasticsearch/component/group.json
index f310f5c103..af27bad40e 100644
--- a/experimental/generated/elasticsearch/component/group.json
+++ b/experimental/generated/elasticsearch/component/group.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-group.html",
-    "ecs_version": "1.8.0-dev+exp"
+    "ecs_version": "1.9.0-dev+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/host.json b/experimental/generated/elasticsearch/component/host.json
index 72a4bf410b..f5645b0920 100644
--- a/experimental/generated/elasticsearch/component/host.json
+++ b/experimental/generated/elasticsearch/component/host.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html",
-    "ecs_version": "1.8.0-dev+exp"
+    "ecs_version": "1.9.0-dev+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/http.json b/experimental/generated/elasticsearch/component/http.json
index 5de0e679a7..b2284df25e 100644
--- a/experimental/generated/elasticsearch/component/http.json
+++ b/experimental/generated/elasticsearch/component/http.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html",
-    "ecs_version": "1.8.0-dev+exp"
+    "ecs_version": "1.9.0-dev+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/log.json b/experimental/generated/elasticsearch/component/log.json
index 81228a61ff..0781701d8e 100644
--- a/experimental/generated/elasticsearch/component/log.json
+++ b/experimental/generated/elasticsearch/component/log.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html",
-    "ecs_version": "1.8.0-dev+exp"
+    "ecs_version": "1.9.0-dev+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/network.json b/experimental/generated/elasticsearch/component/network.json
index c2730e72d0..e77b7b3980 100644
--- a/experimental/generated/elasticsearch/component/network.json
+++ b/experimental/generated/elasticsearch/component/network.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html",
-    "ecs_version": "1.8.0-dev+exp"
+    "ecs_version": "1.9.0-dev+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/observer.json b/experimental/generated/elasticsearch/component/observer.json
index ad34d29bbe..bc53052962 100644
--- a/experimental/generated/elasticsearch/component/observer.json
+++ b/experimental/generated/elasticsearch/component/observer.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html",
-    "ecs_version": "1.8.0-dev+exp"
+    "ecs_version": "1.9.0-dev+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/organization.json b/experimental/generated/elasticsearch/component/organization.json
index 6af7d5ac6f..00a4d1a501 100644
--- a/experimental/generated/elasticsearch/component/organization.json
+++ b/experimental/generated/elasticsearch/component/organization.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-organization.html",
-    "ecs_version": "1.8.0-dev+exp"
+    "ecs_version": "1.9.0-dev+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/package.json b/experimental/generated/elasticsearch/component/package.json
index af4633e8a4..12913eecc9 100644
--- a/experimental/generated/elasticsearch/component/package.json
+++ b/experimental/generated/elasticsearch/component/package.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-package.html",
-    "ecs_version": "1.8.0-dev+exp"
+    "ecs_version": "1.9.0-dev+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/process.json b/experimental/generated/elasticsearch/component/process.json
index e082f76b26..9fad9bcc0c 100644
--- a/experimental/generated/elasticsearch/component/process.json
+++ b/experimental/generated/elasticsearch/component/process.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html",
-    "ecs_version": "1.8.0-dev+exp"
+    "ecs_version": "1.9.0-dev+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/registry.json b/experimental/generated/elasticsearch/component/registry.json
index 96ced2ea54..1eb688adec 100644
--- a/experimental/generated/elasticsearch/component/registry.json
+++ b/experimental/generated/elasticsearch/component/registry.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-registry.html",
-    "ecs_version": "1.8.0-dev+exp"
+    "ecs_version": "1.9.0-dev+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/related.json b/experimental/generated/elasticsearch/component/related.json
index c1ab9d53bd..498b911430 100644
--- a/experimental/generated/elasticsearch/component/related.json
+++ b/experimental/generated/elasticsearch/component/related.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html",
-    "ecs_version": "1.8.0-dev+exp"
+    "ecs_version": "1.9.0-dev+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/rule.json b/experimental/generated/elasticsearch/component/rule.json
index b41de85270..c93278e7cd 100644
--- a/experimental/generated/elasticsearch/component/rule.json
+++ b/experimental/generated/elasticsearch/component/rule.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html",
-    "ecs_version": "1.8.0-dev+exp"
+    "ecs_version": "1.9.0-dev+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/server.json b/experimental/generated/elasticsearch/component/server.json
index 088a8834c9..16cd5781f8 100644
--- a/experimental/generated/elasticsearch/component/server.json
+++ b/experimental/generated/elasticsearch/component/server.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html",
-    "ecs_version": "1.8.0-dev+exp"
+    "ecs_version": "1.9.0-dev+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/service.json b/experimental/generated/elasticsearch/component/service.json
index 406a1b6035..e4567b3636 100644
--- a/experimental/generated/elasticsearch/component/service.json
+++ b/experimental/generated/elasticsearch/component/service.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html",
-    "ecs_version": "1.8.0-dev+exp"
+    "ecs_version": "1.9.0-dev+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/source.json b/experimental/generated/elasticsearch/component/source.json
index 34b49ff5ac..43edaf2f09 100644
--- a/experimental/generated/elasticsearch/component/source.json
+++ b/experimental/generated/elasticsearch/component/source.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html",
-    "ecs_version": "1.8.0-dev+exp"
+    "ecs_version": "1.9.0-dev+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/threat.json b/experimental/generated/elasticsearch/component/threat.json
index fc11a704d4..1a7e47a34b 100644
--- a/experimental/generated/elasticsearch/component/threat.json
+++ b/experimental/generated/elasticsearch/component/threat.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-threat.html",
-    "ecs_version": "1.8.0-dev+exp"
+    "ecs_version": "1.9.0-dev+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/tls.json b/experimental/generated/elasticsearch/component/tls.json
index b408cc9ef1..340e30449a 100644
--- a/experimental/generated/elasticsearch/component/tls.json
+++ b/experimental/generated/elasticsearch/component/tls.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tls.html",
-    "ecs_version": "1.8.0-dev+exp"
+    "ecs_version": "1.9.0-dev+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/tracing.json b/experimental/generated/elasticsearch/component/tracing.json
index 93d265526a..8efefe3463 100644
--- a/experimental/generated/elasticsearch/component/tracing.json
+++ b/experimental/generated/elasticsearch/component/tracing.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html",
-    "ecs_version": "1.8.0-dev+exp"
+    "ecs_version": "1.9.0-dev+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/url.json b/experimental/generated/elasticsearch/component/url.json
index 7c9d8e0f5b..29f8ee9338 100644
--- a/experimental/generated/elasticsearch/component/url.json
+++ b/experimental/generated/elasticsearch/component/url.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html",
-    "ecs_version": "1.8.0-dev+exp"
+    "ecs_version": "1.9.0-dev+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/user.json b/experimental/generated/elasticsearch/component/user.json
index b06e2205dd..85fa6d4f9e 100644
--- a/experimental/generated/elasticsearch/component/user.json
+++ b/experimental/generated/elasticsearch/component/user.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html",
-    "ecs_version": "1.8.0-dev+exp"
+    "ecs_version": "1.9.0-dev+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/user_agent.json b/experimental/generated/elasticsearch/component/user_agent.json
index 90d6220b01..a336ce44ed 100644
--- a/experimental/generated/elasticsearch/component/user_agent.json
+++ b/experimental/generated/elasticsearch/component/user_agent.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html",
-    "ecs_version": "1.8.0-dev+exp"
+    "ecs_version": "1.9.0-dev+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/vulnerability.json b/experimental/generated/elasticsearch/component/vulnerability.json
index 9b1b6c0289..a287339ab1 100644
--- a/experimental/generated/elasticsearch/component/vulnerability.json
+++ b/experimental/generated/elasticsearch/component/vulnerability.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html",
-    "ecs_version": "1.8.0-dev+exp"
+    "ecs_version": "1.9.0-dev+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/template.json b/experimental/generated/elasticsearch/template.json
index 44ea72094d..b8f252c020 100644
--- a/experimental/generated/elasticsearch/template.json
+++ b/experimental/generated/elasticsearch/template.json
@@ -1,43 +1,43 @@
 {
   "_meta": {
     "description": "Sample composable template that includes all ECS fields",
-    "ecs_version": "1.8.0-dev+exp"
+    "ecs_version": "1.9.0-dev+exp"
   },
   "composed_of": [
-    "ecs_1.8.0-dev-exp_agent",
-    "ecs_1.8.0-dev-exp_base",
-    "ecs_1.8.0-dev-exp_client",
-    "ecs_1.8.0-dev-exp_cloud",
-    "ecs_1.8.0-dev-exp_container",
-    "ecs_1.8.0-dev-exp_destination",
-    "ecs_1.8.0-dev-exp_dll",
-    "ecs_1.8.0-dev-exp_dns",
-    "ecs_1.8.0-dev-exp_ecs",
-    "ecs_1.8.0-dev-exp_error",
-    "ecs_1.8.0-dev-exp_event",
-    "ecs_1.8.0-dev-exp_file",
-    "ecs_1.8.0-dev-exp_group",
-    "ecs_1.8.0-dev-exp_host",
-    "ecs_1.8.0-dev-exp_http",
-    "ecs_1.8.0-dev-exp_log",
-    "ecs_1.8.0-dev-exp_network",
-    "ecs_1.8.0-dev-exp_observer",
-    "ecs_1.8.0-dev-exp_organization",
-    "ecs_1.8.0-dev-exp_package",
-    "ecs_1.8.0-dev-exp_process",
-    "ecs_1.8.0-dev-exp_registry",
-    "ecs_1.8.0-dev-exp_related",
-    "ecs_1.8.0-dev-exp_rule",
-    "ecs_1.8.0-dev-exp_server",
-    "ecs_1.8.0-dev-exp_service",
-    "ecs_1.8.0-dev-exp_source",
-    "ecs_1.8.0-dev-exp_threat",
-    "ecs_1.8.0-dev-exp_tls",
-    "ecs_1.8.0-dev-exp_tracing",
-    "ecs_1.8.0-dev-exp_url",
-    "ecs_1.8.0-dev-exp_user",
-    "ecs_1.8.0-dev-exp_user_agent",
-    "ecs_1.8.0-dev-exp_vulnerability"
+    "ecs_1.9.0-dev-exp_agent",
+    "ecs_1.9.0-dev-exp_base",
+    "ecs_1.9.0-dev-exp_client",
+    "ecs_1.9.0-dev-exp_cloud",
+    "ecs_1.9.0-dev-exp_container",
+    "ecs_1.9.0-dev-exp_destination",
+    "ecs_1.9.0-dev-exp_dll",
+    "ecs_1.9.0-dev-exp_dns",
+    "ecs_1.9.0-dev-exp_ecs",
+    "ecs_1.9.0-dev-exp_error",
+    "ecs_1.9.0-dev-exp_event",
+    "ecs_1.9.0-dev-exp_file",
+    "ecs_1.9.0-dev-exp_group",
+    "ecs_1.9.0-dev-exp_host",
+    "ecs_1.9.0-dev-exp_http",
+    "ecs_1.9.0-dev-exp_log",
+    "ecs_1.9.0-dev-exp_network",
+    "ecs_1.9.0-dev-exp_observer",
+    "ecs_1.9.0-dev-exp_organization",
+    "ecs_1.9.0-dev-exp_package",
+    "ecs_1.9.0-dev-exp_process",
+    "ecs_1.9.0-dev-exp_registry",
+    "ecs_1.9.0-dev-exp_related",
+    "ecs_1.9.0-dev-exp_rule",
+    "ecs_1.9.0-dev-exp_server",
+    "ecs_1.9.0-dev-exp_service",
+    "ecs_1.9.0-dev-exp_source",
+    "ecs_1.9.0-dev-exp_threat",
+    "ecs_1.9.0-dev-exp_tls",
+    "ecs_1.9.0-dev-exp_tracing",
+    "ecs_1.9.0-dev-exp_url",
+    "ecs_1.9.0-dev-exp_user",
+    "ecs_1.9.0-dev-exp_user_agent",
+    "ecs_1.9.0-dev-exp_vulnerability"
   ],
   "index_patterns": [
     "try-ecs-*"
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 1f06a65a1a..55bf39366c 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -1,5 +1,5 @@
 # WARNING! Do not edit this file directly, it was generated by the ECS project,
-# based on ECS version 1.8.0-dev.
+# based on ECS version 1.9.0-dev.
 # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields.
 
 - key: ecs
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index 374aec3e21..87ca4a70d3 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -1,724 +1,724 @@
 ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
-1.8.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated.
-1.8.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs.
-1.8.0-dev,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer.
-1.8.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event.
-1.8.0-dev,true,agent,agent.build.original,wildcard,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent.
-1.8.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent.
-1.8.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
-1.8.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
-1.8.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent.
-1.8.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
-1.8.0-dev,true,client,client.address,keyword,extended,,,Client network address.
-1.8.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.8.0-dev,true,client,client.as.organization.name,wildcard,extended,,Google LLC,Organization name.
-1.8.0-dev,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.8.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server.
-1.8.0-dev,true,client,client.domain,wildcard,core,,,Client domain.
-1.8.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name.
-1.8.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.8.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.8.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name.
-1.8.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.8.0-dev,true,client,client.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
-1.8.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.8.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name.
-1.8.0-dev,true,client,client.ip,ip,core,,,IP address of the client.
-1.8.0-dev,true,client,client.mac,keyword,core,,,MAC address of the client.
-1.8.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address
-1.8.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port
-1.8.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server.
-1.8.0-dev,true,client,client.port,long,core,,,Port of the client.
-1.8.0-dev,true,client,client.registered_domain,wildcard,extended,,example.com,"The highest registered client domain, stripped of the subdomain."
-1.8.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain.
-1.8.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.8.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev,true,client,client.user.email,wildcard,extended,,,User email address.
-1.8.0-dev,true,client,client.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.8.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.8.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group.
-1.8.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.8.0-dev,true,client,client.user.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,client,client.user.name,wildcard,core,,albert,Short name or login of the user.
-1.8.0-dev,true,client,client.user.name.text,text,core,,albert,Short name or login of the user.
-1.8.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.8.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id.
-1.8.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name.
-1.8.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running.
-1.8.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
-1.8.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine.
-1.8.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
-1.8.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id.
-1.8.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name.
-1.8.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider.
-1.8.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running.
-1.8.0-dev,true,container,container.id,keyword,core,,,Unique container id.
-1.8.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on.
-1.8.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags.
-1.8.0-dev,true,container,container.labels,object,extended,,,Image labels.
-1.8.0-dev,true,container,container.name,keyword,extended,,,Container name.
-1.8.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container.
-1.8.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address.
-1.8.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.8.0-dev,true,destination,destination.as.organization.name,wildcard,extended,,Google LLC,Organization name.
-1.8.0-dev,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.8.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source.
-1.8.0-dev,true,destination,destination.domain,wildcard,core,,,Destination domain.
-1.8.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name.
-1.8.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.8.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.8.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name.
-1.8.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.8.0-dev,true,destination,destination.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
-1.8.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.8.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name.
-1.8.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination.
-1.8.0-dev,true,destination,destination.mac,keyword,core,,,MAC address of the destination.
-1.8.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip
-1.8.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port
-1.8.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source.
-1.8.0-dev,true,destination,destination.port,long,core,,,Port of the destination.
-1.8.0-dev,true,destination,destination.registered_domain,wildcard,extended,,example.com,"The highest registered destination domain, stripped of the subdomain."
-1.8.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain.
-1.8.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.8.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev,true,destination,destination.user.email,wildcard,extended,,,User email address.
-1.8.0-dev,true,destination,destination.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.8.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.8.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group.
-1.8.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.8.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,destination,destination.user.name,wildcard,core,,albert,Short name or login of the user.
-1.8.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user.
-1.8.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.8.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-1.8.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-1.8.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-1.8.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-1.8.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.8.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash.
-1.8.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash.
-1.8.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash.
-1.8.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash.
-1.8.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library.
-1.8.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library.
-1.8.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-1.8.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-1.8.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-1.8.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-1.8.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.8.0-dev,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-1.8.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-1.8.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers.
-1.8.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record.
-1.8.0-dev,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource.
-1.8.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains.
-1.8.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded.
-1.8.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record.
-1.8.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags.
-1.8.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
-1.8.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message.
-1.8.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried.
-1.8.0-dev,true,dns,dns.question.name,wildcard,extended,,www.example.com,The name being queried.
-1.8.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain."
-1.8.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain.
-1.8.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.8.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried.
-1.8.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data
-1.8.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code.
-1.8.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer."
-1.8.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
-1.8.0-dev,true,error,error.code,keyword,core,,,Error code describing the error.
-1.8.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error.
-1.8.0-dev,true,error,error.message,text,core,,,Error message.
-1.8.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text.
-1.8.0-dev,true,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text.
-1.8.0-dev,true,error,error.type,wildcard,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception."
-1.8.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event.
-1.8.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy.
-1.8.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event.
-1.8.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline.
-1.8.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset.
-1.8.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds.
-1.8.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed.
-1.8.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
-1.8.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event.
-1.8.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store.
-1.8.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy.
-1.8.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from.
-1.8.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124; worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event.
-1.8.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy.
-1.8.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event.
-1.8.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source"
-1.8.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL
-1.8.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
-1.8.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100).
-1.8.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event.
-1.8.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event.
-1.8.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed.
-1.8.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone.
-1.8.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy.
-1.8.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL
-1.8.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed.
-1.8.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
-1.8.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-1.8.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-1.8.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-1.8.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-1.8.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.8.0-dev,true,file,file.created,date,extended,,,File creation time.
-1.8.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed.
-1.8.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file.
-1.8.0-dev,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located.
-1.8.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
-1.8.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
-1.8.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
-1.8.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file.
-1.8.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash.
-1.8.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash.
-1.8.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash.
-1.8.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash.
-1.8.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
-1.8.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
-1.8.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation.
-1.8.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified.
-1.8.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
-1.8.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username.
-1.8.0-dev,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name."
-1.8.0-dev,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
-1.8.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-1.8.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-1.8.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-1.8.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-1.8.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.8.0-dev,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-1.8.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-1.8.0-dev,true,file,file.size,long,extended,,16384,File size in bytes.
-1.8.0-dev,true,file,file.target_path,wildcard,extended,,,Target path for symlinks.
-1.8.0-dev,true,file,file.target_path.text,text,extended,,,Target path for symlinks.
-1.8.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
-1.8.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
-1.8.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
-1.8.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
-1.8.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-1.8.0-dev,true,file,file.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
-1.8.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
-1.8.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
-1.8.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
-1.8.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.8.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
-1.8.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
-1.8.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
-1.8.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-1.8.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
-1.8.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
-1.8.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
-1.8.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
-1.8.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
-1.8.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code
-1.8.0-dev,true,file,file.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
-1.8.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
-1.8.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
-1.8.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
-1.8.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.8.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format.
-1.8.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.8.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.8.0-dev,true,group,group.name,keyword,extended,,,Name of the group.
-1.8.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture.
-1.8.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of.
-1.8.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name.
-1.8.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.8.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.8.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name.
-1.8.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.8.0-dev,true,host,host.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
-1.8.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.8.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name.
-1.8.0-dev,true,host,host.hostname,wildcard,core,,,Hostname of the host.
-1.8.0-dev,true,host,host.id,keyword,core,,,Unique host id.
-1.8.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses.
-1.8.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses.
-1.8.0-dev,true,host,host.name,keyword,core,,,Name of the host.
-1.8.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.8.0-dev,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.8.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.8.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.8.0-dev,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
-1.8.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
-1.8.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
-1.8.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
-1.8.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
-1.8.0-dev,true,host,host.type,keyword,core,,,Type of host.
-1.8.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up.
-1.8.0-dev,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev,true,host,host.user.email,wildcard,extended,,,User email address.
-1.8.0-dev,true,host,host.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.8.0-dev,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.8.0-dev,true,host,host.user.group.name,keyword,extended,,,Name of the group.
-1.8.0-dev,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.8.0-dev,true,host,host.user.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,host,host.user.name,wildcard,core,,albert,Short name or login of the user.
-1.8.0-dev,true,host,host.user.name.text,text,core,,albert,Short name or login of the user.
-1.8.0-dev,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.8.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body.
-1.8.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body.
-1.8.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body.
-1.8.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers).
-1.8.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method.
-1.8.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request.
-1.8.0-dev,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request.
-1.8.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body.
-1.8.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body.
-1.8.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body.
-1.8.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers).
-1.8.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response.
-1.8.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code.
-1.8.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version.
-1.8.0-dev,true,log,log.file.path,wildcard,extended,,/var/log/fun-times.log,Full path to the log file this event came from.
-1.8.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event.
-1.8.0-dev,true,log,log.logger,wildcard,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger.
-1.8.0-dev,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event.
-1.8.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event.
-1.8.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event.
-1.8.0-dev,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)."
-1.8.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata
-1.8.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event.
-1.8.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event.
-1.8.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event.
-1.8.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event.
-1.8.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event.
-1.8.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name.
-1.8.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions.
-1.8.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports.
-1.8.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic.
-1.8.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy.
-1.8.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number.
-1.8.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information
-1.8.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-1.8.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-1.8.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network.
-1.8.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions.
-1.8.0-dev,true,network,network.protocol,keyword,core,,http,L7 Network protocol name.
-1.8.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`.
-1.8.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc"
-1.8.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-1.8.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-1.8.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information
-1.8.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias
-1.8.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID
-1.8.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name
-1.8.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-1.8.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-1.8.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone
-1.8.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name.
-1.8.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.8.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.8.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name.
-1.8.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.8.0-dev,true,observer,observer.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
-1.8.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.8.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name.
-1.8.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer.
-1.8.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information
-1.8.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias
-1.8.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID
-1.8.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name
-1.8.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-1.8.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-1.8.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone
-1.8.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer.
-1.8.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer
-1.8.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer.
-1.8.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.8.0-dev,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.8.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.8.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.8.0-dev,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
-1.8.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
-1.8.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
-1.8.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
-1.8.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
-1.8.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer.
-1.8.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number.
-1.8.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from.
-1.8.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer.
-1.8.0-dev,true,observer,observer.version,keyword,core,,,Observer version.
-1.8.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization.
-1.8.0-dev,true,organization,organization.name,wildcard,extended,,,Organization name.
-1.8.0-dev,true,organization,organization.name.text,text,extended,,,Organization name.
-1.8.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture.
-1.8.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information
-1.8.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification.
-1.8.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package.
-1.8.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global."
-1.8.0-dev,true,package,package.installed,date,extended,,,Time when package was installed.
-1.8.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license
-1.8.0-dev,true,package,package.name,keyword,extended,,go,Package name
-1.8.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed.
-1.8.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL
-1.8.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes.
-1.8.0-dev,true,package,package.type,keyword,extended,,rpm,Package type
-1.8.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version
-1.8.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
-1.8.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array.
-1.8.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-1.8.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-1.8.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-1.8.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-1.8.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.8.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-1.8.0-dev,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-1.8.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-1.8.0-dev,true,process,process.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable.
-1.8.0-dev,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
-1.8.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process.
-1.8.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash.
-1.8.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash.
-1.8.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash.
-1.8.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash.
-1.8.0-dev,true,process,process.name,wildcard,extended,,ssh,Process name.
-1.8.0-dev,true,process,process.name.text,text,extended,,ssh,Process name.
-1.8.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
-1.8.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
-1.8.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-1.8.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-1.8.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-1.8.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-1.8.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.8.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-1.8.0-dev,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-1.8.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-1.8.0-dev,true,process,process.parent.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable.
-1.8.0-dev,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
-1.8.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process.
-1.8.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash.
-1.8.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash.
-1.8.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash.
-1.8.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash.
-1.8.0-dev,true,process,process.parent.name,wildcard,extended,,ssh,Process name.
-1.8.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name.
-1.8.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-1.8.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-1.8.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-1.8.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-1.8.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.8.0-dev,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-1.8.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-1.8.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
-1.8.0-dev,true,process,process.parent.pid,long,core,,4242,Process id.
-1.8.0-dev,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid.
-1.8.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
-1.8.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID.
-1.8.0-dev,true,process,process.parent.thread.name,wildcard,extended,,thread-0,Thread name.
-1.8.0-dev,true,process,process.parent.title,wildcard,extended,,,Process title.
-1.8.0-dev,true,process,process.parent.title.text,text,extended,,,Process title.
-1.8.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up.
-1.8.0-dev,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process.
-1.8.0-dev,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process.
-1.8.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-1.8.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-1.8.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-1.8.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-1.8.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.8.0-dev,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-1.8.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-1.8.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
-1.8.0-dev,true,process,process.pid,long,core,,4242,Process id.
-1.8.0-dev,true,process,process.ppid,long,extended,,4241,Parent process' pid.
-1.8.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
-1.8.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID.
-1.8.0-dev,true,process,process.thread.name,wildcard,extended,,thread-0,Thread name.
-1.8.0-dev,true,process,process.title,wildcard,extended,,,Process title.
-1.8.0-dev,true,process,process.title.text,text,extended,,,Process title.
-1.8.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up.
-1.8.0-dev,true,process,process.working_directory,wildcard,extended,,/home/alice,The working directory of the process.
-1.8.0-dev,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process.
-1.8.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
-1.8.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
-1.8.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
-1.8.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
-1.8.0-dev,true,registry,registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
-1.8.0-dev,true,registry,registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
-1.8.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written.
-1.8.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event.
-1.8.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event.
-1.8.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event.
-1.8.0-dev,true,related,related.user,keyword,extended,array,,All the user names seen on your event.
-1.8.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author
-1.8.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category
-1.8.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description
-1.8.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID
-1.8.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license
-1.8.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name
-1.8.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL
-1.8.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset
-1.8.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID
-1.8.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version
-1.8.0-dev,true,server,server.address,keyword,extended,,,Server network address.
-1.8.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.8.0-dev,true,server,server.as.organization.name,wildcard,extended,,Google LLC,Organization name.
-1.8.0-dev,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.8.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client.
-1.8.0-dev,true,server,server.domain,wildcard,core,,,Server domain.
-1.8.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name.
-1.8.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.8.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.8.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name.
-1.8.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.8.0-dev,true,server,server.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
-1.8.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.8.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name.
-1.8.0-dev,true,server,server.ip,ip,core,,,IP address of the server.
-1.8.0-dev,true,server,server.mac,keyword,core,,,MAC address of the server.
-1.8.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip
-1.8.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port
-1.8.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client.
-1.8.0-dev,true,server,server.port,long,core,,,Port of the server.
-1.8.0-dev,true,server,server.registered_domain,wildcard,extended,,example.com,"The highest registered server domain, stripped of the subdomain."
-1.8.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain.
-1.8.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.8.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev,true,server,server.user.email,wildcard,extended,,,User email address.
-1.8.0-dev,true,server,server.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.8.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.8.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group.
-1.8.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.8.0-dev,true,server,server.user.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,server,server.user.name,wildcard,core,,albert,Short name or login of the user.
-1.8.0-dev,true,server,server.user.name.text,text,core,,albert,Short name or login of the user.
-1.8.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.8.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
-1.8.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
-1.8.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service.
-1.8.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node.
-1.8.0-dev,true,service,service.state,keyword,core,,,Current state of the service.
-1.8.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service.
-1.8.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service.
-1.8.0-dev,true,source,source.address,keyword,extended,,,Source network address.
-1.8.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.8.0-dev,true,source,source.as.organization.name,wildcard,extended,,Google LLC,Organization name.
-1.8.0-dev,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.8.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination.
-1.8.0-dev,true,source,source.domain,wildcard,core,,,Source domain.
-1.8.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name.
-1.8.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.8.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.8.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name.
-1.8.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.8.0-dev,true,source,source.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
-1.8.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.8.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name.
-1.8.0-dev,true,source,source.ip,ip,core,,,IP address of the source.
-1.8.0-dev,true,source,source.mac,keyword,core,,,MAC address of the source.
-1.8.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip
-1.8.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port
-1.8.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination.
-1.8.0-dev,true,source,source.port,long,core,,,Port of the source.
-1.8.0-dev,true,source,source.registered_domain,wildcard,extended,,example.com,"The highest registered source domain, stripped of the subdomain."
-1.8.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain.
-1.8.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.8.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev,true,source,source.user.email,wildcard,extended,,,User email address.
-1.8.0-dev,true,source,source.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.8.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.8.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group.
-1.8.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.8.0-dev,true,source,source.user.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,source,source.user.name,wildcard,core,,albert,Short name or login of the user.
-1.8.0-dev,true,source,source.user.name.text,text,core,,albert,Short name or login of the user.
-1.8.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.8.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace.
-1.8.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework.
-1.8.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id.
-1.8.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic.
-1.8.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference.
-1.8.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id.
-1.8.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name.
-1.8.0-dev,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name.
-1.8.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference.
-1.8.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id.
-1.8.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name.
-1.8.0-dev,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name.
-1.8.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference.
-1.8.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection.
-1.8.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client.
-1.8.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client.
-1.8.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client.
-1.8.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client.
-1.8.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client.
-1.8.0-dev,true,tls,tls.client.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
-1.8.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake.
-1.8.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid.
-1.8.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid.
-1.8.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI.
-1.8.0-dev,true,tls,tls.client.subject,wildcard,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client.
-1.8.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello.
-1.8.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
-1.8.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
-1.8.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-1.8.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
-1.8.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
-1.8.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
-1.8.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
-1.8.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.8.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
-1.8.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
-1.8.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
-1.8.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-1.8.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
-1.8.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
-1.8.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
-1.8.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
-1.8.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
-1.8.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code
-1.8.0-dev,true,tls,tls.client.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
-1.8.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
-1.8.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
-1.8.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
-1.8.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.8.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format.
-1.8.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable."
-1.8.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
-1.8.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled.
-1.8.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
-1.8.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server.
-1.8.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server.
-1.8.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server.
-1.8.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server.
-1.8.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server.
-1.8.0-dev,true,tls,tls.server.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server.
-1.8.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake.
-1.8.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid.
-1.8.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid.
-1.8.0-dev,true,tls,tls.server.subject,wildcard,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server.
-1.8.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
-1.8.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
-1.8.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-1.8.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
-1.8.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
-1.8.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
-1.8.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
-1.8.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.8.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
-1.8.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
-1.8.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
-1.8.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-1.8.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
-1.8.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
-1.8.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
-1.8.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
-1.8.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
-1.8.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code
-1.8.0-dev,true,tls,tls.server.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
-1.8.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
-1.8.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
-1.8.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
-1.8.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.8.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format.
-1.8.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string.
-1.8.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string.
-1.8.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace.
-1.8.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace.
-1.8.0-dev,true,url,url.domain,wildcard,extended,,www.elastic.co,Domain of the url.
-1.8.0-dev,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
-1.8.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`.
-1.8.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-1.8.0-dev,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-1.8.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
-1.8.0-dev,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
-1.8.0-dev,true,url,url.password,keyword,extended,,,Password of the request.
-1.8.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
-1.8.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443."
-1.8.0-dev,true,url,url.query,keyword,extended,,,Query string of the request.
-1.8.0-dev,true,url,url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
-1.8.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url.
-1.8.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain.
-1.8.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.8.0-dev,true,url,url.username,keyword,extended,,,Username of the request.
-1.8.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev,true,user,user.changes.email,wildcard,extended,,,User email address.
-1.8.0-dev,true,user,user.changes.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.8.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.8.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group.
-1.8.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.8.0-dev,true,user,user.changes.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,user,user.changes.name,wildcard,core,,albert,Short name or login of the user.
-1.8.0-dev,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user.
-1.8.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.8.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev,true,user,user.effective.email,wildcard,extended,,,User email address.
-1.8.0-dev,true,user,user.effective.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.8.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.8.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group.
-1.8.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.8.0-dev,true,user,user.effective.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,user,user.effective.name,wildcard,core,,albert,Short name or login of the user.
-1.8.0-dev,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user.
-1.8.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.8.0-dev,true,user,user.email,wildcard,extended,,,User email address.
-1.8.0-dev,true,user,user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.8.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.8.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group.
-1.8.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.8.0-dev,true,user,user.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,user,user.name,wildcard,core,,albert,Short name or login of the user.
-1.8.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user.
-1.8.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.8.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev,true,user,user.target.email,wildcard,extended,,,User email address.
-1.8.0-dev,true,user,user.target.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.8.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.8.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.8.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group.
-1.8.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.8.0-dev,true,user,user.target.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,user,user.target.name,wildcard,core,,albert,Short name or login of the user.
-1.8.0-dev,true,user,user.target.name.text,text,core,,albert,Short name or login of the user.
-1.8.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.8.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device.
-1.8.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
-1.8.0-dev,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
-1.8.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
-1.8.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.8.0-dev,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.8.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.8.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.8.0-dev,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
-1.8.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
-1.8.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
-1.8.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
-1.8.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
-1.8.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent.
-1.8.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability.
-1.8.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability.
-1.8.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
-1.8.0-dev,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
-1.8.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability.
-1.8.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability.
-1.8.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability.
-1.8.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number.
-1.8.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor.
-1.8.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score.
-1.8.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score.
-1.8.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score.
-1.8.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version.
-1.8.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability.
+1.9.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated.
+1.9.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs.
+1.9.0-dev,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer.
+1.9.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event.
+1.9.0-dev,true,agent,agent.build.original,wildcard,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent.
+1.9.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent.
+1.9.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
+1.9.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
+1.9.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent.
+1.9.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
+1.9.0-dev,true,client,client.address,keyword,extended,,,Client network address.
+1.9.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.9.0-dev,true,client,client.as.organization.name,wildcard,extended,,Google LLC,Organization name.
+1.9.0-dev,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.9.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server.
+1.9.0-dev,true,client,client.domain,wildcard,core,,,Client domain.
+1.9.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.9.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.9.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name.
+1.9.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.9.0-dev,true,client,client.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.9.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.9.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0-dev,true,client,client.ip,ip,core,,,IP address of the client.
+1.9.0-dev,true,client,client.mac,keyword,core,,,MAC address of the client.
+1.9.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address
+1.9.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port
+1.9.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server.
+1.9.0-dev,true,client,client.port,long,core,,,Port of the client.
+1.9.0-dev,true,client,client.registered_domain,wildcard,extended,,example.com,"The highest registered client domain, stripped of the subdomain."
+1.9.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.9.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.9.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.9.0-dev,true,client,client.user.email,wildcard,extended,,,User email address.
+1.9.0-dev,true,client,client.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group.
+1.9.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.9.0-dev,true,client,client.user.id,keyword,core,,,Unique identifier of the user.
+1.9.0-dev,true,client,client.user.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0-dev,true,client,client.user.name.text,text,core,,albert,Short name or login of the user.
+1.9.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.9.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id.
+1.9.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name.
+1.9.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running.
+1.9.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
+1.9.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine.
+1.9.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
+1.9.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id.
+1.9.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name.
+1.9.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider.
+1.9.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running.
+1.9.0-dev,true,container,container.id,keyword,core,,,Unique container id.
+1.9.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on.
+1.9.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags.
+1.9.0-dev,true,container,container.labels,object,extended,,,Image labels.
+1.9.0-dev,true,container,container.name,keyword,extended,,,Container name.
+1.9.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container.
+1.9.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address.
+1.9.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.9.0-dev,true,destination,destination.as.organization.name,wildcard,extended,,Google LLC,Organization name.
+1.9.0-dev,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.9.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source.
+1.9.0-dev,true,destination,destination.domain,wildcard,core,,,Destination domain.
+1.9.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.9.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.9.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name.
+1.9.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.9.0-dev,true,destination,destination.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.9.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.9.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination.
+1.9.0-dev,true,destination,destination.mac,keyword,core,,,MAC address of the destination.
+1.9.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip
+1.9.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port
+1.9.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source.
+1.9.0-dev,true,destination,destination.port,long,core,,,Port of the destination.
+1.9.0-dev,true,destination,destination.registered_domain,wildcard,extended,,example.com,"The highest registered destination domain, stripped of the subdomain."
+1.9.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.9.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.9.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.9.0-dev,true,destination,destination.user.email,wildcard,extended,,,User email address.
+1.9.0-dev,true,destination,destination.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group.
+1.9.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.9.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user.
+1.9.0-dev,true,destination,destination.user.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user.
+1.9.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.9.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.9.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.9.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.9.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.9.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.9.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash.
+1.9.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash.
+1.9.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash.
+1.9.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash.
+1.9.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library.
+1.9.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library.
+1.9.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.9.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.9.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.9.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.9.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.9.0-dev,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.9.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.9.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers.
+1.9.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record.
+1.9.0-dev,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource.
+1.9.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains.
+1.9.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded.
+1.9.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record.
+1.9.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags.
+1.9.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
+1.9.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message.
+1.9.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried.
+1.9.0-dev,true,dns,dns.question.name,wildcard,extended,,www.example.com,The name being queried.
+1.9.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain."
+1.9.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain.
+1.9.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.9.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried.
+1.9.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data
+1.9.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code.
+1.9.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer."
+1.9.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
+1.9.0-dev,true,error,error.code,keyword,core,,,Error code describing the error.
+1.9.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error.
+1.9.0-dev,true,error,error.message,text,core,,,Error message.
+1.9.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text.
+1.9.0-dev,true,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text.
+1.9.0-dev,true,error,error.type,wildcard,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception."
+1.9.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event.
+1.9.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy.
+1.9.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event.
+1.9.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline.
+1.9.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset.
+1.9.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds.
+1.9.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed.
+1.9.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
+1.9.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event.
+1.9.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store.
+1.9.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy.
+1.9.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from.
+1.9.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124; worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event.
+1.9.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy.
+1.9.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event.
+1.9.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source"
+1.9.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL
+1.9.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
+1.9.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100).
+1.9.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event.
+1.9.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event.
+1.9.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed.
+1.9.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone.
+1.9.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy.
+1.9.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL
+1.9.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed.
+1.9.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
+1.9.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.9.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.9.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.9.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.9.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.9.0-dev,true,file,file.created,date,extended,,,File creation time.
+1.9.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed.
+1.9.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file.
+1.9.0-dev,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located.
+1.9.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
+1.9.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
+1.9.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
+1.9.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file.
+1.9.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash.
+1.9.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash.
+1.9.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash.
+1.9.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash.
+1.9.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
+1.9.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
+1.9.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation.
+1.9.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified.
+1.9.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
+1.9.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username.
+1.9.0-dev,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+1.9.0-dev,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+1.9.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.9.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.9.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.9.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.9.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.9.0-dev,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.9.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.9.0-dev,true,file,file.size,long,extended,,16384,File size in bytes.
+1.9.0-dev,true,file,file.target_path,wildcard,extended,,,Target path for symlinks.
+1.9.0-dev,true,file,file.target_path.text,text,extended,,,Target path for symlinks.
+1.9.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
+1.9.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
+1.9.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+1.9.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+1.9.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+1.9.0-dev,true,file,file.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.9.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+1.9.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+1.9.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+1.9.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.9.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+1.9.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+1.9.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+1.9.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+1.9.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+1.9.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+1.9.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+1.9.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+1.9.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+1.9.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code
+1.9.0-dev,true,file,file.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.9.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+1.9.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+1.9.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+1.9.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.9.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format.
+1.9.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0-dev,true,group,group.name,keyword,extended,,,Name of the group.
+1.9.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture.
+1.9.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of.
+1.9.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.9.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.9.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name.
+1.9.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.9.0-dev,true,host,host.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.9.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.9.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0-dev,true,host,host.hostname,wildcard,core,,,Hostname of the host.
+1.9.0-dev,true,host,host.id,keyword,core,,,Unique host id.
+1.9.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses.
+1.9.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses.
+1.9.0-dev,true,host,host.name,keyword,core,,,Name of the host.
+1.9.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+1.9.0-dev,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.9.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.9.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+1.9.0-dev,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
+1.9.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
+1.9.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+1.9.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
+1.9.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+1.9.0-dev,true,host,host.type,keyword,core,,,Type of host.
+1.9.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up.
+1.9.0-dev,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.9.0-dev,true,host,host.user.email,wildcard,extended,,,User email address.
+1.9.0-dev,true,host,host.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0-dev,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0-dev,true,host,host.user.group.name,keyword,extended,,,Name of the group.
+1.9.0-dev,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.9.0-dev,true,host,host.user.id,keyword,core,,,Unique identifier of the user.
+1.9.0-dev,true,host,host.user.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0-dev,true,host,host.user.name.text,text,core,,albert,Short name or login of the user.
+1.9.0-dev,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.9.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body.
+1.9.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body.
+1.9.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body.
+1.9.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers).
+1.9.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method.
+1.9.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request.
+1.9.0-dev,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request.
+1.9.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body.
+1.9.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body.
+1.9.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body.
+1.9.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers).
+1.9.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response.
+1.9.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code.
+1.9.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version.
+1.9.0-dev,true,log,log.file.path,wildcard,extended,,/var/log/fun-times.log,Full path to the log file this event came from.
+1.9.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event.
+1.9.0-dev,true,log,log.logger,wildcard,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger.
+1.9.0-dev,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event.
+1.9.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event.
+1.9.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event.
+1.9.0-dev,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)."
+1.9.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata
+1.9.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event.
+1.9.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event.
+1.9.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event.
+1.9.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event.
+1.9.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event.
+1.9.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name.
+1.9.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions.
+1.9.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports.
+1.9.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic.
+1.9.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy.
+1.9.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number.
+1.9.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information
+1.9.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+1.9.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+1.9.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network.
+1.9.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions.
+1.9.0-dev,true,network,network.protocol,keyword,core,,http,L7 Network protocol name.
+1.9.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`.
+1.9.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc"
+1.9.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+1.9.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+1.9.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information
+1.9.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias
+1.9.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID
+1.9.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name
+1.9.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+1.9.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+1.9.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone
+1.9.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.9.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.9.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name.
+1.9.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.9.0-dev,true,observer,observer.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.9.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.9.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer.
+1.9.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information
+1.9.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias
+1.9.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID
+1.9.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name
+1.9.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+1.9.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+1.9.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone
+1.9.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer.
+1.9.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer
+1.9.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer.
+1.9.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+1.9.0-dev,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.9.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.9.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+1.9.0-dev,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
+1.9.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
+1.9.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+1.9.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
+1.9.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+1.9.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer.
+1.9.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number.
+1.9.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from.
+1.9.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer.
+1.9.0-dev,true,observer,observer.version,keyword,core,,,Observer version.
+1.9.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization.
+1.9.0-dev,true,organization,organization.name,wildcard,extended,,,Organization name.
+1.9.0-dev,true,organization,organization.name.text,text,extended,,,Organization name.
+1.9.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture.
+1.9.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information
+1.9.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification.
+1.9.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package.
+1.9.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global."
+1.9.0-dev,true,package,package.installed,date,extended,,,Time when package was installed.
+1.9.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license
+1.9.0-dev,true,package,package.name,keyword,extended,,go,Package name
+1.9.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed.
+1.9.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL
+1.9.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes.
+1.9.0-dev,true,package,package.type,keyword,extended,,rpm,Package type
+1.9.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version
+1.9.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
+1.9.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array.
+1.9.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.9.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.9.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.9.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.9.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.9.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.9.0-dev,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.9.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
+1.9.0-dev,true,process,process.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.9.0-dev,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.9.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process.
+1.9.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash.
+1.9.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash.
+1.9.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash.
+1.9.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash.
+1.9.0-dev,true,process,process.name,wildcard,extended,,ssh,Process name.
+1.9.0-dev,true,process,process.name.text,text,extended,,ssh,Process name.
+1.9.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
+1.9.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
+1.9.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.9.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.9.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.9.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.9.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.9.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.9.0-dev,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.9.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
+1.9.0-dev,true,process,process.parent.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.9.0-dev,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.9.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process.
+1.9.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash.
+1.9.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash.
+1.9.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash.
+1.9.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash.
+1.9.0-dev,true,process,process.parent.name,wildcard,extended,,ssh,Process name.
+1.9.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name.
+1.9.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.9.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.9.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.9.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.9.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.9.0-dev,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.9.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.9.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
+1.9.0-dev,true,process,process.parent.pid,long,core,,4242,Process id.
+1.9.0-dev,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid.
+1.9.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
+1.9.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID.
+1.9.0-dev,true,process,process.parent.thread.name,wildcard,extended,,thread-0,Thread name.
+1.9.0-dev,true,process,process.parent.title,wildcard,extended,,,Process title.
+1.9.0-dev,true,process,process.parent.title.text,text,extended,,,Process title.
+1.9.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up.
+1.9.0-dev,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process.
+1.9.0-dev,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process.
+1.9.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.9.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.9.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.9.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.9.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.9.0-dev,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.9.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.9.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
+1.9.0-dev,true,process,process.pid,long,core,,4242,Process id.
+1.9.0-dev,true,process,process.ppid,long,extended,,4241,Parent process' pid.
+1.9.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
+1.9.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID.
+1.9.0-dev,true,process,process.thread.name,wildcard,extended,,thread-0,Thread name.
+1.9.0-dev,true,process,process.title,wildcard,extended,,,Process title.
+1.9.0-dev,true,process,process.title.text,text,extended,,,Process title.
+1.9.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up.
+1.9.0-dev,true,process,process.working_directory,wildcard,extended,,/home/alice,The working directory of the process.
+1.9.0-dev,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process.
+1.9.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
+1.9.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
+1.9.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
+1.9.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
+1.9.0-dev,true,registry,registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
+1.9.0-dev,true,registry,registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
+1.9.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written.
+1.9.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event.
+1.9.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event.
+1.9.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event.
+1.9.0-dev,true,related,related.user,keyword,extended,array,,All the user names seen on your event.
+1.9.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author
+1.9.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category
+1.9.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description
+1.9.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID
+1.9.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license
+1.9.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name
+1.9.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL
+1.9.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset
+1.9.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID
+1.9.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version
+1.9.0-dev,true,server,server.address,keyword,extended,,,Server network address.
+1.9.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.9.0-dev,true,server,server.as.organization.name,wildcard,extended,,Google LLC,Organization name.
+1.9.0-dev,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.9.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client.
+1.9.0-dev,true,server,server.domain,wildcard,core,,,Server domain.
+1.9.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.9.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.9.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name.
+1.9.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.9.0-dev,true,server,server.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.9.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.9.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0-dev,true,server,server.ip,ip,core,,,IP address of the server.
+1.9.0-dev,true,server,server.mac,keyword,core,,,MAC address of the server.
+1.9.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip
+1.9.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port
+1.9.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client.
+1.9.0-dev,true,server,server.port,long,core,,,Port of the server.
+1.9.0-dev,true,server,server.registered_domain,wildcard,extended,,example.com,"The highest registered server domain, stripped of the subdomain."
+1.9.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.9.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.9.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.9.0-dev,true,server,server.user.email,wildcard,extended,,,User email address.
+1.9.0-dev,true,server,server.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group.
+1.9.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.9.0-dev,true,server,server.user.id,keyword,core,,,Unique identifier of the user.
+1.9.0-dev,true,server,server.user.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0-dev,true,server,server.user.name.text,text,core,,albert,Short name or login of the user.
+1.9.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.9.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
+1.9.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
+1.9.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service.
+1.9.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node.
+1.9.0-dev,true,service,service.state,keyword,core,,,Current state of the service.
+1.9.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service.
+1.9.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service.
+1.9.0-dev,true,source,source.address,keyword,extended,,,Source network address.
+1.9.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.9.0-dev,true,source,source.as.organization.name,wildcard,extended,,Google LLC,Organization name.
+1.9.0-dev,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.9.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination.
+1.9.0-dev,true,source,source.domain,wildcard,core,,,Source domain.
+1.9.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.9.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.9.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name.
+1.9.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.9.0-dev,true,source,source.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.9.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.9.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0-dev,true,source,source.ip,ip,core,,,IP address of the source.
+1.9.0-dev,true,source,source.mac,keyword,core,,,MAC address of the source.
+1.9.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip
+1.9.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port
+1.9.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination.
+1.9.0-dev,true,source,source.port,long,core,,,Port of the source.
+1.9.0-dev,true,source,source.registered_domain,wildcard,extended,,example.com,"The highest registered source domain, stripped of the subdomain."
+1.9.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.9.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.9.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.9.0-dev,true,source,source.user.email,wildcard,extended,,,User email address.
+1.9.0-dev,true,source,source.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group.
+1.9.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.9.0-dev,true,source,source.user.id,keyword,core,,,Unique identifier of the user.
+1.9.0-dev,true,source,source.user.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0-dev,true,source,source.user.name.text,text,core,,albert,Short name or login of the user.
+1.9.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.9.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace.
+1.9.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework.
+1.9.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id.
+1.9.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic.
+1.9.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference.
+1.9.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id.
+1.9.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name.
+1.9.0-dev,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name.
+1.9.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference.
+1.9.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id.
+1.9.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name.
+1.9.0-dev,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name.
+1.9.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference.
+1.9.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection.
+1.9.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client.
+1.9.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client.
+1.9.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client.
+1.9.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client.
+1.9.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client.
+1.9.0-dev,true,tls,tls.client.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
+1.9.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake.
+1.9.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid.
+1.9.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid.
+1.9.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI.
+1.9.0-dev,true,tls,tls.client.subject,wildcard,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client.
+1.9.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello.
+1.9.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+1.9.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+1.9.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+1.9.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.9.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+1.9.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+1.9.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+1.9.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.9.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+1.9.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+1.9.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+1.9.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+1.9.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+1.9.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+1.9.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+1.9.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+1.9.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+1.9.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code
+1.9.0-dev,true,tls,tls.client.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.9.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+1.9.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+1.9.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+1.9.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.9.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format.
+1.9.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable."
+1.9.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
+1.9.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled.
+1.9.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
+1.9.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server.
+1.9.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server.
+1.9.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server.
+1.9.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server.
+1.9.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server.
+1.9.0-dev,true,tls,tls.server.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server.
+1.9.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake.
+1.9.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid.
+1.9.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid.
+1.9.0-dev,true,tls,tls.server.subject,wildcard,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server.
+1.9.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+1.9.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+1.9.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+1.9.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.9.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+1.9.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+1.9.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+1.9.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.9.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+1.9.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+1.9.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+1.9.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+1.9.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+1.9.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+1.9.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+1.9.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+1.9.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+1.9.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code
+1.9.0-dev,true,tls,tls.server.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.9.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+1.9.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+1.9.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+1.9.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.9.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format.
+1.9.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string.
+1.9.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string.
+1.9.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace.
+1.9.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace.
+1.9.0-dev,true,url,url.domain,wildcard,extended,,www.elastic.co,Domain of the url.
+1.9.0-dev,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
+1.9.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`.
+1.9.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+1.9.0-dev,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+1.9.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+1.9.0-dev,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+1.9.0-dev,true,url,url.password,keyword,extended,,,Password of the request.
+1.9.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
+1.9.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443."
+1.9.0-dev,true,url,url.query,keyword,extended,,,Query string of the request.
+1.9.0-dev,true,url,url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
+1.9.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url.
+1.9.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.9.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.9.0-dev,true,url,url.username,keyword,extended,,,Username of the request.
+1.9.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.9.0-dev,true,user,user.changes.email,wildcard,extended,,,User email address.
+1.9.0-dev,true,user,user.changes.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group.
+1.9.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.9.0-dev,true,user,user.changes.id,keyword,core,,,Unique identifier of the user.
+1.9.0-dev,true,user,user.changes.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0-dev,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user.
+1.9.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.9.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.9.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.9.0-dev,true,user,user.effective.email,wildcard,extended,,,User email address.
+1.9.0-dev,true,user,user.effective.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group.
+1.9.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.9.0-dev,true,user,user.effective.id,keyword,core,,,Unique identifier of the user.
+1.9.0-dev,true,user,user.effective.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0-dev,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user.
+1.9.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.9.0-dev,true,user,user.email,wildcard,extended,,,User email address.
+1.9.0-dev,true,user,user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group.
+1.9.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.9.0-dev,true,user,user.id,keyword,core,,,Unique identifier of the user.
+1.9.0-dev,true,user,user.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user.
+1.9.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.9.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.9.0-dev,true,user,user.target.email,wildcard,extended,,,User email address.
+1.9.0-dev,true,user,user.target.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group.
+1.9.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.9.0-dev,true,user,user.target.id,keyword,core,,,Unique identifier of the user.
+1.9.0-dev,true,user,user.target.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0-dev,true,user,user.target.name.text,text,core,,albert,Short name or login of the user.
+1.9.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.9.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device.
+1.9.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
+1.9.0-dev,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
+1.9.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
+1.9.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+1.9.0-dev,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.9.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.9.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+1.9.0-dev,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
+1.9.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
+1.9.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+1.9.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
+1.9.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+1.9.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent.
+1.9.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability.
+1.9.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability.
+1.9.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
+1.9.0-dev,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
+1.9.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability.
+1.9.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability.
+1.9.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability.
+1.9.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number.
+1.9.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor.
+1.9.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score.
+1.9.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score.
+1.9.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score.
+1.9.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version.
+1.9.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability.
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json
index bf81034aec..378c3dc0fa 100644
--- a/generated/elasticsearch/6/template.json
+++ b/generated/elasticsearch/6/template.json
@@ -5,7 +5,7 @@
   "mappings": {
     "_doc": {
       "_meta": {
-        "version": "1.8.0-dev"
+        "version": "1.9.0-dev"
       },
       "date_detection": false,
       "dynamic_templates": [
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json
index 98bf95f301..2a9466df8b 100644
--- a/generated/elasticsearch/7/template.json
+++ b/generated/elasticsearch/7/template.json
@@ -4,7 +4,7 @@
   ],
   "mappings": {
     "_meta": {
-      "version": "1.8.0-dev"
+      "version": "1.9.0-dev"
     },
     "date_detection": false,
     "dynamic_templates": [
diff --git a/generated/elasticsearch/component/agent.json b/generated/elasticsearch/component/agent.json
index 353ba82a15..d7921d9adf 100644
--- a/generated/elasticsearch/component/agent.json
+++ b/generated/elasticsearch/component/agent.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html",
-    "ecs_version": "1.8.0-dev"
+    "ecs_version": "1.9.0-dev"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/base.json b/generated/elasticsearch/component/base.json
index 5f5c1db363..406ed0981d 100644
--- a/generated/elasticsearch/component/base.json
+++ b/generated/elasticsearch/component/base.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
-    "ecs_version": "1.8.0-dev"
+    "ecs_version": "1.9.0-dev"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/client.json b/generated/elasticsearch/component/client.json
index 31e691aed1..c0840d578f 100644
--- a/generated/elasticsearch/component/client.json
+++ b/generated/elasticsearch/component/client.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html",
-    "ecs_version": "1.8.0-dev"
+    "ecs_version": "1.9.0-dev"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/cloud.json b/generated/elasticsearch/component/cloud.json
index 4f232454c4..b13150c6a0 100644
--- a/generated/elasticsearch/component/cloud.json
+++ b/generated/elasticsearch/component/cloud.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html",
-    "ecs_version": "1.8.0-dev"
+    "ecs_version": "1.9.0-dev"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/container.json b/generated/elasticsearch/component/container.json
index 38eca1d7f2..b7c8e6858e 100644
--- a/generated/elasticsearch/component/container.json
+++ b/generated/elasticsearch/component/container.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-container.html",
-    "ecs_version": "1.8.0-dev"
+    "ecs_version": "1.9.0-dev"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/destination.json b/generated/elasticsearch/component/destination.json
index d9e445f419..cf63935a0a 100644
--- a/generated/elasticsearch/component/destination.json
+++ b/generated/elasticsearch/component/destination.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html",
-    "ecs_version": "1.8.0-dev"
+    "ecs_version": "1.9.0-dev"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/dll.json b/generated/elasticsearch/component/dll.json
index d1654a2995..8e878c310e 100644
--- a/generated/elasticsearch/component/dll.json
+++ b/generated/elasticsearch/component/dll.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dll.html",
-    "ecs_version": "1.8.0-dev"
+    "ecs_version": "1.9.0-dev"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/dns.json b/generated/elasticsearch/component/dns.json
index 15a736a4cf..f66115ccb1 100644
--- a/generated/elasticsearch/component/dns.json
+++ b/generated/elasticsearch/component/dns.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html",
-    "ecs_version": "1.8.0-dev"
+    "ecs_version": "1.9.0-dev"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/ecs.json b/generated/elasticsearch/component/ecs.json
index f0236e672f..561892a4ed 100644
--- a/generated/elasticsearch/component/ecs.json
+++ b/generated/elasticsearch/component/ecs.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html",
-    "ecs_version": "1.8.0-dev"
+    "ecs_version": "1.9.0-dev"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/error.json b/generated/elasticsearch/component/error.json
index 6ed08970ef..328259dd49 100644
--- a/generated/elasticsearch/component/error.json
+++ b/generated/elasticsearch/component/error.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-error.html",
-    "ecs_version": "1.8.0-dev"
+    "ecs_version": "1.9.0-dev"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/event.json b/generated/elasticsearch/component/event.json
index 85c990900f..06bcdfae66 100644
--- a/generated/elasticsearch/component/event.json
+++ b/generated/elasticsearch/component/event.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html",
-    "ecs_version": "1.8.0-dev"
+    "ecs_version": "1.9.0-dev"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/file.json b/generated/elasticsearch/component/file.json
index 073dc7959e..a2f17562f9 100644
--- a/generated/elasticsearch/component/file.json
+++ b/generated/elasticsearch/component/file.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html",
-    "ecs_version": "1.8.0-dev"
+    "ecs_version": "1.9.0-dev"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/group.json b/generated/elasticsearch/component/group.json
index 381724c510..13d6a829a5 100644
--- a/generated/elasticsearch/component/group.json
+++ b/generated/elasticsearch/component/group.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-group.html",
-    "ecs_version": "1.8.0-dev"
+    "ecs_version": "1.9.0-dev"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/host.json b/generated/elasticsearch/component/host.json
index de2b9925b0..c0e3c0fcf5 100644
--- a/generated/elasticsearch/component/host.json
+++ b/generated/elasticsearch/component/host.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html",
-    "ecs_version": "1.8.0-dev"
+    "ecs_version": "1.9.0-dev"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/http.json b/generated/elasticsearch/component/http.json
index ee434bc3d3..0e38b06c88 100644
--- a/generated/elasticsearch/component/http.json
+++ b/generated/elasticsearch/component/http.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html",
-    "ecs_version": "1.8.0-dev"
+    "ecs_version": "1.9.0-dev"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/log.json b/generated/elasticsearch/component/log.json
index 79ac511fe0..b699db361d 100644
--- a/generated/elasticsearch/component/log.json
+++ b/generated/elasticsearch/component/log.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html",
-    "ecs_version": "1.8.0-dev"
+    "ecs_version": "1.9.0-dev"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/network.json b/generated/elasticsearch/component/network.json
index 7310610229..bb6d172e07 100644
--- a/generated/elasticsearch/component/network.json
+++ b/generated/elasticsearch/component/network.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html",
-    "ecs_version": "1.8.0-dev"
+    "ecs_version": "1.9.0-dev"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/observer.json b/generated/elasticsearch/component/observer.json
index f7b5f2fd65..30dce73707 100644
--- a/generated/elasticsearch/component/observer.json
+++ b/generated/elasticsearch/component/observer.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html",
-    "ecs_version": "1.8.0-dev"
+    "ecs_version": "1.9.0-dev"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/organization.json b/generated/elasticsearch/component/organization.json
index c00ed11538..d9cb399e89 100644
--- a/generated/elasticsearch/component/organization.json
+++ b/generated/elasticsearch/component/organization.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-organization.html",
-    "ecs_version": "1.8.0-dev"
+    "ecs_version": "1.9.0-dev"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/package.json b/generated/elasticsearch/component/package.json
index c15e8d6c91..ea843e3323 100644
--- a/generated/elasticsearch/component/package.json
+++ b/generated/elasticsearch/component/package.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-package.html",
-    "ecs_version": "1.8.0-dev"
+    "ecs_version": "1.9.0-dev"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/process.json b/generated/elasticsearch/component/process.json
index 472f0029fb..60ad49260b 100644
--- a/generated/elasticsearch/component/process.json
+++ b/generated/elasticsearch/component/process.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html",
-    "ecs_version": "1.8.0-dev"
+    "ecs_version": "1.9.0-dev"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/registry.json b/generated/elasticsearch/component/registry.json
index db6a8c5ba2..0ed4b2c47c 100644
--- a/generated/elasticsearch/component/registry.json
+++ b/generated/elasticsearch/component/registry.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-registry.html",
-    "ecs_version": "1.8.0-dev"
+    "ecs_version": "1.9.0-dev"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/related.json b/generated/elasticsearch/component/related.json
index 39b205f4c2..0afe5810bd 100644
--- a/generated/elasticsearch/component/related.json
+++ b/generated/elasticsearch/component/related.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html",
-    "ecs_version": "1.8.0-dev"
+    "ecs_version": "1.9.0-dev"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/rule.json b/generated/elasticsearch/component/rule.json
index 735200cd82..65dfd9b1c2 100644
--- a/generated/elasticsearch/component/rule.json
+++ b/generated/elasticsearch/component/rule.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html",
-    "ecs_version": "1.8.0-dev"
+    "ecs_version": "1.9.0-dev"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/server.json b/generated/elasticsearch/component/server.json
index 7a5940efb4..39f925b650 100644
--- a/generated/elasticsearch/component/server.json
+++ b/generated/elasticsearch/component/server.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html",
-    "ecs_version": "1.8.0-dev"
+    "ecs_version": "1.9.0-dev"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/service.json b/generated/elasticsearch/component/service.json
index eb2e6517b3..2d9d66dfe2 100644
--- a/generated/elasticsearch/component/service.json
+++ b/generated/elasticsearch/component/service.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html",
-    "ecs_version": "1.8.0-dev"
+    "ecs_version": "1.9.0-dev"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/source.json b/generated/elasticsearch/component/source.json
index ae2b85b106..5a00a9eb52 100644
--- a/generated/elasticsearch/component/source.json
+++ b/generated/elasticsearch/component/source.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html",
-    "ecs_version": "1.8.0-dev"
+    "ecs_version": "1.9.0-dev"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/threat.json b/generated/elasticsearch/component/threat.json
index bf0ecc3778..cdd6f904b5 100644
--- a/generated/elasticsearch/component/threat.json
+++ b/generated/elasticsearch/component/threat.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-threat.html",
-    "ecs_version": "1.8.0-dev"
+    "ecs_version": "1.9.0-dev"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/tls.json b/generated/elasticsearch/component/tls.json
index be3dd91253..35a5c46faf 100644
--- a/generated/elasticsearch/component/tls.json
+++ b/generated/elasticsearch/component/tls.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tls.html",
-    "ecs_version": "1.8.0-dev"
+    "ecs_version": "1.9.0-dev"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/tracing.json b/generated/elasticsearch/component/tracing.json
index bce8899078..12ad11e6fa 100644
--- a/generated/elasticsearch/component/tracing.json
+++ b/generated/elasticsearch/component/tracing.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html",
-    "ecs_version": "1.8.0-dev"
+    "ecs_version": "1.9.0-dev"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/url.json b/generated/elasticsearch/component/url.json
index c50ced4a7d..0975aa95ce 100644
--- a/generated/elasticsearch/component/url.json
+++ b/generated/elasticsearch/component/url.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html",
-    "ecs_version": "1.8.0-dev"
+    "ecs_version": "1.9.0-dev"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/user.json b/generated/elasticsearch/component/user.json
index 8a1a714414..02dee92890 100644
--- a/generated/elasticsearch/component/user.json
+++ b/generated/elasticsearch/component/user.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html",
-    "ecs_version": "1.8.0-dev"
+    "ecs_version": "1.9.0-dev"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/user_agent.json b/generated/elasticsearch/component/user_agent.json
index c45d126c48..6ecb7d46e4 100644
--- a/generated/elasticsearch/component/user_agent.json
+++ b/generated/elasticsearch/component/user_agent.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html",
-    "ecs_version": "1.8.0-dev"
+    "ecs_version": "1.9.0-dev"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/vulnerability.json b/generated/elasticsearch/component/vulnerability.json
index cd04fb1f4e..9de1f1b4e6 100644
--- a/generated/elasticsearch/component/vulnerability.json
+++ b/generated/elasticsearch/component/vulnerability.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html",
-    "ecs_version": "1.8.0-dev"
+    "ecs_version": "1.9.0-dev"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/template.json b/generated/elasticsearch/template.json
index 2405e0a28d..9444d33b52 100644
--- a/generated/elasticsearch/template.json
+++ b/generated/elasticsearch/template.json
@@ -1,43 +1,43 @@
 {
   "_meta": {
     "description": "Sample composable template that includes all ECS fields",
-    "ecs_version": "1.8.0-dev"
+    "ecs_version": "1.9.0-dev"
   },
   "composed_of": [
-    "ecs_1.8.0-dev_agent",
-    "ecs_1.8.0-dev_base",
-    "ecs_1.8.0-dev_client",
-    "ecs_1.8.0-dev_cloud",
-    "ecs_1.8.0-dev_container",
-    "ecs_1.8.0-dev_destination",
-    "ecs_1.8.0-dev_dll",
-    "ecs_1.8.0-dev_dns",
-    "ecs_1.8.0-dev_ecs",
-    "ecs_1.8.0-dev_error",
-    "ecs_1.8.0-dev_event",
-    "ecs_1.8.0-dev_file",
-    "ecs_1.8.0-dev_group",
-    "ecs_1.8.0-dev_host",
-    "ecs_1.8.0-dev_http",
-    "ecs_1.8.0-dev_log",
-    "ecs_1.8.0-dev_network",
-    "ecs_1.8.0-dev_observer",
-    "ecs_1.8.0-dev_organization",
-    "ecs_1.8.0-dev_package",
-    "ecs_1.8.0-dev_process",
-    "ecs_1.8.0-dev_registry",
-    "ecs_1.8.0-dev_related",
-    "ecs_1.8.0-dev_rule",
-    "ecs_1.8.0-dev_server",
-    "ecs_1.8.0-dev_service",
-    "ecs_1.8.0-dev_source",
-    "ecs_1.8.0-dev_threat",
-    "ecs_1.8.0-dev_tls",
-    "ecs_1.8.0-dev_tracing",
-    "ecs_1.8.0-dev_url",
-    "ecs_1.8.0-dev_user",
-    "ecs_1.8.0-dev_user_agent",
-    "ecs_1.8.0-dev_vulnerability"
+    "ecs_1.9.0-dev_agent",
+    "ecs_1.9.0-dev_base",
+    "ecs_1.9.0-dev_client",
+    "ecs_1.9.0-dev_cloud",
+    "ecs_1.9.0-dev_container",
+    "ecs_1.9.0-dev_destination",
+    "ecs_1.9.0-dev_dll",
+    "ecs_1.9.0-dev_dns",
+    "ecs_1.9.0-dev_ecs",
+    "ecs_1.9.0-dev_error",
+    "ecs_1.9.0-dev_event",
+    "ecs_1.9.0-dev_file",
+    "ecs_1.9.0-dev_group",
+    "ecs_1.9.0-dev_host",
+    "ecs_1.9.0-dev_http",
+    "ecs_1.9.0-dev_log",
+    "ecs_1.9.0-dev_network",
+    "ecs_1.9.0-dev_observer",
+    "ecs_1.9.0-dev_organization",
+    "ecs_1.9.0-dev_package",
+    "ecs_1.9.0-dev_process",
+    "ecs_1.9.0-dev_registry",
+    "ecs_1.9.0-dev_related",
+    "ecs_1.9.0-dev_rule",
+    "ecs_1.9.0-dev_server",
+    "ecs_1.9.0-dev_service",
+    "ecs_1.9.0-dev_source",
+    "ecs_1.9.0-dev_threat",
+    "ecs_1.9.0-dev_tls",
+    "ecs_1.9.0-dev_tracing",
+    "ecs_1.9.0-dev_url",
+    "ecs_1.9.0-dev_user",
+    "ecs_1.9.0-dev_user_agent",
+    "ecs_1.9.0-dev_vulnerability"
   ],
   "index_patterns": [
     "try-ecs-*"
diff --git a/version b/version
index 0ef074f2ec..b57588e592 100644
--- a/version
+++ b/version
@@ -1 +1 @@
-1.8.0-dev
+1.9.0-dev

From ddf256874fd16f828a54c6aede966a842aaf95cf Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Wed, 16 Dec 2020 14:30:48 -0600
Subject: [PATCH 65/90] [1.x] Cut 1.8 FF changelog.next.md #1199 (#1201)

---
 CHANGELOG.next.md | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index d85ec4c97a..335325069f 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -9,11 +9,25 @@ Thanks, you're awesome :-) -->
 ## Unreleased
 
 ### Schema Changes
+### Tooling and Artifact Changes
 
 #### Breaking changes
 
 #### Bugfixes
 
+#### Added
+
+#### Improvements
+
+#### Deprecated
+
+
+## 1.8.0 (Feature Freeze)
+
+### Schema Changes
+
+#### Bugfixes
+
 * Clean up `event.reference` description. #1181
 
 #### Added
@@ -27,7 +41,9 @@ Thanks, you're awesome :-) -->
 #### Improvements
 
 * Event categorization fields GA. #1067
+* `wildcard` field type adoption. #1098
 * Note `[` and `]` bracket characters may enclose a literal IPv6 address when populating `url.domain`. #1131
+* Reinforce the exclusion of the leading dot from `url.extension`. #1151
 
 #### Deprecated
 
@@ -35,8 +51,6 @@ Thanks, you're awesome :-) -->
 
 ### Tooling and Artifact Changes
 
-#### Breaking changes
-
 #### Bugfixes
 
 * `tracing` fields should be at root of Beats `fields.ecs.yml` artifacts. #1164
@@ -49,17 +63,16 @@ Thanks, you're awesome :-) -->
 * Added support in the generated Go source go for `wildcard`, `version`, and `constant_keyword` data types. #1050
 * Added support for marking fields, field sets, or field reuse as beta in the documentation. #1051
 * Added support for `constant_keyword`'s optional parameter `value`. #1112
-* Added component templates for ECS field sets. #1156, #1186
+* Added component templates for ECS field sets. #1156, #1186, #1191
 
 #### Improvements
 
+* Make all fields linkable directly. #1148
 * Added a notice highlighting that the `tracing` fields are not nested under the
   namespace `tracing.` #1162
 * ES 6.x template data types will fallback to supported types. #1171, #1176, #1186
 * Add a documentation page discussing the experimental artifacts. #1189
 
-#### Deprecated
-
 
 <!-- All empty sections:
 

From d1e08be0d7f31439562b79355fd621abf0556229 Mon Sep 17 00:00:00 2001
From: Mathieu Martin <mathieu.martin@elastic.co>
Date: Wed, 6 Jan 2021 13:13:26 -0500
Subject: [PATCH 66/90] Merge custom and core multi_fields arrays (#982)
 (#1213)

Co-authored-by: Jonathan Buttner <56361221+jonathan-buttner@users.noreply.github.com>
---
 CHANGELOG.next.md                        |  1 +
 scripts/schema/loader.py                 | 30 ++++++++++
 scripts/tests/unit/test_schema_loader.py | 75 ++++++++++++++++++++++++
 3 files changed, 106 insertions(+)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 335325069f..f3225ffdb3 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -64,6 +64,7 @@ Thanks, you're awesome :-) -->
 * Added support for marking fields, field sets, or field reuse as beta in the documentation. #1051
 * Added support for `constant_keyword`'s optional parameter `value`. #1112
 * Added component templates for ECS field sets. #1156, #1186, #1191
+* Added functionality for merging custom and core multi-fields. #982
 
 #### Improvements
 
diff --git a/scripts/schema/loader.py b/scripts/schema/loader.py
index 07477551af..04f3218ae4 100644
--- a/scripts/schema/loader.py
+++ b/scripts/schema/loader.py
@@ -186,6 +186,28 @@ def nest_fields(field_array):
     return schema_root
 
 
+def array_of_maps_to_map(array_vals):
+    ret_map = {}
+    for map_val in array_vals:
+        name = map_val['name']
+        # if multiple name fields exist in the same custom definition this will take the last one
+        ret_map[name] = map_val
+    return ret_map
+
+
+def map_of_maps_to_array(map_vals):
+    ret_list = []
+    for key in map_vals:
+        ret_list.append(map_vals[key])
+    return sorted(ret_list, key=lambda k: k['name'])
+
+
+def dedup_and_merge_lists(list_a, list_b):
+    list_a_map = array_of_maps_to_map(list_a)
+    list_a_map.update(array_of_maps_to_map(list_b))
+    return map_of_maps_to_array(list_a_map)
+
+
 def merge_fields(a, b):
     """Merge ECS field sets with custom field sets."""
     a = copy.deepcopy(a)
@@ -199,6 +221,14 @@ def merge_fields(a, b):
             a[key].setdefault('field_details', {})
             a[key]['field_details'].setdefault('normalize', [])
             a[key]['field_details']['normalize'].extend(b[key]['field_details'].pop('normalize'))
+        if 'multi_fields' in b[key]['field_details']:
+            a[key].setdefault('field_details', {})
+            a[key]['field_details'].setdefault('multi_fields', [])
+            a[key]['field_details']['multi_fields'] = dedup_and_merge_lists(
+                a[key]['field_details']['multi_fields'], b[key]['field_details']['multi_fields'])
+            # if we don't do this then the update call below will overwrite a's field_details, with the original
+            # contents of b, which undoes our merging the multi_fields
+            del b[key]['field_details']['multi_fields']
         a[key]['field_details'].update(b[key]['field_details'])
         # merge schema details
         if 'schema_details' in b[key]:
diff --git a/scripts/tests/unit/test_schema_loader.py b/scripts/tests/unit/test_schema_loader.py
index de3a718bd5..fde33e0a1c 100644
--- a/scripts/tests/unit/test_schema_loader.py
+++ b/scripts/tests/unit/test_schema_loader.py
@@ -646,6 +646,81 @@ def test_merge_non_array_attributes(self):
         }
         self.assertEqual(merged_fields, expected_fields)
 
+    def test_merge_and_overwrite_multi_fields(self):
+        originalSchema = {
+            'overwrite_field': {
+                'field_details': {
+                    'multi_fields': [
+                        {
+                            'type': 'text',
+                            'name': 'text',
+                            'norms': True
+                        }
+                    ]
+                },
+                'fields': {
+                    'message': {
+                        'field_details': {
+                            'multi_fields': [
+                                {
+                                    'type': 'text',
+                                    'name': 'text'
+                                }
+                            ]
+                        }
+                    }
+                }
+            }
+        }
+
+        customSchema = {
+            'overwrite_field': {
+                'field_details': {
+                    'multi_fields': [
+                        # this entry will completely overwrite the originalSchema's name text entry
+                        {
+                            'type': 'text',
+                            'name': 'text'
+                        }
+                    ]
+                },
+                'fields': {
+                    'message': {
+                        'field_details': {
+                            'multi_fields': [
+                                # this entry will be merged with the originalSchema's multi_fields entries
+                                {
+                                    'type': 'keyword',
+                                    'name': 'a_field'
+                                }
+                            ]
+                        }
+                    }
+                }
+            }
+        }
+        merged_fields = loader.merge_fields(originalSchema, customSchema)
+        expected_overwrite_field_mf = [
+            {
+                'type': 'text',
+                'name': 'text'
+            }
+        ]
+
+        expected_message_mf = [
+            {
+                'type': 'keyword',
+                'name': 'a_field'
+            },
+            {
+                'type': 'text',
+                'name': 'text'
+            }
+        ]
+        self.assertEqual(merged_fields['overwrite_field']['field_details']['multi_fields'], expected_overwrite_field_mf)
+        self.assertEqual(merged_fields['overwrite_field']['fields']['message']['field_details']
+                         ['multi_fields'], expected_message_mf)
+
 
 if __name__ == '__main__':
     unittest.main()

From 4ab85fa766a76ba37a685b02bd14eb79dde73744 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Wed, 13 Jan 2021 16:33:14 -0600
Subject: [PATCH 67/90] [1.x] Stage 2 changes for RFC 0009 - data_stream fields
 (#1215) (#1222)

---
 experimental/generated/beats/fields.ecs.yml   | 52 ++++++++++++++
 experimental/generated/csv/fields.csv         |  3 +
 experimental/generated/ecs/ecs_flat.yml       | 46 +++++++++++++
 experimental/generated/ecs/ecs_nested.yml     | 69 +++++++++++++++++++
 .../generated/elasticsearch/7/template.json   | 13 ++++
 .../elasticsearch/component/data_stream.json  | 25 +++++++
 .../generated/elasticsearch/template.json     |  3 +-
 experimental/schemas/data_stream.yml          | 60 ++++++++++++++++
 8 files changed, 270 insertions(+), 1 deletion(-)
 create mode 100644 experimental/generated/elasticsearch/component/data_stream.json
 create mode 100644 experimental/schemas/data_stream.yml

diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index 02da5c2ee4..d19d6a36d8 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -564,6 +564,58 @@
       ignore_above: 1024
       description: Runtime managing this container.
       example: docker
+  - name: data_stream
+    title: Data Stream
+    group: 2
+    description: 'The data_stream fields take part in defining the new data stream
+      naming scheme.
+
+      In the new data stream naming scheme the value of the data stream fields combine
+      to the name of the actual data stream in the following manner `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`.
+      This means the fields can only contain characters that are valid as part of
+      names of data streams. More details about this can be found in this https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme[blog
+      post].
+
+      An Elasticsearch data stream consists of one or more backing indices, and a
+      data stream name forms part of the backing indices names. Due to this convention,
+      data streams must also follow index naming restrictions. For example, data stream
+      names cannot include \, /, *, ?, ", <, >, |, ` `. Please see the Elasticsearch
+      reference for additional https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html#indices-create-api-path-params[restrictions].'
+    type: group
+    fields:
+    - name: dataset
+      level: extended
+      type: constant_keyword
+      description: "The field can contain anything that makes sense to signify the\
+        \ source of the data.\nExamples include `nginx.access`, `prometheus`, `endpoint`\
+        \ etc. For data streams that otherwise fit, but that do not have dataset set\
+        \ we use the value \"generic\" for the dataset value. `event.dataset` should\
+        \ have the same value as `data_stream.dataset`.\nBeyond the Elasticsearch\
+        \ data stream naming criteria noted above, the `dataset` value has additional\
+        \ restrictions:\n  * Must not contain `-`\n  * No longer than 100 characters"
+      example: nginx.access
+      default_field: false
+    - name: namespace
+      level: extended
+      type: constant_keyword
+      description: "A user defined namespace. Namespaces are useful to allow grouping\
+        \ of data.\nMany users already organize their indices this way, and the data\
+        \ stream naming scheme now provides this best practice as a default. Many\
+        \ users will populate this field with `default`. If no value is used, it falls\
+        \ back to `default`.\nBeyond the Elasticsearch index naming criteria noted\
+        \ above, `namespace` value has the additional restrictions:\n  * Must not\
+        \ contain `-`\n  * No longer than 100 characters"
+      example: production
+      default_field: false
+    - name: type
+      level: extended
+      type: constant_keyword
+      description: 'An overarching type for the data stream.
+
+        Currently allowed values are "logs" and "metrics". We expect to also add "traces"
+        and "synthetics" in the near future.'
+      example: logs
+      default_field: false
   - name: destination
     title: Destination
     group: 2
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
index b5efd516c7..95199f66a2 100644
--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -60,6 +60,9 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,container,container.labels,object,extended,,,Image labels.
 1.9.0-dev+exp,true,container,container.name,keyword,extended,,,Container name.
 1.9.0-dev+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container.
+1.9.0-dev+exp,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data.
+1.9.0-dev+exp,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data.
+1.9.0-dev+exp,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream.
 1.9.0-dev+exp,true,destination,destination.address,keyword,extended,,,Destination network address.
 1.9.0-dev+exp,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
 1.9.0-dev+exp,true,destination,destination.as.organization.name,wildcard,extended,,Google LLC,Organization name.
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index f98d8b95ce..a7c053c2d1 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -705,6 +705,52 @@ container.runtime:
   normalize: []
   short: Runtime managing this container.
   type: keyword
+data_stream.dataset:
+  dashed_name: data-stream-dataset
+  description: "The field can contain anything that makes sense to signify the source\
+    \ of the data.\nExamples include `nginx.access`, `prometheus`, `endpoint` etc.\
+    \ For data streams that otherwise fit, but that do not have dataset set we use\
+    \ the value \"generic\" for the dataset value. `event.dataset` should have the\
+    \ same value as `data_stream.dataset`.\nBeyond the Elasticsearch data stream naming\
+    \ criteria noted above, the `dataset` value has additional restrictions:\n  *\
+    \ Must not contain `-`\n  * No longer than 100 characters"
+  example: nginx.access
+  flat_name: data_stream.dataset
+  level: extended
+  name: dataset
+  normalize: []
+  short: The field can contain anything that makes sense to signify the source of
+    the data.
+  type: constant_keyword
+data_stream.namespace:
+  dashed_name: data-stream-namespace
+  description: "A user defined namespace. Namespaces are useful to allow grouping\
+    \ of data.\nMany users already organize their indices this way, and the data stream\
+    \ naming scheme now provides this best practice as a default. Many users will\
+    \ populate this field with `default`. If no value is used, it falls back to `default`.\n\
+    Beyond the Elasticsearch index naming criteria noted above, `namespace` value\
+    \ has the additional restrictions:\n  * Must not contain `-`\n  * No longer than\
+    \ 100 characters"
+  example: production
+  flat_name: data_stream.namespace
+  level: extended
+  name: namespace
+  normalize: []
+  short: A user defined namespace. Namespaces are useful to allow grouping of data.
+  type: constant_keyword
+data_stream.type:
+  dashed_name: data-stream-type
+  description: 'An overarching type for the data stream.
+
+    Currently allowed values are "logs" and "metrics". We expect to also add "traces"
+    and "synthetics" in the near future.'
+  example: logs
+  flat_name: data_stream.type
+  level: extended
+  name: type
+  normalize: []
+  short: An overarching type for the data stream.
+  type: constant_keyword
 destination.address:
   dashed_name: destination-address
   description: 'Some event destination addresses are defined ambiguously. The event
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index 97acbc2459..2b825db77d 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -983,6 +983,75 @@ container:
   short: Fields describing the container that generated this event.
   title: Container
   type: group
+data_stream:
+  description: 'The data_stream fields take part in defining the new data stream naming
+    scheme.
+
+    In the new data stream naming scheme the value of the data stream fields combine
+    to the name of the actual data stream in the following manner `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`.
+    This means the fields can only contain characters that are valid as part of names
+    of data streams. More details about this can be found in this https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme[blog
+    post].
+
+    An Elasticsearch data stream consists of one or more backing indices, and a data
+    stream name forms part of the backing indices names. Due to this convention, data
+    streams must also follow index naming restrictions. For example, data stream names
+    cannot include \, /, *, ?, ", <, >, |, ` `. Please see the Elasticsearch reference
+    for additional https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html#indices-create-api-path-params[restrictions].'
+  fields:
+    data_stream.dataset:
+      dashed_name: data-stream-dataset
+      description: "The field can contain anything that makes sense to signify the\
+        \ source of the data.\nExamples include `nginx.access`, `prometheus`, `endpoint`\
+        \ etc. For data streams that otherwise fit, but that do not have dataset set\
+        \ we use the value \"generic\" for the dataset value. `event.dataset` should\
+        \ have the same value as `data_stream.dataset`.\nBeyond the Elasticsearch\
+        \ data stream naming criteria noted above, the `dataset` value has additional\
+        \ restrictions:\n  * Must not contain `-`\n  * No longer than 100 characters"
+      example: nginx.access
+      flat_name: data_stream.dataset
+      level: extended
+      name: dataset
+      normalize: []
+      short: The field can contain anything that makes sense to signify the source
+        of the data.
+      type: constant_keyword
+    data_stream.namespace:
+      dashed_name: data-stream-namespace
+      description: "A user defined namespace. Namespaces are useful to allow grouping\
+        \ of data.\nMany users already organize their indices this way, and the data\
+        \ stream naming scheme now provides this best practice as a default. Many\
+        \ users will populate this field with `default`. If no value is used, it falls\
+        \ back to `default`.\nBeyond the Elasticsearch index naming criteria noted\
+        \ above, `namespace` value has the additional restrictions:\n  * Must not\
+        \ contain `-`\n  * No longer than 100 characters"
+      example: production
+      flat_name: data_stream.namespace
+      level: extended
+      name: namespace
+      normalize: []
+      short: A user defined namespace. Namespaces are useful to allow grouping of
+        data.
+      type: constant_keyword
+    data_stream.type:
+      dashed_name: data-stream-type
+      description: 'An overarching type for the data stream.
+
+        Currently allowed values are "logs" and "metrics". We expect to also add "traces"
+        and "synthetics" in the near future.'
+      example: logs
+      flat_name: data_stream.type
+      level: extended
+      name: type
+      normalize: []
+      short: An overarching type for the data stream.
+      type: constant_keyword
+  group: 2
+  name: data_stream
+  prefix: data_stream.
+  short: The data_stream fields take part in defining the new data stream naming scheme.
+  title: Data Stream
+  type: group
 destination:
   description: 'Destination fields capture details about the receiver of a network
     exchange/packet. These fields are populated from a network event, packet, or other
diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json
index 029aa451f3..7420e1c441 100644
--- a/experimental/generated/elasticsearch/7/template.json
+++ b/experimental/generated/elasticsearch/7/template.json
@@ -303,6 +303,19 @@
           }
         }
       },
+      "data_stream": {
+        "properties": {
+          "dataset": {
+            "type": "constant_keyword"
+          },
+          "namespace": {
+            "type": "constant_keyword"
+          },
+          "type": {
+            "type": "constant_keyword"
+          }
+        }
+      },
       "destination": {
         "properties": {
           "address": {
diff --git a/experimental/generated/elasticsearch/component/data_stream.json b/experimental/generated/elasticsearch/component/data_stream.json
new file mode 100644
index 0000000000..3d4d93c586
--- /dev/null
+++ b/experimental/generated/elasticsearch/component/data_stream.json
@@ -0,0 +1,25 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-data_stream.html",
+    "ecs_version": "1.9.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "data_stream": {
+          "properties": {
+            "dataset": {
+              "type": "constant_keyword"
+            },
+            "namespace": {
+              "type": "constant_keyword"
+            },
+            "type": {
+              "type": "constant_keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/experimental/generated/elasticsearch/template.json b/experimental/generated/elasticsearch/template.json
index b8f252c020..f81f6b49dc 100644
--- a/experimental/generated/elasticsearch/template.json
+++ b/experimental/generated/elasticsearch/template.json
@@ -37,7 +37,8 @@
     "ecs_1.9.0-dev-exp_url",
     "ecs_1.9.0-dev-exp_user",
     "ecs_1.9.0-dev-exp_user_agent",
-    "ecs_1.9.0-dev-exp_vulnerability"
+    "ecs_1.9.0-dev-exp_vulnerability",
+    "ecs_1.9.0-dev-exp_data_stream"
   ],
   "index_patterns": [
     "try-ecs-*"
diff --git a/experimental/schemas/data_stream.yml b/experimental/schemas/data_stream.yml
new file mode 100644
index 0000000000..d651800fa4
--- /dev/null
+++ b/experimental/schemas/data_stream.yml
@@ -0,0 +1,60 @@
+---
+- name: data_stream
+  title: Data Stream
+  short: The data_stream fields take part in defining the new data stream naming scheme.
+  description: >
+    The data_stream fields take part in defining the new data stream naming scheme.
+
+    In the new data stream naming scheme the value of the data stream fields combine to the name of the actual data
+    stream in the following manner `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. This means the fields
+    can only contain characters that are valid as part of names of data streams. More details about this can be found in
+    this https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme[blog post].
+
+    An Elasticsearch data stream consists of one or more backing indices, and a data stream name forms part of the backing indices names.
+    Due to this convention, data streams must also follow index naming restrictions. For example, data stream names cannot include \, /, *, ?, ", <, >, |, ` `.
+    Please see the Elasticsearch reference for additional https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html#indices-create-api-path-params[restrictions].
+  fields:
+
+    - name: type
+      level: extended
+      type: constant_keyword
+      example: logs
+      # Any future values for `data_stream.type` should also adhere to the following restrictions (these are derived from the Elasticsearch index restrictions):
+      # * Must not contain `-`
+      # * Must not start with `+` or `_`
+      description: >
+        An overarching type for the data stream.
+
+        Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.
+      short: An overarching type for the data stream.
+
+    - name: dataset
+      level: extended
+      type: constant_keyword
+      example: nginx.access
+      description: >
+        The field can contain anything that makes sense to signify the source of the data.
+
+        Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that
+        do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the
+        same value as `data_stream.dataset`.
+
+        Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions:
+          * Must not contain `-`
+          * No longer than 100 characters
+      short: The field can contain anything that makes sense to signify the source of the data.
+
+    - name: namespace
+      level: extended
+      type: constant_keyword
+      example: production
+      description: >
+        A user defined namespace. Namespaces are useful to allow grouping of data.
+
+        Many users already organize their indices this way, and the data stream naming scheme now provides this
+        best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`.
+
+        Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions:
+          * Must not contain `-`
+          * No longer than 100 characters
+      short: A user defined namespace. Namespaces are useful to allow grouping of data.

From 2b240f15ccefb408b57566bcc818fe7a2f931a7f Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Thu, 14 Jan 2021 10:21:12 -0600
Subject: [PATCH 68/90] [1.x] add http.request.id (#1208) (#1223)

Co-authored-by: Eric Beahan <eric.beahan@elastic.co>
Co-authored-by: Gil Raphaelli <gil@elastic.co>
---
 CHANGELOG.next.md                              |  2 ++
 code/go/ecs/http.go                            |  6 ++++++
 docs/field-details.asciidoc                    | 18 ++++++++++++++++++
 experimental/generated/beats/fields.ecs.yml    | 11 +++++++++++
 experimental/generated/csv/fields.csv          |  1 +
 experimental/generated/ecs/ecs_flat.yml        | 15 +++++++++++++++
 experimental/generated/ecs/ecs_nested.yml      | 15 +++++++++++++++
 .../generated/elasticsearch/7/template.json    |  4 ++++
 .../elasticsearch/component/http.json          |  4 ++++
 generated/beats/fields.ecs.yml                 | 11 +++++++++++
 generated/csv/fields.csv                       |  1 +
 generated/ecs/ecs_flat.yml                     | 15 +++++++++++++++
 generated/ecs/ecs_nested.yml                   | 15 +++++++++++++++
 generated/elasticsearch/6/template.json        |  4 ++++
 generated/elasticsearch/7/template.json        |  4 ++++
 generated/elasticsearch/component/http.json    |  4 ++++
 schemas/http.yml                               | 13 +++++++++++++
 17 files changed, 143 insertions(+)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index f3225ffdb3..ca70e28078 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -17,6 +17,8 @@ Thanks, you're awesome :-) -->
 
 #### Added
 
+* Added `http.request.id`. #1208
+
 #### Improvements
 
 #### Deprecated
diff --git a/code/go/ecs/http.go b/code/go/ecs/http.go
index 9abb112274..278b28378a 100644
--- a/code/go/ecs/http.go
+++ b/code/go/ecs/http.go
@@ -22,6 +22,12 @@ package ecs
 // Fields related to HTTP activity. Use the `url` field set to store the url of
 // the request.
 type Http struct {
+	// A unique identifier for each HTTP request to correlate logs between
+	// clients and servers in transactions.
+	// The id may be contained in a non-standard HTTP header, such as
+	// `X-Request-ID` or `X-Correlation-ID`.
+	RequestID string `ecs:"request.id"`
+
 	// HTTP request method.
 	// Prior to ECS 1.6.0 the following guidance was provided:
 	// "The field value must be normalized to lowercase for querying."
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index 73bc4467d3..1c24738341 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -3383,6 +3383,24 @@ example: `1437`
 
 // ===============================================================
 
+|
+[[field-http-request-id]]
+<<field-http-request-id, http.request.id>>
+
+| A unique identifier for each HTTP request to correlate logs between clients and servers in transactions.
+
+The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`.
+
+type: keyword
+
+
+
+example: `123e4567-e89b-12d3-a456-426614174000`
+
+| extended
+
+// ===============================================================
+
 |
 [[field-http-request-method]]
 <<field-http-request-method, http.request.method>>
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index d19d6a36d8..501e0d801e 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -2413,6 +2413,17 @@
       format: bytes
       description: Total size in bytes of the request (body and headers).
       example: 1437
+    - name: request.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'A unique identifier for each HTTP request to correlate logs between
+        clients and servers in transactions.
+
+        The id may be contained in a non-standard HTTP header, such as `X-Request-ID`
+        or `X-Correlation-ID`.'
+      example: 123e4567-e89b-12d3-a456-426614174000
+      default_field: false
     - name: request.method
       level: extended
       type: keyword
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
index 95199f66a2..d7ce2df034 100644
--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -281,6 +281,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body.
 1.9.0-dev+exp,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body.
 1.9.0-dev+exp,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers).
+1.9.0-dev+exp,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID.
 1.9.0-dev+exp,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method.
 1.9.0-dev+exp,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request.
 1.9.0-dev+exp,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request.
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index a7c053c2d1..25e79b4947 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -3832,6 +3832,21 @@ http.request.bytes:
   normalize: []
   short: Total size in bytes of the request (body and headers).
   type: long
+http.request.id:
+  dashed_name: http-request-id
+  description: 'A unique identifier for each HTTP request to correlate logs between
+    clients and servers in transactions.
+
+    The id may be contained in a non-standard HTTP header, such as `X-Request-ID`
+    or `X-Correlation-ID`.'
+  example: 123e4567-e89b-12d3-a456-426614174000
+  flat_name: http.request.id
+  ignore_above: 1024
+  level: extended
+  name: request.id
+  normalize: []
+  short: HTTP request ID.
+  type: keyword
 http.request.method:
   dashed_name: http-request-method
   description: 'HTTP request method.
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index 2b825db77d..ef90a2bcd8 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -4548,6 +4548,21 @@ http:
       normalize: []
       short: Total size in bytes of the request (body and headers).
       type: long
+    http.request.id:
+      dashed_name: http-request-id
+      description: 'A unique identifier for each HTTP request to correlate logs between
+        clients and servers in transactions.
+
+        The id may be contained in a non-standard HTTP header, such as `X-Request-ID`
+        or `X-Correlation-ID`.'
+      example: 123e4567-e89b-12d3-a456-426614174000
+      flat_name: http.request.id
+      ignore_above: 1024
+      level: extended
+      name: request.id
+      normalize: []
+      short: HTTP request ID.
+      type: keyword
     http.request.method:
       dashed_name: http-request-method
       description: 'HTTP request method.
diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json
index 7420e1c441..70ed2974d8 100644
--- a/experimental/generated/elasticsearch/7/template.json
+++ b/experimental/generated/elasticsearch/7/template.json
@@ -1296,6 +1296,10 @@
               "bytes": {
                 "type": "long"
               },
+              "id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "method": {
                 "ignore_above": 1024,
                 "type": "keyword"
diff --git a/experimental/generated/elasticsearch/component/http.json b/experimental/generated/elasticsearch/component/http.json
index b2284df25e..3b79b53c86 100644
--- a/experimental/generated/elasticsearch/component/http.json
+++ b/experimental/generated/elasticsearch/component/http.json
@@ -29,6 +29,10 @@
                 "bytes": {
                   "type": "long"
                 },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "method": {
                   "ignore_above": 1024,
                   "type": "keyword"
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 55bf39366c..aca54a4756 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -2315,6 +2315,17 @@
       format: bytes
       description: Total size in bytes of the request (body and headers).
       example: 1437
+    - name: request.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'A unique identifier for each HTTP request to correlate logs between
+        clients and servers in transactions.
+
+        The id may be contained in a non-standard HTTP header, such as `X-Request-ID`
+        or `X-Correlation-ID`.'
+      example: 123e4567-e89b-12d3-a456-426614174000
+      default_field: false
     - name: request.method
       level: extended
       type: keyword
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index 87ca4a70d3..b6d222e2b4 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -271,6 +271,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body.
 1.9.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body.
 1.9.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers).
+1.9.0-dev,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID.
 1.9.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method.
 1.9.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request.
 1.9.0-dev,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request.
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index 7e7347eba8..eed7fb34ad 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -3712,6 +3712,21 @@ http.request.bytes:
   normalize: []
   short: Total size in bytes of the request (body and headers).
   type: long
+http.request.id:
+  dashed_name: http-request-id
+  description: 'A unique identifier for each HTTP request to correlate logs between
+    clients and servers in transactions.
+
+    The id may be contained in a non-standard HTTP header, such as `X-Request-ID`
+    or `X-Correlation-ID`.'
+  example: 123e4567-e89b-12d3-a456-426614174000
+  flat_name: http.request.id
+  ignore_above: 1024
+  level: extended
+  name: request.id
+  normalize: []
+  short: HTTP request ID.
+  type: keyword
 http.request.method:
   dashed_name: http-request-method
   description: 'HTTP request method.
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index 47cd8526ef..a78c8b1774 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -4405,6 +4405,21 @@ http:
       normalize: []
       short: Total size in bytes of the request (body and headers).
       type: long
+    http.request.id:
+      dashed_name: http-request-id
+      description: 'A unique identifier for each HTTP request to correlate logs between
+        clients and servers in transactions.
+
+        The id may be contained in a non-standard HTTP header, such as `X-Request-ID`
+        or `X-Correlation-ID`.'
+      example: 123e4567-e89b-12d3-a456-426614174000
+      flat_name: http.request.id
+      ignore_above: 1024
+      level: extended
+      name: request.id
+      normalize: []
+      short: HTTP request ID.
+      type: keyword
     http.request.method:
       dashed_name: http-request-method
       description: 'HTTP request method.
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json
index 378c3dc0fa..248a06ed55 100644
--- a/generated/elasticsearch/6/template.json
+++ b/generated/elasticsearch/6/template.json
@@ -1270,6 +1270,10 @@
                 "bytes": {
                   "type": "long"
                 },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "method": {
                   "ignore_above": 1024,
                   "type": "keyword"
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json
index 2a9466df8b..87007a70f3 100644
--- a/generated/elasticsearch/7/template.json
+++ b/generated/elasticsearch/7/template.json
@@ -1233,6 +1233,10 @@
               "bytes": {
                 "type": "long"
               },
+              "id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "method": {
                 "ignore_above": 1024,
                 "type": "keyword"
diff --git a/generated/elasticsearch/component/http.json b/generated/elasticsearch/component/http.json
index 0e38b06c88..d208148bdb 100644
--- a/generated/elasticsearch/component/http.json
+++ b/generated/elasticsearch/component/http.json
@@ -29,6 +29,10 @@
                 "bytes": {
                   "type": "long"
                 },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "method": {
                   "ignore_above": 1024,
                   "type": "keyword"
diff --git a/schemas/http.yml b/schemas/http.yml
index f0ee23c53a..75475199b4 100644
--- a/schemas/http.yml
+++ b/schemas/http.yml
@@ -8,6 +8,19 @@
   type: group
   fields:
 
+    - name: request.id
+      level: extended
+      type: keyword
+      short: HTTP request ID.
+      description: >
+        A unique identifier for each HTTP request to correlate logs between clients
+        and servers in transactions.
+        
+        The id may be contained in a non-standard HTTP header, such as `X-Request-ID`
+        or `X-Correlation-ID`. 
+
+      example: 123e4567-e89b-12d3-a456-426614174000
+
     - name: request.method
       level: extended
       type: keyword

From 36ebb017da9592b95db15482a7b35799c0cfd134 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Thu, 14 Jan 2021 10:34:51 -0600
Subject: [PATCH 69/90] [1.x] add cloud.service.name (#1204) (#1224)

* add cloud.platform

* expand cloud.platform description

* move to cloud.service.name

Co-authored-by: Gil Raphaelli <gil@elastic.co>
---
 CHANGELOG.next.md                              |  1 +
 code/go/ecs/cloud.go                           |  6 ++++++
 docs/field-details.asciidoc                    | 18 ++++++++++++++++++
 experimental/generated/beats/fields.ecs.yml    | 11 +++++++++++
 experimental/generated/csv/fields.csv          |  1 +
 experimental/generated/ecs/ecs_flat.yml        | 15 +++++++++++++++
 experimental/generated/ecs/ecs_nested.yml      | 15 +++++++++++++++
 .../generated/elasticsearch/7/template.json    |  8 ++++++++
 .../elasticsearch/component/cloud.json         |  8 ++++++++
 generated/beats/fields.ecs.yml                 | 11 +++++++++++
 generated/csv/fields.csv                       |  1 +
 generated/ecs/ecs_flat.yml                     | 15 +++++++++++++++
 generated/ecs/ecs_nested.yml                   | 15 +++++++++++++++
 generated/elasticsearch/6/template.json        |  8 ++++++++
 generated/elasticsearch/7/template.json        |  8 ++++++++
 generated/elasticsearch/component/cloud.json   |  8 ++++++++
 schemas/cloud.yml                              | 12 ++++++++++++
 17 files changed, 161 insertions(+)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index ca70e28078..7abb10dbfb 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -18,6 +18,7 @@ Thanks, you're awesome :-) -->
 #### Added
 
 * Added `http.request.id`. #1208
+* Added `cloud.service.name`. #1204
 
 #### Improvements
 
diff --git a/code/go/ecs/cloud.go b/code/go/ecs/cloud.go
index 630e0c6fce..13b7ff551a 100644
--- a/code/go/ecs/cloud.go
+++ b/code/go/ecs/cloud.go
@@ -51,6 +51,12 @@ type Cloud struct {
 	// Examples: AWS account name, Google Cloud ORG display name.
 	AccountName string `ecs:"account.name"`
 
+	// The cloud service name is intended to distinguish services running on
+	// different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs
+	// App Engine, Azure VM vs App Server.
+	// Examples: app engine, app service, cloud run, fargate, lambda.
+	ServiceName string `ecs:"service.name"`
+
 	// The cloud project identifier.
 	// Examples: Google Cloud Project id, Azure Project id.
 	ProjectID string `ecs:"project.id"`
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index 1c24738341..eb72c4aa44 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -738,6 +738,24 @@ example: `us-east-1`
 
 // ===============================================================
 
+|
+[[field-cloud-service-name]]
+<<field-cloud-service-name, cloud.service.name>>
+
+| The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server.
+
+Examples: app engine, app service, cloud run, fargate, lambda.
+
+type: keyword
+
+
+
+example: `lambda`
+
+| extended
+
+// ===============================================================
+
 |=====
 
 [[ecs-code_signature]]
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index 501e0d801e..e687969bf8 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -476,6 +476,17 @@
       ignore_above: 1024
       description: Region in which this host is running.
       example: us-east-1
+    - name: service.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The cloud service name is intended to distinguish services running
+        on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs
+        App Engine, Azure VM vs App Server.
+
+        Examples: app engine, app service, cloud run, fargate, lambda.'
+      example: lambda
+      default_field: false
   - name: code_signature
     title: Code Signature
     group: 2
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
index d7ce2df034..bb4d0bf393 100644
--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -54,6 +54,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name.
 1.9.0-dev+exp,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider.
 1.9.0-dev+exp,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running.
+1.9.0-dev+exp,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name.
 1.9.0-dev+exp,true,container,container.id,keyword,core,,,Unique container id.
 1.9.0-dev+exp,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on.
 1.9.0-dev+exp,true,container,container.image.tag,keyword,extended,array,,Container image tags.
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index 25e79b4947..712c63c9a5 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -643,6 +643,21 @@ cloud.region:
   normalize: []
   short: Region in which this host is running.
   type: keyword
+cloud.service.name:
+  dashed_name: cloud-service-name
+  description: 'The cloud service name is intended to distinguish services running
+    on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App
+    Engine, Azure VM vs App Server.
+
+    Examples: app engine, app service, cloud run, fargate, lambda.'
+  example: lambda
+  flat_name: cloud.service.name
+  ignore_above: 1024
+  level: extended
+  name: service.name
+  normalize: []
+  short: The cloud service name.
+  type: keyword
 container.id:
   dashed_name: container-id
   description: Unique container id.
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index ef90a2bcd8..9016fe8641 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -814,6 +814,21 @@ cloud:
       normalize: []
       short: Region in which this host is running.
       type: keyword
+    cloud.service.name:
+      dashed_name: cloud-service-name
+      description: 'The cloud service name is intended to distinguish services running
+        on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs
+        App Engine, Azure VM vs App Server.
+
+        Examples: app engine, app service, cloud run, fargate, lambda.'
+      example: lambda
+      flat_name: cloud.service.name
+      ignore_above: 1024
+      level: extended
+      name: service.name
+      normalize: []
+      short: The cloud service name.
+      type: keyword
   footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from
     its host, the cloud info contains the data about this machine. If Metricbeat runs
     on a remote machine outside the cloud and fetches data from a service running
diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json
index 70ed2974d8..1582968a6f 100644
--- a/experimental/generated/elasticsearch/7/template.json
+++ b/experimental/generated/elasticsearch/7/template.json
@@ -269,6 +269,14 @@
           "region": {
             "ignore_above": 1024,
             "type": "keyword"
+          },
+          "service": {
+            "properties": {
+              "name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
           }
         }
       },
diff --git a/experimental/generated/elasticsearch/component/cloud.json b/experimental/generated/elasticsearch/component/cloud.json
index 52f33efb8c..b33d205acc 100644
--- a/experimental/generated/elasticsearch/component/cloud.json
+++ b/experimental/generated/elasticsearch/component/cloud.json
@@ -63,6 +63,14 @@
             "region": {
               "ignore_above": 1024,
               "type": "keyword"
+            },
+            "service": {
+              "properties": {
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
             }
           }
         }
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index aca54a4756..d31d592579 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -476,6 +476,17 @@
       ignore_above: 1024
       description: Region in which this host is running.
       example: us-east-1
+    - name: service.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The cloud service name is intended to distinguish services running
+        on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs
+        App Engine, Azure VM vs App Server.
+
+        Examples: app engine, app service, cloud run, fargate, lambda.'
+      example: lambda
+      default_field: false
   - name: code_signature
     title: Code Signature
     group: 2
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index b6d222e2b4..0d13e795b4 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -54,6 +54,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name.
 1.9.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider.
 1.9.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running.
+1.9.0-dev,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name.
 1.9.0-dev,true,container,container.id,keyword,core,,,Unique container id.
 1.9.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on.
 1.9.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags.
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index eed7fb34ad..73efa64c18 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -643,6 +643,21 @@ cloud.region:
   normalize: []
   short: Region in which this host is running.
   type: keyword
+cloud.service.name:
+  dashed_name: cloud-service-name
+  description: 'The cloud service name is intended to distinguish services running
+    on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App
+    Engine, Azure VM vs App Server.
+
+    Examples: app engine, app service, cloud run, fargate, lambda.'
+  example: lambda
+  flat_name: cloud.service.name
+  ignore_above: 1024
+  level: extended
+  name: service.name
+  normalize: []
+  short: The cloud service name.
+  type: keyword
 container.id:
   dashed_name: container-id
   description: Unique container id.
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index a78c8b1774..1461638964 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -814,6 +814,21 @@ cloud:
       normalize: []
       short: Region in which this host is running.
       type: keyword
+    cloud.service.name:
+      dashed_name: cloud-service-name
+      description: 'The cloud service name is intended to distinguish services running
+        on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs
+        App Engine, Azure VM vs App Server.
+
+        Examples: app engine, app service, cloud run, fargate, lambda.'
+      example: lambda
+      flat_name: cloud.service.name
+      ignore_above: 1024
+      level: extended
+      name: service.name
+      normalize: []
+      short: The cloud service name.
+      type: keyword
   footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from
     its host, the cloud info contains the data about this machine. If Metricbeat runs
     on a remote machine outside the cloud and fetches data from a service running
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json
index 248a06ed55..6b84ad5897 100644
--- a/generated/elasticsearch/6/template.json
+++ b/generated/elasticsearch/6/template.json
@@ -278,6 +278,14 @@
             "region": {
               "ignore_above": 1024,
               "type": "keyword"
+            },
+            "service": {
+              "properties": {
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
             }
           }
         },
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json
index 87007a70f3..2f02eb6e41 100644
--- a/generated/elasticsearch/7/template.json
+++ b/generated/elasticsearch/7/template.json
@@ -269,6 +269,14 @@
           "region": {
             "ignore_above": 1024,
             "type": "keyword"
+          },
+          "service": {
+            "properties": {
+              "name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
           }
         }
       },
diff --git a/generated/elasticsearch/component/cloud.json b/generated/elasticsearch/component/cloud.json
index b13150c6a0..f106357123 100644
--- a/generated/elasticsearch/component/cloud.json
+++ b/generated/elasticsearch/component/cloud.json
@@ -63,6 +63,14 @@
             "region": {
               "ignore_above": 1024,
               "type": "keyword"
+            },
+            "service": {
+              "properties": {
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
             }
           }
         }
diff --git a/schemas/cloud.yml b/schemas/cloud.yml
index 0789feb79a..789b2d7485 100644
--- a/schemas/cloud.yml
+++ b/schemas/cloud.yml
@@ -80,6 +80,18 @@
 
         Examples: AWS account name, Google Cloud ORG display name.
 
+    - name: service.name
+      level: extended
+      type: keyword
+      example: lambda
+      short: The cloud service name.
+      description: >
+        The cloud service name is intended to distinguish services running on
+        different platforms within a provider, eg AWS EC2 vs Lambda,
+        GCP GCE vs App Engine, Azure VM vs App Server.
+
+        Examples: app engine, app service, cloud run, fargate, lambda.
+
     - name: project.id
       level: extended
       type: keyword

From a487613e26fa1a00cf83f25bedccf37cee285960 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Fri, 15 Jan 2021 12:57:12 -0600
Subject: [PATCH 70/90] [1.x] Add ssdeep hash (#1169) (#1227)

Co-authored-by: Andrew Stucki <andrew.stucki@elastic.co>
---
 CHANGELOG.next.md                             |  1 +
 code/go/ecs/hash.go                           |  9 ++-
 docs/field-details.asciidoc                   | 20 +++++-
 experimental/generated/beats/fields.ecs.yml   | 39 +++++++++++-
 experimental/generated/csv/fields.csv         |  4 ++
 experimental/generated/ecs/ecs_flat.yml       | 44 +++++++++++++
 experimental/generated/ecs/ecs_nested.yml     | 63 ++++++++++++++++++-
 .../generated/elasticsearch/7/template.json   | 16 +++++
 .../elasticsearch/component/dll.json          |  4 ++
 .../elasticsearch/component/file.json         |  4 ++
 .../elasticsearch/component/process.json      |  8 +++
 generated/beats/fields.ecs.yml                | 39 +++++++++++-
 generated/csv/fields.csv                      |  4 ++
 generated/ecs/ecs_flat.yml                    | 44 +++++++++++++
 generated/ecs/ecs_nested.yml                  | 63 ++++++++++++++++++-
 generated/elasticsearch/6/template.json       | 16 +++++
 generated/elasticsearch/7/template.json       | 16 +++++
 generated/elasticsearch/component/dll.json    |  4 ++
 generated/elasticsearch/component/file.json   |  4 ++
 .../elasticsearch/component/process.json      |  8 +++
 schemas/hash.yml                              | 11 +++-
 21 files changed, 410 insertions(+), 11 deletions(-)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 7abb10dbfb..9baec5b634 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -19,6 +19,7 @@ Thanks, you're awesome :-) -->
 
 * Added `http.request.id`. #1208
 * Added `cloud.service.name`. #1204
+* Added `hash.ssdeep`. #1169
 
 #### Improvements
 
diff --git a/code/go/ecs/hash.go b/code/go/ecs/hash.go
index 070b4256cc..aa9354c759 100644
--- a/code/go/ecs/hash.go
+++ b/code/go/ecs/hash.go
@@ -19,10 +19,14 @@
 
 package ecs
 
-// The hash fields represent different hash algorithms and their values.
+// The hash fields represent different bitwise hash algorithms and their
+// values.
 // Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields
 // for other hashes by lowercasing the hash algorithm name and using underscore
 // separators as appropriate (snake case, e.g. sha3_512).
+// Note that this fieldset is used for common hashes that may be computed over
+// a range of generic bytes. Entity-specific hashes such as ja3 or imphash are
+// placed in the fieldsets to which they relate (tls and pe, respectively).
 type Hash struct {
 	// MD5 hash.
 	Md5 string `ecs:"md5"`
@@ -35,4 +39,7 @@ type Hash struct {
 
 	// SHA512 hash.
 	Sha512 string `ecs:"sha512"`
+
+	// SSDEEP hash.
+	Ssdeep string `ecs:"ssdeep"`
 }
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index eb72c4aa44..efacab4e1b 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -3023,10 +3023,12 @@ Note also that the `group` fields may be used directly at the root of the events
 [[ecs-hash]]
 === Hash Fields
 
-The hash fields represent different hash algorithms and their values.
+The hash fields represent different bitwise hash algorithms and their values.
 
 Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512).
 
+Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively).
+
 [discrete]
 ==== Hash Field Details
 
@@ -3096,6 +3098,22 @@ type: keyword
 
 
 
+| extended
+
+// ===============================================================
+
+|
+[[field-hash-ssdeep]]
+<<field-hash-ssdeep, hash.ssdeep>>
+
+| SSDEEP hash.
+
+type: keyword
+
+
+
+
+
 | extended
 
 // ===============================================================
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index e687969bf8..23727e859f 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -951,6 +951,12 @@
       ignore_above: 1024
       description: SHA512 hash.
       default_field: false
+    - name: hash.ssdeep
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SSDEEP hash.
+      default_field: false
     - name: name
       level: core
       type: keyword
@@ -1682,6 +1688,12 @@
       type: keyword
       ignore_above: 1024
       description: SHA512 hash.
+    - name: hash.ssdeep
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SSDEEP hash.
+      default_field: false
     - name: inode
       level: extended
       type: keyword
@@ -2068,11 +2080,16 @@
   - name: hash
     title: Hash
     group: 2
-    description: 'The hash fields represent different hash algorithms and their values.
+    description: 'The hash fields represent different bitwise hash algorithms and
+      their values.
 
       Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for
       other hashes by lowercasing the hash algorithm name and using underscore separators
-      as appropriate (snake case, e.g. sha3_512).'
+      as appropriate (snake case, e.g. sha3_512).
+
+      Note that this fieldset is used for common hashes that may be computed over
+      a range of generic bytes. Entity-specific hashes such as ja3 or imphash are
+      placed in the fieldsets to which they relate (tls and pe, respectively).'
     type: group
     fields:
     - name: md5
@@ -2095,6 +2112,12 @@
       type: keyword
       ignore_above: 1024
       description: SHA512 hash.
+    - name: ssdeep
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SSDEEP hash.
+      default_field: false
   - name: host
     title: Host
     group: 2
@@ -3500,6 +3523,12 @@
       type: keyword
       ignore_above: 1024
       description: SHA512 hash.
+    - name: hash.ssdeep
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SSDEEP hash.
+      default_field: false
     - name: name
       level: extended
       type: wildcard
@@ -3645,6 +3674,12 @@
       ignore_above: 1024
       description: SHA512 hash.
       default_field: false
+    - name: parent.hash.ssdeep
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SSDEEP hash.
+      default_field: false
     - name: parent.name
       level: extended
       type: wildcard
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
index bb4d0bf393..d7cded544d 100644
--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -108,6 +108,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash.
 1.9.0-dev+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash.
 1.9.0-dev+exp,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash.
+1.9.0-dev+exp,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash.
 1.9.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library.
 1.9.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library.
 1.9.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
@@ -186,6 +187,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash.
 1.9.0-dev+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash.
 1.9.0-dev+exp,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash.
+1.9.0-dev+exp,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash.
 1.9.0-dev+exp,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
 1.9.0-dev+exp,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
 1.9.0-dev+exp,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation.
@@ -395,6 +397,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash.
 1.9.0-dev+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash.
 1.9.0-dev+exp,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash.
+1.9.0-dev+exp,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash.
 1.9.0-dev+exp,true,process,process.name,wildcard,extended,,ssh,Process name.
 1.9.0-dev+exp,true,process,process.name.text,text,extended,,ssh,Process name.
 1.9.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
@@ -414,6 +417,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash.
 1.9.0-dev+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash.
 1.9.0-dev+exp,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash.
+1.9.0-dev+exp,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash.
 1.9.0-dev+exp,true,process,process.parent.name,wildcard,extended,,ssh,Process name.
 1.9.0-dev+exp,true,process,process.parent.name.text,text,extended,,ssh,Process name.
 1.9.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index 712c63c9a5..ce8874fbe8 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -1298,6 +1298,17 @@ dll.hash.sha512:
   original_fieldset: hash
   short: SHA512 hash.
   type: keyword
+dll.hash.ssdeep:
+  dashed_name: dll-hash-ssdeep
+  description: SSDEEP hash.
+  flat_name: dll.hash.ssdeep
+  ignore_above: 1024
+  level: extended
+  name: ssdeep
+  normalize: []
+  original_fieldset: hash
+  short: SSDEEP hash.
+  type: keyword
 dll.name:
   dashed_name: dll-name
   description: 'Name of the library.
@@ -2722,6 +2733,17 @@ file.hash.sha512:
   original_fieldset: hash
   short: SHA512 hash.
   type: keyword
+file.hash.ssdeep:
+  dashed_name: file-hash-ssdeep
+  description: SSDEEP hash.
+  flat_name: file.hash.ssdeep
+  ignore_above: 1024
+  level: extended
+  name: ssdeep
+  normalize: []
+  original_fieldset: hash
+  short: SSDEEP hash.
+  type: keyword
 file.inode:
   dashed_name: file-inode
   description: Inode representing the file in the filesystem.
@@ -5283,6 +5305,17 @@ process.hash.sha512:
   original_fieldset: hash
   short: SHA512 hash.
   type: keyword
+process.hash.ssdeep:
+  dashed_name: process-hash-ssdeep
+  description: SSDEEP hash.
+  flat_name: process.hash.ssdeep
+  ignore_above: 1024
+  level: extended
+  name: ssdeep
+  normalize: []
+  original_fieldset: hash
+  short: SSDEEP hash.
+  type: keyword
 process.name:
   beta: Note the usage of `wildcard` type is considered beta. This field used to be
     type `keyword`.
@@ -5518,6 +5551,17 @@ process.parent.hash.sha512:
   original_fieldset: hash
   short: SHA512 hash.
   type: keyword
+process.parent.hash.ssdeep:
+  dashed_name: process-parent-hash-ssdeep
+  description: SSDEEP hash.
+  flat_name: process.parent.hash.ssdeep
+  ignore_above: 1024
+  level: extended
+  name: ssdeep
+  normalize: []
+  original_fieldset: hash
+  short: SSDEEP hash.
+  type: keyword
 process.parent.name:
   beta: Note the usage of `wildcard` type is considered beta. This field used to be
     type `keyword`.
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index 9016fe8641..fcd725bb6b 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -1644,6 +1644,17 @@ dll:
       original_fieldset: hash
       short: SHA512 hash.
       type: keyword
+    dll.hash.ssdeep:
+      dashed_name: dll-hash-ssdeep
+      description: SSDEEP hash.
+      flat_name: dll.hash.ssdeep
+      ignore_above: 1024
+      level: extended
+      name: ssdeep
+      normalize: []
+      original_fieldset: hash
+      short: SSDEEP hash.
+      type: keyword
     dll.name:
       dashed_name: dll-name
       description: 'Name of the library.
@@ -3170,6 +3181,17 @@ file:
       original_fieldset: hash
       short: SHA512 hash.
       type: keyword
+    file.hash.ssdeep:
+      dashed_name: file-hash-ssdeep
+      description: SSDEEP hash.
+      flat_name: file.hash.ssdeep
+      ignore_above: 1024
+      level: extended
+      name: ssdeep
+      normalize: []
+      original_fieldset: hash
+      short: SSDEEP hash.
+      type: keyword
     file.inode:
       dashed_name: file-inode
       description: Inode representing the file in the filesystem.
@@ -3902,11 +3924,16 @@ group:
   title: Group
   type: group
 hash:
-  description: 'The hash fields represent different hash algorithms and their values.
+  description: 'The hash fields represent different bitwise hash algorithms and their
+    values.
 
     Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for
     other hashes by lowercasing the hash algorithm name and using underscore separators
-    as appropriate (snake case, e.g. sha3_512).'
+    as appropriate (snake case, e.g. sha3_512).
+
+    Note that this fieldset is used for common hashes that may be computed over a
+    range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed
+    in the fieldsets to which they relate (tls and pe, respectively).'
   fields:
     hash.md5:
       dashed_name: hash-md5
@@ -3948,6 +3975,16 @@ hash:
       normalize: []
       short: SHA512 hash.
       type: keyword
+    hash.ssdeep:
+      dashed_name: hash-ssdeep
+      description: SSDEEP hash.
+      flat_name: hash.ssdeep
+      ignore_above: 1024
+      level: extended
+      name: ssdeep
+      normalize: []
+      short: SSDEEP hash.
+      type: keyword
   group: 2
   name: hash
   prefix: hash.
@@ -6379,6 +6416,17 @@ process:
       original_fieldset: hash
       short: SHA512 hash.
       type: keyword
+    process.hash.ssdeep:
+      dashed_name: process-hash-ssdeep
+      description: SSDEEP hash.
+      flat_name: process.hash.ssdeep
+      ignore_above: 1024
+      level: extended
+      name: ssdeep
+      normalize: []
+      original_fieldset: hash
+      short: SSDEEP hash.
+      type: keyword
     process.name:
       beta: Note the usage of `wildcard` type is considered beta. This field used
         to be type `keyword`.
@@ -6614,6 +6662,17 @@ process:
       original_fieldset: hash
       short: SHA512 hash.
       type: keyword
+    process.parent.hash.ssdeep:
+      dashed_name: process-parent-hash-ssdeep
+      description: SSDEEP hash.
+      flat_name: process.parent.hash.ssdeep
+      ignore_above: 1024
+      level: extended
+      name: ssdeep
+      normalize: []
+      original_fieldset: hash
+      short: SSDEEP hash.
+      type: keyword
     process.parent.name:
       beta: Note the usage of `wildcard` type is considered beta. This field used
         to be type `keyword`.
diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json
index 1582968a6f..aebee4c182 100644
--- a/experimental/generated/elasticsearch/7/template.json
+++ b/experimental/generated/elasticsearch/7/template.json
@@ -523,6 +523,10 @@
               "sha512": {
                 "ignore_above": 1024,
                 "type": "keyword"
+              },
+              "ssdeep": {
+                "ignore_above": 1024,
+                "type": "keyword"
               }
             }
           },
@@ -853,6 +857,10 @@
               "sha512": {
                 "ignore_above": 1024,
                 "type": "keyword"
+              },
+              "ssdeep": {
+                "ignore_above": 1024,
+                "type": "keyword"
               }
             }
           },
@@ -1843,6 +1851,10 @@
               "sha512": {
                 "ignore_above": 1024,
                 "type": "keyword"
+              },
+              "ssdeep": {
+                "ignore_above": 1024,
+                "type": "keyword"
               }
             }
           },
@@ -1927,6 +1939,10 @@
                   "sha512": {
                     "ignore_above": 1024,
                     "type": "keyword"
+                  },
+                  "ssdeep": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
                   }
                 }
               },
diff --git a/experimental/generated/elasticsearch/component/dll.json b/experimental/generated/elasticsearch/component/dll.json
index 7491296fa2..f791052452 100644
--- a/experimental/generated/elasticsearch/component/dll.json
+++ b/experimental/generated/elasticsearch/component/dll.json
@@ -46,6 +46,10 @@
                 "sha512": {
                   "ignore_above": 1024,
                   "type": "keyword"
+                },
+                "ssdeep": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 }
               }
             },
diff --git a/experimental/generated/elasticsearch/component/file.json b/experimental/generated/elasticsearch/component/file.json
index 58379893c1..0ae17a7b92 100644
--- a/experimental/generated/elasticsearch/component/file.json
+++ b/experimental/generated/elasticsearch/component/file.json
@@ -82,6 +82,10 @@
                 "sha512": {
                   "ignore_above": 1024,
                   "type": "keyword"
+                },
+                "ssdeep": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 }
               }
             },
diff --git a/experimental/generated/elasticsearch/component/process.json b/experimental/generated/elasticsearch/component/process.json
index 9fad9bcc0c..ed0330dafa 100644
--- a/experimental/generated/elasticsearch/component/process.json
+++ b/experimental/generated/elasticsearch/component/process.json
@@ -78,6 +78,10 @@
                 "sha512": {
                   "ignore_above": 1024,
                   "type": "keyword"
+                },
+                "ssdeep": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 }
               }
             },
@@ -162,6 +166,10 @@
                     "sha512": {
                       "ignore_above": 1024,
                       "type": "keyword"
+                    },
+                    "ssdeep": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
                     }
                   }
                 },
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index d31d592579..75b3f4a862 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -899,6 +899,12 @@
       ignore_above: 1024
       description: SHA512 hash.
       default_field: false
+    - name: hash.ssdeep
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SSDEEP hash.
+      default_field: false
     - name: name
       level: core
       type: keyword
@@ -1630,6 +1636,12 @@
       type: keyword
       ignore_above: 1024
       description: SHA512 hash.
+    - name: hash.ssdeep
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SSDEEP hash.
+      default_field: false
     - name: inode
       level: extended
       type: keyword
@@ -2016,11 +2028,16 @@
   - name: hash
     title: Hash
     group: 2
-    description: 'The hash fields represent different hash algorithms and their values.
+    description: 'The hash fields represent different bitwise hash algorithms and
+      their values.
 
       Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for
       other hashes by lowercasing the hash algorithm name and using underscore separators
-      as appropriate (snake case, e.g. sha3_512).'
+      as appropriate (snake case, e.g. sha3_512).
+
+      Note that this fieldset is used for common hashes that may be computed over
+      a range of generic bytes. Entity-specific hashes such as ja3 or imphash are
+      placed in the fieldsets to which they relate (tls and pe, respectively).'
     type: group
     fields:
     - name: md5
@@ -2043,6 +2060,12 @@
       type: keyword
       ignore_above: 1024
       description: SHA512 hash.
+    - name: ssdeep
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SSDEEP hash.
+      default_field: false
   - name: host
     title: Host
     group: 2
@@ -3402,6 +3425,12 @@
       type: keyword
       ignore_above: 1024
       description: SHA512 hash.
+    - name: hash.ssdeep
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SSDEEP hash.
+      default_field: false
     - name: name
       level: extended
       type: wildcard
@@ -3547,6 +3576,12 @@
       ignore_above: 1024
       description: SHA512 hash.
       default_field: false
+    - name: parent.hash.ssdeep
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SSDEEP hash.
+      default_field: false
     - name: parent.name
       level: extended
       type: wildcard
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index 0d13e795b4..68c90ecb74 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -105,6 +105,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash.
 1.9.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash.
 1.9.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash.
+1.9.0-dev,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash.
 1.9.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library.
 1.9.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library.
 1.9.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
@@ -183,6 +184,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash.
 1.9.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash.
 1.9.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash.
+1.9.0-dev,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash.
 1.9.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
 1.9.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
 1.9.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation.
@@ -385,6 +387,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash.
 1.9.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash.
 1.9.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash.
+1.9.0-dev,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash.
 1.9.0-dev,true,process,process.name,wildcard,extended,,ssh,Process name.
 1.9.0-dev,true,process,process.name.text,text,extended,,ssh,Process name.
 1.9.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
@@ -404,6 +407,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash.
 1.9.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash.
 1.9.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash.
+1.9.0-dev,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash.
 1.9.0-dev,true,process,process.parent.name,wildcard,extended,,ssh,Process name.
 1.9.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name.
 1.9.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index 73efa64c18..f30e8aced4 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -1252,6 +1252,17 @@ dll.hash.sha512:
   original_fieldset: hash
   short: SHA512 hash.
   type: keyword
+dll.hash.ssdeep:
+  dashed_name: dll-hash-ssdeep
+  description: SSDEEP hash.
+  flat_name: dll.hash.ssdeep
+  ignore_above: 1024
+  level: extended
+  name: ssdeep
+  normalize: []
+  original_fieldset: hash
+  short: SSDEEP hash.
+  type: keyword
 dll.name:
   dashed_name: dll-name
   description: 'Name of the library.
@@ -2676,6 +2687,17 @@ file.hash.sha512:
   original_fieldset: hash
   short: SHA512 hash.
   type: keyword
+file.hash.ssdeep:
+  dashed_name: file-hash-ssdeep
+  description: SSDEEP hash.
+  flat_name: file.hash.ssdeep
+  ignore_above: 1024
+  level: extended
+  name: ssdeep
+  normalize: []
+  original_fieldset: hash
+  short: SSDEEP hash.
+  type: keyword
 file.inode:
   dashed_name: file-inode
   description: Inode representing the file in the filesystem.
@@ -5163,6 +5185,17 @@ process.hash.sha512:
   original_fieldset: hash
   short: SHA512 hash.
   type: keyword
+process.hash.ssdeep:
+  dashed_name: process-hash-ssdeep
+  description: SSDEEP hash.
+  flat_name: process.hash.ssdeep
+  ignore_above: 1024
+  level: extended
+  name: ssdeep
+  normalize: []
+  original_fieldset: hash
+  short: SSDEEP hash.
+  type: keyword
 process.name:
   beta: Note the usage of `wildcard` type is considered beta. This field used to be
     type `keyword`.
@@ -5398,6 +5431,17 @@ process.parent.hash.sha512:
   original_fieldset: hash
   short: SHA512 hash.
   type: keyword
+process.parent.hash.ssdeep:
+  dashed_name: process-parent-hash-ssdeep
+  description: SSDEEP hash.
+  flat_name: process.parent.hash.ssdeep
+  ignore_above: 1024
+  level: extended
+  name: ssdeep
+  normalize: []
+  original_fieldset: hash
+  short: SSDEEP hash.
+  type: keyword
 process.parent.name:
   beta: Note the usage of `wildcard` type is considered beta. This field used to be
     type `keyword`.
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index 1461638964..8c15d879d4 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -1575,6 +1575,17 @@ dll:
       original_fieldset: hash
       short: SHA512 hash.
       type: keyword
+    dll.hash.ssdeep:
+      dashed_name: dll-hash-ssdeep
+      description: SSDEEP hash.
+      flat_name: dll.hash.ssdeep
+      ignore_above: 1024
+      level: extended
+      name: ssdeep
+      normalize: []
+      original_fieldset: hash
+      short: SSDEEP hash.
+      type: keyword
     dll.name:
       dashed_name: dll-name
       description: 'Name of the library.
@@ -3101,6 +3112,17 @@ file:
       original_fieldset: hash
       short: SHA512 hash.
       type: keyword
+    file.hash.ssdeep:
+      dashed_name: file-hash-ssdeep
+      description: SSDEEP hash.
+      flat_name: file.hash.ssdeep
+      ignore_above: 1024
+      level: extended
+      name: ssdeep
+      normalize: []
+      original_fieldset: hash
+      short: SSDEEP hash.
+      type: keyword
     file.inode:
       dashed_name: file-inode
       description: Inode representing the file in the filesystem.
@@ -3833,11 +3855,16 @@ group:
   title: Group
   type: group
 hash:
-  description: 'The hash fields represent different hash algorithms and their values.
+  description: 'The hash fields represent different bitwise hash algorithms and their
+    values.
 
     Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for
     other hashes by lowercasing the hash algorithm name and using underscore separators
-    as appropriate (snake case, e.g. sha3_512).'
+    as appropriate (snake case, e.g. sha3_512).
+
+    Note that this fieldset is used for common hashes that may be computed over a
+    range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed
+    in the fieldsets to which they relate (tls and pe, respectively).'
   fields:
     hash.md5:
       dashed_name: hash-md5
@@ -3879,6 +3906,16 @@ hash:
       normalize: []
       short: SHA512 hash.
       type: keyword
+    hash.ssdeep:
+      dashed_name: hash-ssdeep
+      description: SSDEEP hash.
+      flat_name: hash.ssdeep
+      ignore_above: 1024
+      level: extended
+      name: ssdeep
+      normalize: []
+      short: SSDEEP hash.
+      type: keyword
   group: 2
   name: hash
   prefix: hash.
@@ -6236,6 +6273,17 @@ process:
       original_fieldset: hash
       short: SHA512 hash.
       type: keyword
+    process.hash.ssdeep:
+      dashed_name: process-hash-ssdeep
+      description: SSDEEP hash.
+      flat_name: process.hash.ssdeep
+      ignore_above: 1024
+      level: extended
+      name: ssdeep
+      normalize: []
+      original_fieldset: hash
+      short: SSDEEP hash.
+      type: keyword
     process.name:
       beta: Note the usage of `wildcard` type is considered beta. This field used
         to be type `keyword`.
@@ -6471,6 +6519,17 @@ process:
       original_fieldset: hash
       short: SHA512 hash.
       type: keyword
+    process.parent.hash.ssdeep:
+      dashed_name: process-parent-hash-ssdeep
+      description: SSDEEP hash.
+      flat_name: process.parent.hash.ssdeep
+      ignore_above: 1024
+      level: extended
+      name: ssdeep
+      normalize: []
+      original_fieldset: hash
+      short: SSDEEP hash.
+      type: keyword
     process.parent.name:
       beta: Note the usage of `wildcard` type is considered beta. This field used
         to be type `keyword`.
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json
index 6b84ad5897..5d91ba5198 100644
--- a/generated/elasticsearch/6/template.json
+++ b/generated/elasticsearch/6/template.json
@@ -526,6 +526,10 @@
                 "sha512": {
                   "ignore_above": 1024,
                   "type": "keyword"
+                },
+                "ssdeep": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 }
               }
             },
@@ -864,6 +868,10 @@
                 "sha512": {
                   "ignore_above": 1024,
                   "type": "keyword"
+                },
+                "ssdeep": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 }
               }
             },
@@ -1827,6 +1835,10 @@
                 "sha512": {
                   "ignore_above": 1024,
                   "type": "keyword"
+                },
+                "ssdeep": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 }
               }
             },
@@ -1914,6 +1926,10 @@
                     "sha512": {
                       "ignore_above": 1024,
                       "type": "keyword"
+                    },
+                    "ssdeep": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
                     }
                   }
                 },
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json
index 2f02eb6e41..85c3f90970 100644
--- a/generated/elasticsearch/7/template.json
+++ b/generated/elasticsearch/7/template.json
@@ -510,6 +510,10 @@
               "sha512": {
                 "ignore_above": 1024,
                 "type": "keyword"
+              },
+              "ssdeep": {
+                "ignore_above": 1024,
+                "type": "keyword"
               }
             }
           },
@@ -840,6 +844,10 @@
               "sha512": {
                 "ignore_above": 1024,
                 "type": "keyword"
+              },
+              "ssdeep": {
+                "ignore_above": 1024,
+                "type": "keyword"
               }
             }
           },
@@ -1780,6 +1788,10 @@
               "sha512": {
                 "ignore_above": 1024,
                 "type": "keyword"
+              },
+              "ssdeep": {
+                "ignore_above": 1024,
+                "type": "keyword"
               }
             }
           },
@@ -1864,6 +1876,10 @@
                   "sha512": {
                     "ignore_above": 1024,
                     "type": "keyword"
+                  },
+                  "ssdeep": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
                   }
                 }
               },
diff --git a/generated/elasticsearch/component/dll.json b/generated/elasticsearch/component/dll.json
index 8e878c310e..5c4ff06d3f 100644
--- a/generated/elasticsearch/component/dll.json
+++ b/generated/elasticsearch/component/dll.json
@@ -46,6 +46,10 @@
                 "sha512": {
                   "ignore_above": 1024,
                   "type": "keyword"
+                },
+                "ssdeep": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 }
               }
             },
diff --git a/generated/elasticsearch/component/file.json b/generated/elasticsearch/component/file.json
index a2f17562f9..10b9ed8f62 100644
--- a/generated/elasticsearch/component/file.json
+++ b/generated/elasticsearch/component/file.json
@@ -82,6 +82,10 @@
                 "sha512": {
                   "ignore_above": 1024,
                   "type": "keyword"
+                },
+                "ssdeep": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 }
               }
             },
diff --git a/generated/elasticsearch/component/process.json b/generated/elasticsearch/component/process.json
index 60ad49260b..f214a3c6bd 100644
--- a/generated/elasticsearch/component/process.json
+++ b/generated/elasticsearch/component/process.json
@@ -78,6 +78,10 @@
                 "sha512": {
                   "ignore_above": 1024,
                   "type": "keyword"
+                },
+                "ssdeep": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 }
               }
             },
@@ -162,6 +166,10 @@
                     "sha512": {
                       "ignore_above": 1024,
                       "type": "keyword"
+                    },
+                    "ssdeep": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
                     }
                   }
                 },
diff --git a/schemas/hash.yml b/schemas/hash.yml
index cc44dfcc8b..77aeb29a5d 100644
--- a/schemas/hash.yml
+++ b/schemas/hash.yml
@@ -5,12 +5,16 @@
   type: group
   short: Hashes, usually file hashes.
   description: >
-    The hash fields represent different hash algorithms and their values.
+    The hash fields represent different bitwise hash algorithms and their values.
 
     Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes
     by lowercasing the hash algorithm name and using underscore separators as appropriate
     (snake case, e.g. sha3_512).
 
+    Note that this fieldset is used for common hashes that may be computed
+    over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are
+    placed in the fieldsets to which they relate (tls and pe, respectively).
+
   reusable:
     top_level: false
     expected:
@@ -39,3 +43,8 @@
       level: extended
       type: keyword
       description: SHA512 hash.
+
+    - name: ssdeep
+      level: extended
+      type: keyword
+      description: SSDEEP hash.

From bc1f9af3f51d363228f24f3ab6b5b9685fe0f1e4 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Fri, 29 Jan 2021 11:55:54 -0600
Subject: [PATCH 71/90] [CI] Switch to GitHub actions (#1236) (#1245)

Co-authored-by: Eric Beahan <ebeahan@gmail.com>

Co-authored-by: Andrew Stucki <andrew.stucki@elastic.co>
---
 .github/workflows/test.yml | 19 +++++++++++++++++++
 .travis.yml                | 29 -----------------------------
 2 files changed, 19 insertions(+), 29 deletions(-)
 create mode 100644 .github/workflows/test.yml
 delete mode 100644 .travis.yml

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 0000000000..0e4a5703f9
--- /dev/null
+++ b/.github/workflows/test.yml
@@ -0,0 +1,19 @@
+name: Tests
+
+on: [push, pull_request]
+
+jobs:
+  tests:
+    runs-on: ubuntu-20.04
+    name: Unit Tests
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-go@v2
+        with:
+          go-version: '^1.13.1'
+      - uses: actions/setup-python@v2
+        with:
+          python-version: '3.x'
+      - run: git fetch --prune --unshallow --tags
+      - run: make setup
+      - run: make check
diff --git a/.travis.yml b/.travis.yml
deleted file mode 100644
index a56a30a073..0000000000
--- a/.travis.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-sudo: false
-
-language: go
-
-os:
-- linux
-
-dist: bionic
-
-go:
-- 1.13.x
-
-install:
-- git fetch --tags --all
-- make setup
-
-addons:
-  apt:
-    update: true
-    packages:
-      - libxml2-utils
-      - python3-venv
-      - xsltproc
-
-jobs:
-  include:
-    - stage: check
-      script:
-      - make check

From 30e4a1081b8f26760cd818aed9128e81be030ad4 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Fri, 29 Jan 2021 12:08:49 -0600
Subject: [PATCH 72/90] Revert wildcard adoption back to experimental stage
 (#1235) (#1243)

---
 CHANGELOG.next.md                             |   1 -
 docs/field-details.asciidoc                   | 312 ++++------
 experimental/generated/ecs/ecs_flat.yml       | 202 -------
 experimental/generated/ecs/ecs_nested.yml     | 216 -------
 experimental/schemas/agent.yml                |   5 +
 experimental/schemas/as.yml                   |   5 +
 experimental/schemas/client.yml               |   7 +
 experimental/schemas/destination.yml          |   7 +
 experimental/schemas/dns.yml                  |   9 +
 experimental/schemas/error.yml                |   9 +
 experimental/schemas/file.yml                 |   9 +
 experimental/schemas/geo.yml                  |   5 +
 experimental/schemas/host.yml                 |   3 +
 experimental/schemas/http.yml                 |   9 +
 experimental/schemas/log.yml                  |   7 +
 experimental/schemas/organization.yml         |   5 +
 experimental/schemas/os.yml                   |   7 +
 experimental/schemas/pe.yml                   |   5 +
 experimental/schemas/process.yml              |  15 +
 experimental/schemas/registry.yml             |   9 +
 experimental/schemas/server.yml               |   7 +
 experimental/schemas/source.yml               |   7 +
 experimental/schemas/tls.yml                  |  11 +
 experimental/schemas/url.yml                  |  13 +
 experimental/schemas/user.yml                 |   9 +
 experimental/schemas/user_agent.yml           |   5 +
 experimental/schemas/x509.yml                 |   7 +
 generated/beats/fields.ecs.yml                | 325 +++++++----
 generated/csv/fields.csv                      | 204 +++----
 generated/ecs/ecs_flat.yml                    | 507 +++++++---------
 generated/ecs/ecs_nested.yml                  | 542 +++++++-----------
 generated/elasticsearch/7/template.json       | 305 ++++++----
 generated/elasticsearch/component/agent.json  |   3 +-
 generated/elasticsearch/component/client.json |  21 +-
 .../elasticsearch/component/destination.json  |  21 +-
 generated/elasticsearch/component/dll.json    |   3 +-
 generated/elasticsearch/component/dns.json    |   6 +-
 generated/elasticsearch/component/error.json  |   8 +-
 generated/elasticsearch/component/file.json   |  18 +-
 generated/elasticsearch/component/host.json   |  21 +-
 generated/elasticsearch/component/http.json   |   9 +-
 generated/elasticsearch/component/log.json    |   6 +-
 .../elasticsearch/component/observer.json     |   9 +-
 .../elasticsearch/component/organization.json |   3 +-
 .../elasticsearch/component/process.json      |  42 +-
 .../elasticsearch/component/registry.json     |   9 +-
 generated/elasticsearch/component/server.json |  21 +-
 generated/elasticsearch/component/source.json |  21 +-
 generated/elasticsearch/component/tls.json    |  24 +-
 generated/elasticsearch/component/url.json    |  15 +-
 generated/elasticsearch/component/user.json   |  36 +-
 .../elasticsearch/component/user_agent.json   |   9 +-
 schemas/agent.yml                             |   3 +-
 schemas/as.yml                                |   3 +-
 schemas/client.yml                            |   6 +-
 schemas/destination.yml                       |   6 +-
 schemas/dns.yml                               |   6 +-
 schemas/error.yml                             |   7 +-
 schemas/file.yml                              |   9 +-
 schemas/geo.yml                               |   3 +-
 schemas/host.yml                              |   3 +-
 schemas/http.yml                              |  13 +-
 schemas/log.yml                               |   6 +-
 schemas/organization.yml                      |   3 +-
 schemas/os.yml                                |   6 +-
 schemas/pe.yml                                |   3 +-
 schemas/process.yml                           |  18 +-
 schemas/registry.yml                          |   9 +-
 schemas/server.yml                            |   6 +-
 schemas/source.yml                            |   6 +-
 schemas/tls.yml                               |  12 +-
 schemas/url.yml                               |  15 +-
 schemas/user.yml                              |   9 +-
 schemas/user_agent.yml                        |   3 +-
 schemas/x509.yml                              |   6 +-
 use-cases/auditbeat.md                        |   4 +-
 use-cases/filebeat-apache-access.md           |   4 +-
 use-cases/kubernetes.md                       |   2 +-
 use-cases/metricbeat.md                       |   2 +-
 use-cases/web-logs.md                         |   6 +-
 80 files changed, 1492 insertions(+), 1781 deletions(-)
 create mode 100644 experimental/schemas/agent.yml
 create mode 100644 experimental/schemas/as.yml
 create mode 100644 experimental/schemas/client.yml
 create mode 100644 experimental/schemas/destination.yml
 create mode 100644 experimental/schemas/dns.yml
 create mode 100644 experimental/schemas/error.yml
 create mode 100644 experimental/schemas/file.yml
 create mode 100644 experimental/schemas/geo.yml
 create mode 100644 experimental/schemas/http.yml
 create mode 100644 experimental/schemas/log.yml
 create mode 100644 experimental/schemas/organization.yml
 create mode 100644 experimental/schemas/os.yml
 create mode 100644 experimental/schemas/pe.yml
 create mode 100644 experimental/schemas/process.yml
 create mode 100644 experimental/schemas/registry.yml
 create mode 100644 experimental/schemas/server.yml
 create mode 100644 experimental/schemas/source.yml
 create mode 100644 experimental/schemas/tls.yml
 create mode 100644 experimental/schemas/url.yml
 create mode 100644 experimental/schemas/user.yml
 create mode 100644 experimental/schemas/user_agent.yml
 create mode 100644 experimental/schemas/x509.yml

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 9baec5b634..90e3574f3f 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -45,7 +45,6 @@ Thanks, you're awesome :-) -->
 #### Improvements
 
 * Event categorization fields GA. #1067
-* `wildcard` field type adoption. #1098
 * Note `[` and `]` bracket characters may enclose a literal IPv6 address when populating `url.domain`. #1131
 * Reinforce the exclusion of the leading dot from `url.extension`. #1151
 
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index efacab4e1b..b1d4dbe8be 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -115,13 +115,11 @@ Examples include Beats. Agents may also run on observers. ECS agent.* fields sha
 [[field-agent-build-original]]
 <<field-agent-build-original, agent.build.original>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-Extended build information for the agent.
+| Extended build information for the agent.
 
 This field is intended to contain any build information that a data source may provide, no specific formatting is required.
 
-type: wildcard
+type: keyword
 
 
 
@@ -257,11 +255,9 @@ example: `15169`
 [[field-as-organization-name]]
 <<field-as-organization-name, as.organization.name>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+| Organization name.
 
-Organization name.
-
-type: wildcard
+type: keyword
 
 Multi-fields:
 
@@ -345,11 +341,9 @@ example: `184`
 [[field-client-domain]]
 <<field-client-domain, client.domain>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+| Client domain.
 
-Client domain.
-
-type: wildcard
+type: keyword
 
 
 
@@ -463,15 +457,13 @@ type: long
 [[field-client-registered-domain]]
 <<field-client-registered-domain, client.registered_domain>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-The highest registered client domain, stripped of the subdomain.
+| The highest registered client domain, stripped of the subdomain.
 
 For example, the registered domain for "foo.example.com" is "example.com".
 
 This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
 
-type: wildcard
+type: keyword
 
 
 
@@ -1041,11 +1033,9 @@ example: `184`
 [[field-destination-domain]]
 <<field-destination-domain, destination.domain>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-Destination domain.
+| Destination domain.
 
-type: wildcard
+type: keyword
 
 
 
@@ -1159,15 +1149,13 @@ type: long
 [[field-destination-registered-domain]]
 <<field-destination-registered-domain, destination.registered_domain>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-The highest registered destination domain, stripped of the subdomain.
+| The highest registered destination domain, stripped of the subdomain.
 
 For example, the registered domain for "foo.example.com" is "example.com".
 
 This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
 
-type: wildcard
+type: keyword
 
 
 
@@ -1408,13 +1396,11 @@ example: `IN`
 [[field-dns-answers-data]]
 <<field-dns-answers-data, dns.answers.data>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-The data describing the resource.
+| The data describing the resource.
 
 The meaning of this data depends on the type and class of the resource record.
 
-type: wildcard
+type: keyword
 
 
 
@@ -1547,13 +1533,11 @@ example: `IN`
 [[field-dns-question-name]]
 <<field-dns-question-name, dns.question.name>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-The name being queried.
+| The name being queried.
 
 If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.
 
-type: wildcard
+type: keyword
 
 
 
@@ -1796,11 +1780,9 @@ type: text
 [[field-error-stack-trace]]
 <<field-error-stack-trace, error.stack_trace>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-The stack trace of this error in plain text.
+| The stack trace of this error in plain text.
 
-type: wildcard
+type: keyword
 
 Multi-fields:
 
@@ -1820,11 +1802,9 @@ Multi-fields:
 [[field-error-type]]
 <<field-error-type, error.type>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-The type of the error, for example the class name of the exception.
+| The type of the error, for example the class name of the exception.
 
-type: wildcard
+type: keyword
 
 
 
@@ -2461,11 +2441,9 @@ example: `sda`
 [[field-file-directory]]
 <<field-file-directory, file.directory>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+| Directory where the file is located. It should include the drive letter, when appropriate.
 
-Directory where the file is located. It should include the drive letter, when appropriate.
-
-type: wildcard
+type: keyword
 
 
 
@@ -2643,11 +2621,9 @@ example: `alice`
 [[field-file-path]]
 <<field-file-path, file.path>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-Full path to the file, including the file name. It should include the drive letter, when appropriate.
+| Full path to the file, including the file name. It should include the drive letter, when appropriate.
 
-type: wildcard
+type: keyword
 
 Multi-fields:
 
@@ -2685,11 +2661,9 @@ example: `16384`
 [[field-file-target-path]]
 <<field-file-target-path, file.target_path>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-Target path for symlinks.
+| Target path for symlinks.
 
-type: wildcard
+type: keyword
 
 Multi-fields:
 
@@ -2882,15 +2856,13 @@ example: `{ "lon": -73.614830, "lat": 45.505918 }`
 [[field-geo-name]]
 <<field-geo-name, geo.name>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-User-defined description of a location, at the level of granularity they care about.
+| User-defined description of a location, at the level of granularity they care about.
 
 Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
 
 Not typically used in automated geolocation.
 
-type: wildcard
+type: keyword
 
 
 
@@ -3184,13 +3156,11 @@ example: `CONTOSO`
 [[field-host-hostname]]
 <<field-host-hostname, host.hostname>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-Hostname of the host.
+| Hostname of the host.
 
 It normally contains what the `hostname` command returns on the host machine.
 
-type: wildcard
+type: keyword
 
 
 
@@ -3383,11 +3353,9 @@ example: `887`
 [[field-http-request-body-content]]
 <<field-http-request-body-content, http.request.body.content>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+| The full HTTP request body.
 
-The full HTTP request body.
-
-type: wildcard
+type: keyword
 
 Multi-fields:
 
@@ -3481,11 +3449,9 @@ example: `image/gif`
 [[field-http-request-referrer]]
 <<field-http-request-referrer, http.request.referrer>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-Referrer for this HTTP request.
+| Referrer for this HTTP request.
 
-type: wildcard
+type: keyword
 
 
 
@@ -3515,11 +3481,9 @@ example: `887`
 [[field-http-response-body-content]]
 <<field-http-response-body-content, http.response.body.content>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-The full HTTP response body.
+| The full HTTP response body.
 
-type: wildcard
+type: keyword
 
 Multi-fields:
 
@@ -3699,13 +3663,11 @@ The details specific to your event source are typically not logged under `log.*`
 [[field-log-file-path]]
 <<field-log-file-path, log.file.path>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
+| Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
 
 If the event wasn't read from a log file, do not populate this field.
 
-type: wildcard
+type: keyword
 
 
 
@@ -3739,11 +3701,9 @@ example: `error`
 [[field-log-logger]]
 <<field-log-logger, log.logger>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
+| The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
 
-type: wildcard
+type: keyword
 
 
 
@@ -4537,11 +4497,9 @@ type: keyword
 [[field-organization-name]]
 <<field-organization-name, organization.name>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-Organization name.
+| Organization name.
 
-type: wildcard
+type: keyword
 
 Multi-fields:
 
@@ -4593,11 +4551,9 @@ example: `debian`
 [[field-os-full]]
 <<field-os-full, os.full>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-Operating system name, including the version or code name.
+| Operating system name, including the version or code name.
 
-type: wildcard
+type: keyword
 
 Multi-fields:
 
@@ -4633,11 +4589,9 @@ example: `4.4.0-112-generic`
 [[field-os-name]]
 <<field-os-name, os.name>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-Operating system name, without the version.
+| Operating system name, without the version.
 
-type: wildcard
+type: keyword
 
 Multi-fields:
 
@@ -5047,11 +5001,9 @@ example: `0c6803c4e922103c4dca5963aad36ddf`
 [[field-pe-original-file-name]]
 <<field-pe-original-file-name, pe.original_file_name>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+| Internal name of the file, provided at compile-time.
 
-Internal name of the file, provided at compile-time.
-
-type: wildcard
+type: keyword
 
 
 
@@ -5148,13 +5100,11 @@ example: `4`
 [[field-process-command-line]]
 <<field-process-command-line, process.command_line>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-Full command line that started the process, including the absolute path to the executable, and all arguments.
+| Full command line that started the process, including the absolute path to the executable, and all arguments.
 
 Some arguments may be filtered to protect sensitive information.
 
-type: wildcard
+type: keyword
 
 Multi-fields:
 
@@ -5194,11 +5144,9 @@ example: `c2c455d9f99375d`
 [[field-process-executable]]
 <<field-process-executable, process.executable>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-Absolute path to the process executable.
+| Absolute path to the process executable.
 
-type: wildcard
+type: keyword
 
 Multi-fields:
 
@@ -5236,13 +5184,11 @@ example: `137`
 [[field-process-name]]
 <<field-process-name, process.name>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-Process name.
+| Process name.
 
 Sometimes called program name or similar.
 
-type: wildcard
+type: keyword
 
 Multi-fields:
 
@@ -5342,11 +5288,9 @@ example: `4242`
 [[field-process-thread-name]]
 <<field-process-thread-name, process.thread.name>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+| Thread name.
 
-Thread name.
-
-type: wildcard
+type: keyword
 
 
 
@@ -5360,13 +5304,11 @@ example: `thread-0`
 [[field-process-title]]
 <<field-process-title, process.title>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-Process title.
+| Process title.
 
 The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
 
-type: wildcard
+type: keyword
 
 Multi-fields:
 
@@ -5402,11 +5344,9 @@ example: `1325`
 [[field-process-working-directory]]
 <<field-process-working-directory, process.working_directory>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-The working directory of the process.
+| The working directory of the process.
 
-type: wildcard
+type: keyword
 
 Multi-fields:
 
@@ -5507,13 +5447,11 @@ example: `ZQBuAC0AVQBTAAAAZQBuAAAAAAA=`
 [[field-registry-data-strings]]
 <<field-registry-data-strings, registry.data.strings>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-Content when writing string types.
+| Content when writing string types.
 
 Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
 
-type: wildcard
+type: keyword
 
 
 Note: this field should contain an array of values.
@@ -5562,11 +5500,9 @@ example: `HKLM`
 [[field-registry-key]]
 <<field-registry-key, registry.key>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+| Hive-relative path of keys.
 
-Hive-relative path of keys.
-
-type: wildcard
+type: keyword
 
 
 
@@ -5580,11 +5516,9 @@ example: `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
 [[field-registry-path]]
 <<field-registry-path, registry.path>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-Full path, including hive, key and value
+| Full path, including hive, key and value
 
-type: wildcard
+type: keyword
 
 
 
@@ -5947,11 +5881,9 @@ example: `184`
 [[field-server-domain]]
 <<field-server-domain, server.domain>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-Server domain.
+| Server domain.
 
-type: wildcard
+type: keyword
 
 
 
@@ -6065,15 +5997,13 @@ type: long
 [[field-server-registered-domain]]
 <<field-server-registered-domain, server.registered_domain>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-The highest registered server domain, stripped of the subdomain.
+| The highest registered server domain, stripped of the subdomain.
 
 For example, the registered domain for "foo.example.com" is "example.com".
 
 This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
 
-type: wildcard
+type: keyword
 
 
 
@@ -6362,11 +6292,9 @@ example: `184`
 [[field-source-domain]]
 <<field-source-domain, source.domain>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-Source domain.
+| Source domain.
 
-type: wildcard
+type: keyword
 
 
 
@@ -6480,15 +6408,13 @@ type: long
 [[field-source-registered-domain]]
 <<field-source-registered-domain, source.registered_domain>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-The highest registered source domain, stripped of the subdomain.
+| The highest registered source domain, stripped of the subdomain.
 
 For example, the registered domain for "foo.example.com" is "example.com".
 
 This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
 
-type: wildcard
+type: keyword
 
 
 
@@ -6907,11 +6833,9 @@ example: `0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0`
 [[field-tls-client-issuer]]
 <<field-tls-client-issuer, tls.client.issuer>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
+| Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
 
-type: wildcard
+type: keyword
 
 
 
@@ -6989,11 +6913,9 @@ example: `www.elastic.co`
 [[field-tls-client-subject]]
 <<field-tls-client-subject, tls.client.subject>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-Distinguished name of subject of the x.509 certificate presented by the client.
+| Distinguished name of subject of the x.509 certificate presented by the client.
 
-type: wildcard
+type: keyword
 
 
 
@@ -7173,11 +7095,9 @@ example: `0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0`
 [[field-tls-server-issuer]]
 <<field-tls-server-issuer, tls.server.issuer>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+| Subject of the issuer of the x.509 certificate presented by the server.
 
-Subject of the issuer of the x.509 certificate presented by the server.
-
-type: wildcard
+type: keyword
 
 
 
@@ -7239,11 +7159,9 @@ example: `1970-01-01T00:00:00.000Z`
 [[field-tls-server-subject]]
 <<field-tls-server-subject, tls.server.subject>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+| Subject of the x.509 certificate presented by the server.
 
-Subject of the x.509 certificate presented by the server.
-
-type: wildcard
+type: keyword
 
 
 
@@ -7408,15 +7326,13 @@ URL fields provide support for complete or partial URLs, and supports the breaki
 [[field-url-domain]]
 <<field-url-domain, url.domain>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-Domain of the url, such as "www.elastic.co".
+| Domain of the url, such as "www.elastic.co".
 
 In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
 
 If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
 
-type: wildcard
+type: keyword
 
 
 
@@ -7470,11 +7386,9 @@ type: keyword
 [[field-url-full]]
 <<field-url-full, url.full>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
+| If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
 
-type: wildcard
+type: keyword
 
 Multi-fields:
 
@@ -7494,15 +7408,13 @@ example: `https://www.elastic.co:443/search?q=elasticsearch#top`
 [[field-url-original]]
 <<field-url-original, url.original>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-Unmodified original url as seen in the event source.
+| Unmodified original url as seen in the event source.
 
 Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
 
 This field is meant to represent the URL as it was observed, complete or not.
 
-type: wildcard
+type: keyword
 
 Multi-fields:
 
@@ -7538,11 +7450,9 @@ type: keyword
 [[field-url-path]]
 <<field-url-path, url.path>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+| Path of the request, such as "/search".
 
-Path of the request, such as "/search".
-
-type: wildcard
+type: keyword
 
 
 
@@ -7590,15 +7500,13 @@ type: keyword
 [[field-url-registered-domain]]
 <<field-url-registered-domain, url.registered_domain>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-The highest registered url domain, stripped of the subdomain.
+| The highest registered url domain, stripped of the subdomain.
 
 For example, the registered domain for "foo.example.com" is "example.com".
 
 This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
 
-type: wildcard
+type: keyword
 
 
 
@@ -7722,11 +7630,9 @@ type: keyword
 [[field-user-email]]
 <<field-user-email, user.email>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-User email address.
+| User email address.
 
-type: wildcard
+type: keyword
 
 
 
@@ -7740,11 +7646,9 @@ type: wildcard
 [[field-user-full-name]]
 <<field-user-full-name, user.full_name>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-User's full name, if available.
+| User's full name, if available.
 
-type: wildcard
+type: keyword
 
 Multi-fields:
 
@@ -7798,11 +7702,9 @@ type: keyword
 [[field-user-name]]
 <<field-user-name, user.name>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-Short name or login of the user.
+| Short name or login of the user.
 
-type: wildcard
+type: keyword
 
 Multi-fields:
 
@@ -7945,11 +7847,9 @@ example: `Safari`
 [[field-user-agent-original]]
 <<field-user-agent-original, user_agent.original>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+| Unparsed user_agent string.
 
-Unparsed user_agent string.
-
-type: wildcard
+type: keyword
 
 Multi-fields:
 
@@ -8394,11 +8294,9 @@ example: `US`
 [[field-x509-issuer-distinguished-name]]
 <<field-x509-issuer-distinguished-name, x509.issuer.distinguished_name>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-Distinguished name (DN) of issuing certificate authority.
+| Distinguished name (DN) of issuing certificate authority.
 
-type: wildcard
+type: keyword
 
 
 
@@ -8654,11 +8552,9 @@ example: `US`
 [[field-x509-subject-distinguished-name]]
 <<field-x509-subject-distinguished-name, x509.subject.distinguished_name>>
 
-| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
-
-Distinguished name (DN) of the certificate subject entity.
+| Distinguished name (DN) of the certificate subject entity.
 
-type: wildcard
+type: keyword
 
 
 
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index ce8874fbe8..4cab1099ae 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -18,8 +18,6 @@
   short: Date/time when the event originated.
   type: date
 agent.build.original:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: agent-build-original
   description: 'Extended build information for the agent.
 
@@ -130,8 +128,6 @@ client.as.number:
   short: Unique number allocated to the autonomous system.
   type: long
 client.as.organization.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: client-as-organization-name
   description: Organization name.
   example: Google LLC
@@ -159,8 +155,6 @@ client.bytes:
   short: Bytes sent from the client to the server.
   type: long
 client.domain:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: client-domain
   description: Client domain.
   flat_name: client.domain
@@ -229,8 +223,6 @@ client.geo.location:
   short: Longitude and latitude.
   type: geo_point
 client.geo.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: client-geo-name
   description: 'User-defined description of a location, at the level of granularity
     they care about.
@@ -336,8 +328,6 @@ client.port:
   short: Port of the client.
   type: long
 client.registered_domain:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: client-registered-domain
   description: 'The highest registered client domain, stripped of the subdomain.
 
@@ -402,8 +392,6 @@ client.user.domain:
   short: Name of the directory the user is a member of.
   type: keyword
 client.user.email:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: client-user-email
   description: User email address.
   flat_name: client.user.email
@@ -414,8 +402,6 @@ client.user.email:
   short: User email address.
   type: wildcard
 client.user.full_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: client-user-full-name
   description: User's full name, if available.
   example: Albert Einstein
@@ -493,8 +479,6 @@ client.user.id:
   short: Unique identifier of the user.
   type: keyword
 client.user.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: client-user-name
   description: Short name or login of the user.
   example: albert
@@ -794,8 +778,6 @@ destination.as.number:
   short: Unique number allocated to the autonomous system.
   type: long
 destination.as.organization.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: destination-as-organization-name
   description: Organization name.
   example: Google LLC
@@ -823,8 +805,6 @@ destination.bytes:
   short: Bytes sent from the destination to the source.
   type: long
 destination.domain:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: destination-domain
   description: Destination domain.
   flat_name: destination.domain
@@ -893,8 +873,6 @@ destination.geo.location:
   short: Longitude and latitude.
   type: geo_point
 destination.geo.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: destination-geo-name
   description: 'User-defined description of a location, at the level of granularity
     they care about.
@@ -999,8 +977,6 @@ destination.port:
   short: Port of the destination.
   type: long
 destination.registered_domain:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: destination-registered-domain
   description: 'The highest registered destination domain, stripped of the subdomain.
 
@@ -1065,8 +1041,6 @@ destination.user.domain:
   short: Name of the directory the user is a member of.
   type: keyword
 destination.user.email:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: destination-user-email
   description: User email address.
   flat_name: destination.user.email
@@ -1077,8 +1051,6 @@ destination.user.email:
   short: User email address.
   type: wildcard
 destination.user.full_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: destination-user-full-name
   description: User's full name, if available.
   example: Albert Einstein
@@ -1156,8 +1128,6 @@ destination.user.id:
   short: Unique identifier of the user.
   type: keyword
 destination.user.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: destination-user-name
   description: Short name or login of the user.
   example: albert
@@ -1398,8 +1368,6 @@ dll.pe.imphash:
   short: A hash of the imports in a PE file.
   type: keyword
 dll.pe.original_file_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: dll-pe-original-file-name
   description: Internal name of the file, provided at compile-time.
   example: MSPAINT.EXE
@@ -1453,8 +1421,6 @@ dns.answers.class:
   short: The class of DNS data contained in this resource record.
   type: keyword
 dns.answers.data:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: dns-answers-data
   description: 'The data describing the resource.
 
@@ -1555,8 +1521,6 @@ dns.question.class:
   short: The class of records being queried.
   type: keyword
 dns.question.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: dns-question-name
   description: 'The name being queried.
 
@@ -1723,8 +1687,6 @@ error.message:
   short: Error message.
   type: text
 error.stack_trace:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: error-stack-trace
   description: The stack trace of this error in plain text.
   flat_name: error.stack_trace
@@ -1739,8 +1701,6 @@ error.stack_trace:
   short: The stack trace of this error in plain text.
   type: wildcard
 error.type:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: error-type
   description: The type of the error, for example the class name of the exception.
   example: java.lang.NullPointerException
@@ -2627,8 +2587,6 @@ file.device:
   short: Device that is the source of the file.
   type: keyword
 file.directory:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: file-directory
   description: Directory where the file is located. It should include the drive letter,
     when appropriate.
@@ -2811,8 +2769,6 @@ file.owner:
   short: File owner's username.
   type: keyword
 file.path:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: file-path
   description: Full path to the file, including the file name. It should include the
     drive letter, when appropriate.
@@ -2893,8 +2849,6 @@ file.pe.imphash:
   short: A hash of the imports in a PE file.
   type: keyword
 file.pe.original_file_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: file-pe-original-file-name
   description: Internal name of the file, provided at compile-time.
   example: MSPAINT.EXE
@@ -2930,8 +2884,6 @@ file.size:
   short: File size in bytes.
   type: long
 file.target_path:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: file-target-path
   description: Target path for symlinks.
   flat_name: file.target_path
@@ -3009,8 +2961,6 @@ file.x509.issuer.country:
   short: List of country (C) codes
   type: keyword
 file.x509.issuer.distinguished_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: file-x509-issuer-distinguished-name
   description: Distinguished name (DN) of issuing certificate authority.
   example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
@@ -3200,8 +3150,6 @@ file.x509.subject.country:
   short: List of country (C) code
   type: keyword
 file.x509.subject.distinguished_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: file-x509-subject-distinguished-name
   description: Distinguished name (DN) of the certificate subject entity.
   example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
@@ -3426,8 +3374,6 @@ host.geo.location:
   short: Longitude and latitude.
   type: geo_point
 host.geo.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: host-geo-name
   description: 'User-defined description of a location, at the level of granularity
     they care about.
@@ -3469,8 +3415,6 @@ host.geo.region_name:
   short: Region name.
   type: keyword
 host.hostname:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: host-hostname
   description: 'Hostname of the host.
 
@@ -3582,8 +3526,6 @@ host.os.family:
   short: OS family (such as redhat, debian, freebsd, windows).
   type: keyword
 host.os.full:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: host-os-full
   description: Operating system name, including the version or code name.
   example: Mac OS Mojave
@@ -3612,8 +3554,6 @@ host.os.kernel:
   short: Operating system kernel version as a raw string.
   type: keyword
 host.os.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: host-os-name
   description: Operating system name, without the version.
   example: Mac OS X
@@ -3709,8 +3649,6 @@ host.user.domain:
   short: Name of the directory the user is a member of.
   type: keyword
 host.user.email:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: host-user-email
   description: User email address.
   flat_name: host.user.email
@@ -3721,8 +3659,6 @@ host.user.email:
   short: User email address.
   type: wildcard
 host.user.full_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: host-user-full-name
   description: User's full name, if available.
   example: Albert Einstein
@@ -3800,8 +3736,6 @@ host.user.id:
   short: Unique identifier of the user.
   type: keyword
 host.user.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: host-user-name
   description: Short name or login of the user.
   example: albert
@@ -3842,8 +3776,6 @@ http.request.body.bytes:
   short: Size in bytes of the request body.
   type: long
 http.request.body.content:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: http-request-body-content
   description: The full HTTP request body.
   example: Hello world
@@ -3918,8 +3850,6 @@ http.request.mime_type:
   short: Mime type of the body of the request.
   type: keyword
 http.request.referrer:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: http-request-referrer
   description: Referrer for this HTTP request.
   example: https://blog.example.com/
@@ -3941,8 +3871,6 @@ http.response.body.bytes:
   short: Size in bytes of the response body.
   type: long
 http.response.body.content:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: http-response-body-content
   description: The full HTTP response body.
   example: Hello world
@@ -4022,8 +3950,6 @@ labels:
   short: Custom key/value pairs.
   type: object
 log.file.path:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: log-file-path
   description: 'Full path to the log file this event came from, including the file
     name. It should include the drive letter, when appropriate.
@@ -4054,8 +3980,6 @@ log.level:
   short: Log level of the log event.
   type: keyword
 log.logger:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: log-logger
   description: The name of the logger inside an application. This is usually the name
     of the class which initialized the logger, or can be a custom name.
@@ -4586,8 +4510,6 @@ observer.geo.location:
   short: Longitude and latitude.
   type: geo_point
 observer.geo.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: observer-geo-name
   description: 'User-defined description of a location, at the level of granularity
     they care about.
@@ -4774,8 +4696,6 @@ observer.os.family:
   short: OS family (such as redhat, debian, freebsd, windows).
   type: keyword
 observer.os.full:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: observer-os-full
   description: Operating system name, including the version or code name.
   example: Mac OS Mojave
@@ -4804,8 +4724,6 @@ observer.os.kernel:
   short: Operating system kernel version as a raw string.
   type: keyword
 observer.os.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: observer-os-name
   description: Operating system name, without the version.
   example: Mac OS X
@@ -4931,8 +4849,6 @@ organization.id:
   short: Unique identifier for the organization.
   type: keyword
 organization.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: organization-name
   description: Organization name.
   flat_name: organization.name
@@ -5193,8 +5109,6 @@ process.code_signature.valid:
     content.
   type: boolean
 process.command_line:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: process-command-line
   description: 'Full command line that started the process, including the absolute
     path to the executable, and all arguments.
@@ -5232,8 +5146,6 @@ process.entity_id:
   short: Unique identifier for the process.
   type: keyword
 process.executable:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: process-executable
   description: Absolute path to the process executable.
   example: /usr/bin/ssh
@@ -5317,8 +5229,6 @@ process.hash.ssdeep:
   short: SSDEEP hash.
   type: keyword
 process.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: process-name
   description: 'Process name.
 
@@ -5435,8 +5345,6 @@ process.parent.code_signature.valid:
     content.
   type: boolean
 process.parent.command_line:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: process-parent-command-line
   description: 'Full command line that started the process, including the absolute
     path to the executable, and all arguments.
@@ -5476,8 +5384,6 @@ process.parent.entity_id:
   short: Unique identifier for the process.
   type: keyword
 process.parent.executable:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: process-parent-executable
   description: Absolute path to the process executable.
   example: /usr/bin/ssh
@@ -5563,8 +5469,6 @@ process.parent.hash.ssdeep:
   short: SSDEEP hash.
   type: keyword
 process.parent.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: process-parent-name
   description: 'Process name.
 
@@ -5647,8 +5551,6 @@ process.parent.pe.imphash:
   short: A hash of the imports in a PE file.
   type: keyword
 process.parent.pe.original_file_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: process-parent-pe-original-file-name
   description: Internal name of the file, provided at compile-time.
   example: MSPAINT.EXE
@@ -5730,8 +5632,6 @@ process.parent.thread.id:
   short: Thread ID.
   type: long
 process.parent.thread.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: process-parent-thread-name
   description: Thread name.
   example: thread-0
@@ -5743,8 +5643,6 @@ process.parent.thread.name:
   short: Thread name.
   type: wildcard
 process.parent.title:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: process-parent-title
   description: 'Process title.
 
@@ -5774,8 +5672,6 @@ process.parent.uptime:
   short: Seconds the process has been up.
   type: long
 process.parent.working_directory:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: process-parent-working-directory
   description: The working directory of the process.
   example: /home/alice
@@ -5856,8 +5752,6 @@ process.pe.imphash:
   short: A hash of the imports in a PE file.
   type: keyword
 process.pe.original_file_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: process-pe-original-file-name
   description: Internal name of the file, provided at compile-time.
   example: MSPAINT.EXE
@@ -5934,8 +5828,6 @@ process.thread.id:
   short: Thread ID.
   type: long
 process.thread.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: process-thread-name
   description: Thread name.
   example: thread-0
@@ -5946,8 +5838,6 @@ process.thread.name:
   short: Thread name.
   type: wildcard
 process.title:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: process-title
   description: 'Process title.
 
@@ -5975,8 +5865,6 @@ process.uptime:
   short: Seconds the process has been up.
   type: long
 process.working_directory:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: process-working-directory
   description: The working directory of the process.
   example: /home/alice
@@ -6007,8 +5895,6 @@ registry.data.bytes:
   short: Original bytes written with base64 encoding.
   type: keyword
 registry.data.strings:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: registry-data-strings
   description: 'Content when writing string types.
 
@@ -6048,8 +5934,6 @@ registry.hive:
   short: Abbreviated name for the hive.
   type: keyword
 registry.key:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: registry-key
   description: Hive-relative path of keys.
   example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
@@ -6060,8 +5944,6 @@ registry.key:
   short: Hive-relative path of keys.
   type: wildcard
 registry.path:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: registry-path
   description: Full path, including hive, key and value
   example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
@@ -6279,8 +6161,6 @@ server.as.number:
   short: Unique number allocated to the autonomous system.
   type: long
 server.as.organization.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: server-as-organization-name
   description: Organization name.
   example: Google LLC
@@ -6308,8 +6188,6 @@ server.bytes:
   short: Bytes sent from the server to the client.
   type: long
 server.domain:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: server-domain
   description: Server domain.
   flat_name: server.domain
@@ -6378,8 +6256,6 @@ server.geo.location:
   short: Longitude and latitude.
   type: geo_point
 server.geo.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: server-geo-name
   description: 'User-defined description of a location, at the level of granularity
     they care about.
@@ -6485,8 +6361,6 @@ server.port:
   short: Port of the server.
   type: long
 server.registered_domain:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: server-registered-domain
   description: 'The highest registered server domain, stripped of the subdomain.
 
@@ -6551,8 +6425,6 @@ server.user.domain:
   short: Name of the directory the user is a member of.
   type: keyword
 server.user.email:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: server-user-email
   description: User email address.
   flat_name: server.user.email
@@ -6563,8 +6435,6 @@ server.user.email:
   short: User email address.
   type: wildcard
 server.user.full_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: server-user-full-name
   description: User's full name, if available.
   example: Albert Einstein
@@ -6642,8 +6512,6 @@ server.user.id:
   short: Unique identifier of the user.
   type: keyword
 server.user.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: server-user-name
   description: Short name or login of the user.
   example: albert
@@ -6812,8 +6680,6 @@ source.as.number:
   short: Unique number allocated to the autonomous system.
   type: long
 source.as.organization.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: source-as-organization-name
   description: Organization name.
   example: Google LLC
@@ -6841,8 +6707,6 @@ source.bytes:
   short: Bytes sent from the source to the destination.
   type: long
 source.domain:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: source-domain
   description: Source domain.
   flat_name: source.domain
@@ -6911,8 +6775,6 @@ source.geo.location:
   short: Longitude and latitude.
   type: geo_point
 source.geo.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: source-geo-name
   description: 'User-defined description of a location, at the level of granularity
     they care about.
@@ -7018,8 +6880,6 @@ source.port:
   short: Port of the source.
   type: long
 source.registered_domain:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: source-registered-domain
   description: 'The highest registered source domain, stripped of the subdomain.
 
@@ -7084,8 +6944,6 @@ source.user.domain:
   short: Name of the directory the user is a member of.
   type: keyword
 source.user.email:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: source-user-email
   description: User email address.
   flat_name: source.user.email
@@ -7096,8 +6954,6 @@ source.user.email:
   short: User email address.
   type: wildcard
 source.user.full_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: source-user-full-name
   description: User's full name, if available.
   example: Albert Einstein
@@ -7175,8 +7031,6 @@ source.user.id:
   short: Unique identifier of the user.
   type: keyword
 source.user.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: source-user-name
   description: Short name or login of the user.
   example: albert
@@ -7455,8 +7309,6 @@ tls.client.hash.sha256:
     certificate offered by the client.
   type: keyword
 tls.client.issuer:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: tls-client-issuer
   description: Distinguished name of subject of the issuer of the x.509 certificate
     presented by the client.
@@ -7515,8 +7367,6 @@ tls.client.server_name:
   short: Hostname the client is trying to connect to. Also called the SNI.
   type: keyword
 tls.client.subject:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: tls-client-subject
   description: Distinguished name of subject of the x.509 certificate presented by
     the client.
@@ -7582,8 +7432,6 @@ tls.client.x509.issuer.country:
   short: List of country (C) codes
   type: keyword
 tls.client.x509.issuer.distinguished_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: tls-client-x509-issuer-distinguished-name
   description: Distinguished name (DN) of issuing certificate authority.
   example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
@@ -7773,8 +7621,6 @@ tls.client.x509.subject.country:
   short: List of country (C) code
   type: keyword
 tls.client.x509.subject.distinguished_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: tls-client-x509-subject-distinguished-name
   description: Distinguished name (DN) of the certificate subject entity.
   example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
@@ -7965,8 +7811,6 @@ tls.server.hash.sha256:
     certificate offered by the server.
   type: keyword
 tls.server.issuer:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: tls-server-issuer
   description: Subject of the issuer of the x.509 certificate presented by the server.
   example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
@@ -8010,8 +7854,6 @@ tls.server.not_before:
   short: Timestamp indicating when server certificate is first considered valid.
   type: date
 tls.server.subject:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: tls-server-subject
   description: Subject of the x.509 certificate presented by the server.
   example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com
@@ -8063,8 +7905,6 @@ tls.server.x509.issuer.country:
   short: List of country (C) codes
   type: keyword
 tls.server.x509.issuer.distinguished_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: tls-server-x509-issuer-distinguished-name
   description: Distinguished name (DN) of issuing certificate authority.
   example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
@@ -8254,8 +8094,6 @@ tls.server.x509.subject.country:
   short: List of country (C) code
   type: keyword
 tls.server.x509.subject.distinguished_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: tls-server-x509-subject-distinguished-name
   description: Distinguished name (DN) of the certificate subject entity.
   example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
@@ -8380,8 +8218,6 @@ transaction.id:
   short: Unique identifier of the transaction within the scope of its trace.
   type: keyword
 url.domain:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: url-domain
   description: 'Domain of the url, such as "www.elastic.co".
 
@@ -8430,8 +8266,6 @@ url.fragment:
   short: Portion of the url after the `#`.
   type: keyword
 url.full:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: url-full
   description: If full URLs are important to your use case, they should be stored
     in `url.full`, whether this field is reconstructed or present in the event source.
@@ -8448,8 +8282,6 @@ url.full:
   short: Full unparsed URL.
   type: wildcard
 url.original:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: url-original
   description: 'Unmodified original url as seen in the event source.
 
@@ -8480,8 +8312,6 @@ url.password:
   short: Password of the request.
   type: keyword
 url.path:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: url-path
   description: Path of the request, such as "/search".
   flat_name: url.path
@@ -8518,8 +8348,6 @@ url.query:
   short: Query string of the request.
   type: keyword
 url.registered_domain:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: url-registered-domain
   description: 'The highest registered url domain, stripped of the subdomain.
 
@@ -8607,8 +8435,6 @@ user.changes.domain:
   short: Name of the directory the user is a member of.
   type: keyword
 user.changes.email:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: user-changes-email
   description: User email address.
   flat_name: user.changes.email
@@ -8619,8 +8445,6 @@ user.changes.email:
   short: User email address.
   type: wildcard
 user.changes.full_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: user-changes-full-name
   description: User's full name, if available.
   example: Albert Einstein
@@ -8698,8 +8522,6 @@ user.changes.id:
   short: Unique identifier of the user.
   type: keyword
 user.changes.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: user-changes-name
   description: Short name or login of the user.
   example: albert
@@ -8754,8 +8576,6 @@ user.effective.domain:
   short: Name of the directory the user is a member of.
   type: keyword
 user.effective.email:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: user-effective-email
   description: User email address.
   flat_name: user.effective.email
@@ -8766,8 +8586,6 @@ user.effective.email:
   short: User email address.
   type: wildcard
 user.effective.full_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: user-effective-full-name
   description: User's full name, if available.
   example: Albert Einstein
@@ -8845,8 +8663,6 @@ user.effective.id:
   short: Unique identifier of the user.
   type: keyword
 user.effective.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: user-effective-name
   description: Short name or login of the user.
   example: albert
@@ -8876,8 +8692,6 @@ user.effective.roles:
   short: Array of user roles at the time of the event.
   type: keyword
 user.email:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: user-email
   description: User email address.
   flat_name: user.email
@@ -8887,8 +8701,6 @@ user.email:
   short: User email address.
   type: wildcard
 user.full_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: user-full-name
   description: User's full name, if available.
   example: Albert Einstein
@@ -8963,8 +8775,6 @@ user.id:
   short: Unique identifier of the user.
   type: keyword
 user.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: user-name
   description: Short name or login of the user.
   example: albert
@@ -9005,8 +8815,6 @@ user.target.domain:
   short: Name of the directory the user is a member of.
   type: keyword
 user.target.email:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: user-target-email
   description: User email address.
   flat_name: user.target.email
@@ -9017,8 +8825,6 @@ user.target.email:
   short: User email address.
   type: wildcard
 user.target.full_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: user-target-full-name
   description: User's full name, if available.
   example: Albert Einstein
@@ -9096,8 +8902,6 @@ user.target.id:
   short: Unique identifier of the user.
   type: keyword
 user.target.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: user-target-name
   description: Short name or login of the user.
   example: albert
@@ -9149,8 +8953,6 @@ user_agent.name:
   short: Name of the user agent.
   type: keyword
 user_agent.original:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: user-agent-original
   description: Unparsed user_agent string.
   example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15
@@ -9179,8 +8981,6 @@ user_agent.os.family:
   short: OS family (such as redhat, debian, freebsd, windows).
   type: keyword
 user_agent.os.full:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: user-agent-os-full
   description: Operating system name, including the version or code name.
   example: Mac OS Mojave
@@ -9209,8 +9009,6 @@ user_agent.os.kernel:
   short: Operating system kernel version as a raw string.
   type: keyword
 user_agent.os.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: user-agent-os-name
   description: Operating system name, without the version.
   example: Mac OS X
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index fcd725bb6b..ef1e3567d2 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -8,8 +8,6 @@ agent:
     event happened or the measurement was taken.'
   fields:
     agent.build.original:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: agent-build-original
       description: 'Extended build information for the agent.
 
@@ -120,8 +118,6 @@ as:
       short: Unique number allocated to the autonomous system.
       type: long
     as.organization.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: as-organization-name
       description: Organization name.
       example: Google LLC
@@ -277,8 +273,6 @@ client:
       short: Unique number allocated to the autonomous system.
       type: long
     client.as.organization.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: client-as-organization-name
       description: Organization name.
       example: Google LLC
@@ -306,8 +300,6 @@ client:
       short: Bytes sent from the client to the server.
       type: long
     client.domain:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: client-domain
       description: Client domain.
       flat_name: client.domain
@@ -376,8 +368,6 @@ client:
       short: Longitude and latitude.
       type: geo_point
     client.geo.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: client-geo-name
       description: 'User-defined description of a location, at the level of granularity
         they care about.
@@ -483,8 +473,6 @@ client:
       short: Port of the client.
       type: long
     client.registered_domain:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: client-registered-domain
       description: 'The highest registered client domain, stripped of the subdomain.
 
@@ -549,8 +537,6 @@ client:
       short: Name of the directory the user is a member of.
       type: keyword
     client.user.email:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: client-user-email
       description: User email address.
       flat_name: client.user.email
@@ -561,8 +547,6 @@ client:
       short: User email address.
       type: wildcard
     client.user.full_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: client-user-full-name
       description: User's full name, if available.
       example: Albert Einstein
@@ -640,8 +624,6 @@ client:
       short: Unique identifier of the user.
       type: keyword
     client.user.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: client-user-name
       description: Short name or login of the user.
       example: albert
@@ -1106,8 +1088,6 @@ destination:
       short: Unique number allocated to the autonomous system.
       type: long
     destination.as.organization.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: destination-as-organization-name
       description: Organization name.
       example: Google LLC
@@ -1135,8 +1115,6 @@ destination:
       short: Bytes sent from the destination to the source.
       type: long
     destination.domain:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: destination-domain
       description: Destination domain.
       flat_name: destination.domain
@@ -1205,8 +1183,6 @@ destination:
       short: Longitude and latitude.
       type: geo_point
     destination.geo.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: destination-geo-name
       description: 'User-defined description of a location, at the level of granularity
         they care about.
@@ -1311,8 +1287,6 @@ destination:
       short: Port of the destination.
       type: long
     destination.registered_domain:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: destination-registered-domain
       description: 'The highest registered destination domain, stripped of the subdomain.
 
@@ -1377,8 +1351,6 @@ destination:
       short: Name of the directory the user is a member of.
       type: keyword
     destination.user.email:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: destination-user-email
       description: User email address.
       flat_name: destination.user.email
@@ -1389,8 +1361,6 @@ destination:
       short: User email address.
       type: wildcard
     destination.user.full_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: destination-user-full-name
       description: User's full name, if available.
       example: Albert Einstein
@@ -1468,8 +1438,6 @@ destination:
       short: Unique identifier of the user.
       type: keyword
     destination.user.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: destination-user-name
       description: Short name or login of the user.
       example: albert
@@ -1744,8 +1712,6 @@ dll:
       short: A hash of the imports in a PE file.
       type: keyword
     dll.pe.original_file_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: dll-pe-original-file-name
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
@@ -1827,8 +1793,6 @@ dns:
       short: The class of DNS data contained in this resource record.
       type: keyword
     dns.answers.data:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: dns-answers-data
       description: 'The data describing the resource.
 
@@ -1931,8 +1895,6 @@ dns:
       short: The class of records being queried.
       type: keyword
     dns.question.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: dns-question-name
       description: 'The name being queried.
 
@@ -2120,8 +2082,6 @@ error:
       short: Error message.
       type: text
     error.stack_trace:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: error-stack-trace
       description: The stack trace of this error in plain text.
       flat_name: error.stack_trace
@@ -2136,8 +2096,6 @@ error:
       short: The stack trace of this error in plain text.
       type: wildcard
     error.type:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: error-type
       description: The type of the error, for example the class name of the exception.
       example: java.lang.NullPointerException
@@ -3075,8 +3033,6 @@ file:
       short: Device that is the source of the file.
       type: keyword
     file.directory:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: file-directory
       description: Directory where the file is located. It should include the drive
         letter, when appropriate.
@@ -3259,8 +3215,6 @@ file:
       short: File owner's username.
       type: keyword
     file.path:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: file-path
       description: Full path to the file, including the file name. It should include
         the drive letter, when appropriate.
@@ -3341,8 +3295,6 @@ file:
       short: A hash of the imports in a PE file.
       type: keyword
     file.pe.original_file_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: file-pe-original-file-name
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
@@ -3378,8 +3330,6 @@ file:
       short: File size in bytes.
       type: long
     file.target_path:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: file-target-path
       description: Target path for symlinks.
       flat_name: file.target_path
@@ -3457,8 +3407,6 @@ file:
       short: List of country (C) codes
       type: keyword
     file.x509.issuer.distinguished_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: file-x509-issuer-distinguished-name
       description: Distinguished name (DN) of issuing certificate authority.
       example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
@@ -3648,8 +3596,6 @@ file:
       short: List of country (C) code
       type: keyword
     file.x509.subject.distinguished_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: file-x509-subject-distinguished-name
       description: Distinguished name (DN) of the certificate subject entity.
       example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
@@ -3809,8 +3755,6 @@ geo:
       short: Longitude and latitude.
       type: geo_point
     geo.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: geo-name
       description: 'User-defined description of a location, at the level of granularity
         they care about.
@@ -4130,8 +4074,6 @@ host:
       short: Longitude and latitude.
       type: geo_point
     host.geo.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: host-geo-name
       description: 'User-defined description of a location, at the level of granularity
         they care about.
@@ -4173,8 +4115,6 @@ host:
       short: Region name.
       type: keyword
     host.hostname:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: host-hostname
       description: 'Hostname of the host.
 
@@ -4287,8 +4227,6 @@ host:
       short: OS family (such as redhat, debian, freebsd, windows).
       type: keyword
     host.os.full:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: host-os-full
       description: Operating system name, including the version or code name.
       example: Mac OS Mojave
@@ -4317,8 +4255,6 @@ host:
       short: Operating system kernel version as a raw string.
       type: keyword
     host.os.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: host-os-name
       description: Operating system name, without the version.
       example: Mac OS X
@@ -4416,8 +4352,6 @@ host:
       short: Name of the directory the user is a member of.
       type: keyword
     host.user.email:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: host-user-email
       description: User email address.
       flat_name: host.user.email
@@ -4428,8 +4362,6 @@ host:
       short: User email address.
       type: wildcard
     host.user.full_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: host-user-full-name
       description: User's full name, if available.
       example: Albert Einstein
@@ -4507,8 +4439,6 @@ host:
       short: Unique identifier of the user.
       type: keyword
     host.user.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: host-user-name
       description: Short name or login of the user.
       example: albert
@@ -4573,8 +4503,6 @@ http:
       short: Size in bytes of the request body.
       type: long
     http.request.body.content:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: http-request-body-content
       description: The full HTTP request body.
       example: Hello world
@@ -4651,8 +4579,6 @@ http:
       short: Mime type of the body of the request.
       type: keyword
     http.request.referrer:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: http-request-referrer
       description: Referrer for this HTTP request.
       example: https://blog.example.com/
@@ -4674,8 +4600,6 @@ http:
       short: Size in bytes of the response body.
       type: long
     http.response.body.content:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: http-response-body-content
       description: The full HTTP response body.
       example: Hello world
@@ -4813,8 +4737,6 @@ log:
     but rather in `event.*` or in other ECS fields.'
   fields:
     log.file.path:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: log-file-path
       description: 'Full path to the log file this event came from, including the
         file name. It should include the drive letter, when appropriate.
@@ -4845,8 +4767,6 @@ log:
       short: Log level of the log event.
       type: keyword
     log.logger:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: log-logger
       description: The name of the logger inside an application. This is usually the
         name of the class which initialized the logger, or can be a custom name.
@@ -5408,8 +5328,6 @@ observer:
       short: Longitude and latitude.
       type: geo_point
     observer.geo.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: observer-geo-name
       description: 'User-defined description of a location, at the level of granularity
         they care about.
@@ -5597,8 +5515,6 @@ observer:
       short: OS family (such as redhat, debian, freebsd, windows).
       type: keyword
     observer.os.full:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: observer-os-full
       description: Operating system name, including the version or code name.
       example: Mac OS Mojave
@@ -5627,8 +5543,6 @@ observer:
       short: Operating system kernel version as a raw string.
       type: keyword
     observer.os.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: observer-os-name
       description: Operating system name, without the version.
       example: Mac OS X
@@ -5794,8 +5708,6 @@ organization:
       short: Unique identifier for the organization.
       type: keyword
     organization.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: organization-name
       description: Organization name.
       flat_name: organization.name
@@ -5830,8 +5742,6 @@ os:
       short: OS family (such as redhat, debian, freebsd, windows).
       type: keyword
     os.full:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: os-full
       description: Operating system name, including the version or code name.
       example: Mac OS Mojave
@@ -5858,8 +5768,6 @@ os:
       short: Operating system kernel version as a raw string.
       type: keyword
     os.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: os-name
       description: Operating system name, without the version.
       example: Mac OS X
@@ -6159,8 +6067,6 @@ pe:
       short: A hash of the imports in a PE file.
       type: keyword
     pe.original_file_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: pe-original-file-name
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
@@ -6304,8 +6210,6 @@ process:
         content.
       type: boolean
     process.command_line:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: process-command-line
       description: 'Full command line that started the process, including the absolute
         path to the executable, and all arguments.
@@ -6343,8 +6247,6 @@ process:
       short: Unique identifier for the process.
       type: keyword
     process.executable:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: process-executable
       description: Absolute path to the process executable.
       example: /usr/bin/ssh
@@ -6428,8 +6330,6 @@ process:
       short: SSDEEP hash.
       type: keyword
     process.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: process-name
       description: 'Process name.
 
@@ -6546,8 +6446,6 @@ process:
         content.
       type: boolean
     process.parent.command_line:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: process-parent-command-line
       description: 'Full command line that started the process, including the absolute
         path to the executable, and all arguments.
@@ -6587,8 +6485,6 @@ process:
       short: Unique identifier for the process.
       type: keyword
     process.parent.executable:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: process-parent-executable
       description: Absolute path to the process executable.
       example: /usr/bin/ssh
@@ -6674,8 +6570,6 @@ process:
       short: SSDEEP hash.
       type: keyword
     process.parent.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: process-parent-name
       description: 'Process name.
 
@@ -6758,8 +6652,6 @@ process:
       short: A hash of the imports in a PE file.
       type: keyword
     process.parent.pe.original_file_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: process-parent-pe-original-file-name
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
@@ -6841,8 +6733,6 @@ process:
       short: Thread ID.
       type: long
     process.parent.thread.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: process-parent-thread-name
       description: Thread name.
       example: thread-0
@@ -6854,8 +6744,6 @@ process:
       short: Thread name.
       type: wildcard
     process.parent.title:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: process-parent-title
       description: 'Process title.
 
@@ -6885,8 +6773,6 @@ process:
       short: Seconds the process has been up.
       type: long
     process.parent.working_directory:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: process-parent-working-directory
       description: The working directory of the process.
       example: /home/alice
@@ -6967,8 +6853,6 @@ process:
       short: A hash of the imports in a PE file.
       type: keyword
     process.pe.original_file_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: process-pe-original-file-name
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
@@ -7045,8 +6929,6 @@ process:
       short: Thread ID.
       type: long
     process.thread.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: process-thread-name
       description: Thread name.
       example: thread-0
@@ -7057,8 +6939,6 @@ process:
       short: Thread name.
       type: wildcard
     process.title:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: process-title
       description: 'Process title.
 
@@ -7086,8 +6966,6 @@ process:
       short: Seconds the process has been up.
       type: long
     process.working_directory:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: process-working-directory
       description: The working directory of the process.
       example: /home/alice
@@ -7151,8 +7029,6 @@ registry:
       short: Original bytes written with base64 encoding.
       type: keyword
     registry.data.strings:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: registry-data-strings
       description: 'Content when writing string types.
 
@@ -7192,8 +7068,6 @@ registry:
       short: Abbreviated name for the hive.
       type: keyword
     registry.key:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: registry-key
       description: Hive-relative path of keys.
       example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
@@ -7204,8 +7078,6 @@ registry:
       short: Hive-relative path of keys.
       type: wildcard
     registry.path:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: registry-path
       description: Full path, including hive, key and value
       example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
@@ -7480,8 +7352,6 @@ server:
       short: Unique number allocated to the autonomous system.
       type: long
     server.as.organization.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: server-as-organization-name
       description: Organization name.
       example: Google LLC
@@ -7509,8 +7379,6 @@ server:
       short: Bytes sent from the server to the client.
       type: long
     server.domain:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: server-domain
       description: Server domain.
       flat_name: server.domain
@@ -7579,8 +7447,6 @@ server:
       short: Longitude and latitude.
       type: geo_point
     server.geo.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: server-geo-name
       description: 'User-defined description of a location, at the level of granularity
         they care about.
@@ -7686,8 +7552,6 @@ server:
       short: Port of the server.
       type: long
     server.registered_domain:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: server-registered-domain
       description: 'The highest registered server domain, stripped of the subdomain.
 
@@ -7752,8 +7616,6 @@ server:
       short: Name of the directory the user is a member of.
       type: keyword
     server.user.email:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: server-user-email
       description: User email address.
       flat_name: server.user.email
@@ -7764,8 +7626,6 @@ server:
       short: User email address.
       type: wildcard
     server.user.full_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: server-user-full-name
       description: User's full name, if available.
       example: Albert Einstein
@@ -7843,8 +7703,6 @@ server:
       short: Unique identifier of the user.
       type: keyword
     server.user.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: server-user-name
       description: Short name or login of the user.
       example: albert
@@ -8057,8 +7915,6 @@ source:
       short: Unique number allocated to the autonomous system.
       type: long
     source.as.organization.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: source-as-organization-name
       description: Organization name.
       example: Google LLC
@@ -8086,8 +7942,6 @@ source:
       short: Bytes sent from the source to the destination.
       type: long
     source.domain:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: source-domain
       description: Source domain.
       flat_name: source.domain
@@ -8156,8 +8010,6 @@ source:
       short: Longitude and latitude.
       type: geo_point
     source.geo.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: source-geo-name
       description: 'User-defined description of a location, at the level of granularity
         they care about.
@@ -8263,8 +8115,6 @@ source:
       short: Port of the source.
       type: long
     source.registered_domain:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: source-registered-domain
       description: 'The highest registered source domain, stripped of the subdomain.
 
@@ -8329,8 +8179,6 @@ source:
       short: Name of the directory the user is a member of.
       type: keyword
     source.user.email:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: source-user-email
       description: User email address.
       flat_name: source.user.email
@@ -8341,8 +8189,6 @@ source:
       short: User email address.
       type: wildcard
     source.user.full_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: source-user-full-name
       description: User's full name, if available.
       example: Albert Einstein
@@ -8420,8 +8266,6 @@ source:
       short: Unique identifier of the user.
       type: keyword
     source.user.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: source-user-name
       description: Short name or login of the user.
       example: albert
@@ -8714,8 +8558,6 @@ tls:
         of certificate offered by the client.
       type: keyword
     tls.client.issuer:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: tls-client-issuer
       description: Distinguished name of subject of the issuer of the x.509 certificate
         presented by the client.
@@ -8776,8 +8618,6 @@ tls:
       short: Hostname the client is trying to connect to. Also called the SNI.
       type: keyword
     tls.client.subject:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: tls-client-subject
       description: Distinguished name of subject of the x.509 certificate presented
         by the client.
@@ -8844,8 +8684,6 @@ tls:
       short: List of country (C) codes
       type: keyword
     tls.client.x509.issuer.distinguished_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: tls-client-x509-issuer-distinguished-name
       description: Distinguished name (DN) of issuing certificate authority.
       example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
@@ -9035,8 +8873,6 @@ tls:
       short: List of country (C) code
       type: keyword
     tls.client.x509.subject.distinguished_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: tls-client-x509-subject-distinguished-name
       description: Distinguished name (DN) of the certificate subject entity.
       example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
@@ -9227,8 +9063,6 @@ tls:
         of certificate offered by the server.
       type: keyword
     tls.server.issuer:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: tls-server-issuer
       description: Subject of the issuer of the x.509 certificate presented by the
         server.
@@ -9275,8 +9109,6 @@ tls:
       short: Timestamp indicating when server certificate is first considered valid.
       type: date
     tls.server.subject:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: tls-server-subject
       description: Subject of the x.509 certificate presented by the server.
       example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com
@@ -9328,8 +9160,6 @@ tls:
       short: List of country (C) codes
       type: keyword
     tls.server.x509.issuer.distinguished_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: tls-server-x509-issuer-distinguished-name
       description: Distinguished name (DN) of issuing certificate authority.
       example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
@@ -9519,8 +9349,6 @@ tls:
       short: List of country (C) code
       type: keyword
     tls.server.x509.subject.distinguished_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: tls-server-x509-subject-distinguished-name
       description: Distinguished name (DN) of the certificate subject entity.
       example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
@@ -9696,8 +9524,6 @@ url:
     the breaking down into scheme, domain, path, and so on.
   fields:
     url.domain:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: url-domain
       description: 'Domain of the url, such as "www.elastic.co".
 
@@ -9747,8 +9573,6 @@ url:
       short: Portion of the url after the `#`.
       type: keyword
     url.full:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: url-full
       description: If full URLs are important to your use case, they should be stored
         in `url.full`, whether this field is reconstructed or present in the event
@@ -9766,8 +9590,6 @@ url:
       short: Full unparsed URL.
       type: wildcard
     url.original:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: url-original
       description: 'Unmodified original url as seen in the event source.
 
@@ -9798,8 +9620,6 @@ url:
       short: Password of the request.
       type: keyword
     url.path:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: url-path
       description: Path of the request, such as "/search".
       flat_name: url.path
@@ -9836,8 +9656,6 @@ url:
       short: Query string of the request.
       type: keyword
     url.registered_domain:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: url-registered-domain
       description: 'The highest registered url domain, stripped of the subdomain.
 
@@ -9938,8 +9756,6 @@ user:
       short: Name of the directory the user is a member of.
       type: keyword
     user.changes.email:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: user-changes-email
       description: User email address.
       flat_name: user.changes.email
@@ -9950,8 +9766,6 @@ user:
       short: User email address.
       type: wildcard
     user.changes.full_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: user-changes-full-name
       description: User's full name, if available.
       example: Albert Einstein
@@ -10029,8 +9843,6 @@ user:
       short: Unique identifier of the user.
       type: keyword
     user.changes.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: user-changes-name
       description: Short name or login of the user.
       example: albert
@@ -10085,8 +9897,6 @@ user:
       short: Name of the directory the user is a member of.
       type: keyword
     user.effective.email:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: user-effective-email
       description: User email address.
       flat_name: user.effective.email
@@ -10097,8 +9907,6 @@ user:
       short: User email address.
       type: wildcard
     user.effective.full_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: user-effective-full-name
       description: User's full name, if available.
       example: Albert Einstein
@@ -10176,8 +9984,6 @@ user:
       short: Unique identifier of the user.
       type: keyword
     user.effective.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: user-effective-name
       description: Short name or login of the user.
       example: albert
@@ -10207,8 +10013,6 @@ user:
       short: Array of user roles at the time of the event.
       type: keyword
     user.email:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: user-email
       description: User email address.
       flat_name: user.email
@@ -10218,8 +10022,6 @@ user:
       short: User email address.
       type: wildcard
     user.full_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: user-full-name
       description: User's full name, if available.
       example: Albert Einstein
@@ -10294,8 +10096,6 @@ user:
       short: Unique identifier of the user.
       type: keyword
     user.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: user-name
       description: Short name or login of the user.
       example: albert
@@ -10336,8 +10136,6 @@ user:
       short: Name of the directory the user is a member of.
       type: keyword
     user.target.email:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: user-target-email
       description: User email address.
       flat_name: user.target.email
@@ -10348,8 +10146,6 @@ user:
       short: User email address.
       type: wildcard
     user.target.full_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: user-target-full-name
       description: User's full name, if available.
       example: Albert Einstein
@@ -10427,8 +10223,6 @@ user:
       short: Unique identifier of the user.
       type: keyword
     user.target.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: user-target-name
       description: Short name or login of the user.
       example: albert
@@ -10542,8 +10336,6 @@ user_agent:
       short: Name of the user agent.
       type: keyword
     user_agent.original:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: user-agent-original
       description: Unparsed user_agent string.
       example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15
@@ -10572,8 +10364,6 @@ user_agent:
       short: OS family (such as redhat, debian, freebsd, windows).
       type: keyword
     user_agent.os.full:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: user-agent-os-full
       description: Operating system name, including the version or code name.
       example: Mac OS Mojave
@@ -10602,8 +10392,6 @@ user_agent:
       short: Operating system kernel version as a raw string.
       type: keyword
     user_agent.os.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: user-agent-os-name
       description: Operating system name, without the version.
       example: Mac OS X
@@ -10984,8 +10772,6 @@ x509:
       short: List of country (C) codes
       type: keyword
     x509.issuer.distinguished_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: x509-issuer-distinguished-name
       description: Distinguished name (DN) of issuing certificate authority.
       example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
@@ -11160,8 +10946,6 @@ x509:
       short: List of country (C) code
       type: keyword
     x509.subject.distinguished_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: x509-subject-distinguished-name
       description: Distinguished name (DN) of the certificate subject entity.
       example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
diff --git a/experimental/schemas/agent.yml b/experimental/schemas/agent.yml
new file mode 100644
index 0000000000..d09e77111d
--- /dev/null
+++ b/experimental/schemas/agent.yml
@@ -0,0 +1,5 @@
+---
+- name: agent
+  fields:
+    - name: build.original
+      type: wildcard
diff --git a/experimental/schemas/as.yml b/experimental/schemas/as.yml
new file mode 100644
index 0000000000..96cf45621c
--- /dev/null
+++ b/experimental/schemas/as.yml
@@ -0,0 +1,5 @@
+---
+- name: as
+  fields:
+    - name: organization.name
+      type: wildcard
diff --git a/experimental/schemas/client.yml b/experimental/schemas/client.yml
new file mode 100644
index 0000000000..14ed3a9a37
--- /dev/null
+++ b/experimental/schemas/client.yml
@@ -0,0 +1,7 @@
+---
+  - name: client
+    fields:
+      - name: domain
+        type: wildcard
+      - name: registered_domain
+        type: wildcard
diff --git a/experimental/schemas/destination.yml b/experimental/schemas/destination.yml
new file mode 100644
index 0000000000..d64a84c6be
--- /dev/null
+++ b/experimental/schemas/destination.yml
@@ -0,0 +1,7 @@
+---
+  - name: destination
+    fields:
+      - name: domain
+        type: wildcard
+      - name: registered_domain
+        type: wildcard
diff --git a/experimental/schemas/dns.yml b/experimental/schemas/dns.yml
new file mode 100644
index 0000000000..466859c09f
--- /dev/null
+++ b/experimental/schemas/dns.yml
@@ -0,0 +1,9 @@
+---
+- name: dns
+  fields:
+    - name: question.name
+      type: wildcard
+    - name: answers
+      type: object
+    - name: answers.data
+      type: wildcard
diff --git a/experimental/schemas/error.yml b/experimental/schemas/error.yml
new file mode 100644
index 0000000000..f2004d3fe0
--- /dev/null
+++ b/experimental/schemas/error.yml
@@ -0,0 +1,9 @@
+---
+- name: error
+  fields:
+    - name: stack_trace
+      index: true
+      type: wildcard
+
+    - name: type
+      type: wildcard
diff --git a/experimental/schemas/file.yml b/experimental/schemas/file.yml
new file mode 100644
index 0000000000..f4938d38be
--- /dev/null
+++ b/experimental/schemas/file.yml
@@ -0,0 +1,9 @@
+---
+- name: file
+  fields:
+    - name: directory
+      type: wildcard
+    - name: path
+      type: wildcard
+    - name: target_path
+      type: wildcard
diff --git a/experimental/schemas/geo.yml b/experimental/schemas/geo.yml
new file mode 100644
index 0000000000..d3445a5a2b
--- /dev/null
+++ b/experimental/schemas/geo.yml
@@ -0,0 +1,5 @@
+---
+  - name: geo
+    fields:
+      - name: name
+        type: wildcard
diff --git a/experimental/schemas/host.yml b/experimental/schemas/host.yml
index eabc2f9af8..b7b57cfc09 100644
--- a/experimental/schemas/host.yml
+++ b/experimental/schemas/host.yml
@@ -60,3 +60,6 @@
       description: >
         The total number of bytes (gauge) written successfully (aggregated from
         all disks) since the last metric collection.
+
+    - name: hostname
+      type: wildcard
diff --git a/experimental/schemas/http.yml b/experimental/schemas/http.yml
new file mode 100644
index 0000000000..1722cdc5e7
--- /dev/null
+++ b/experimental/schemas/http.yml
@@ -0,0 +1,9 @@
+---
+- name: http
+  fields:
+    - name: request.body.content
+      type: wildcard
+    - name: request.referrer
+      type: wildcard
+    - name: response.body.content
+      type: wildcard
diff --git a/experimental/schemas/log.yml b/experimental/schemas/log.yml
new file mode 100644
index 0000000000..8a2f2dd397
--- /dev/null
+++ b/experimental/schemas/log.yml
@@ -0,0 +1,7 @@
+---
+- name: log
+  fields:
+    - name: file.path
+      type: wildcard
+    - name: logger
+      type: wildcard
diff --git a/experimental/schemas/organization.yml b/experimental/schemas/organization.yml
new file mode 100644
index 0000000000..594581413b
--- /dev/null
+++ b/experimental/schemas/organization.yml
@@ -0,0 +1,5 @@
+---
+- name: organization
+  fields:
+    - name: name
+      type: wildcard
diff --git a/experimental/schemas/os.yml b/experimental/schemas/os.yml
new file mode 100644
index 0000000000..ec9d71a79c
--- /dev/null
+++ b/experimental/schemas/os.yml
@@ -0,0 +1,7 @@
+---
+- name: os
+  fields:
+    - name: name
+      type: wildcard
+    - name: full
+      type: wildcard
diff --git a/experimental/schemas/pe.yml b/experimental/schemas/pe.yml
new file mode 100644
index 0000000000..77a0574348
--- /dev/null
+++ b/experimental/schemas/pe.yml
@@ -0,0 +1,5 @@
+---
+- name: pe
+  fields:
+    - name: original_file_name
+      type: wildcard
diff --git a/experimental/schemas/process.yml b/experimental/schemas/process.yml
new file mode 100644
index 0000000000..e759e97e86
--- /dev/null
+++ b/experimental/schemas/process.yml
@@ -0,0 +1,15 @@
+---
+- name: process
+  fields:
+    - name: command_line
+      type: wildcard
+    - name: executable
+      type: wildcard
+    - name: name
+      type: wildcard
+    - name: thread.name
+      type: wildcard
+    - name: title
+      type: wildcard
+    - name: working_directory
+      type: wildcard
diff --git a/experimental/schemas/registry.yml b/experimental/schemas/registry.yml
new file mode 100644
index 0000000000..66f6f6b22c
--- /dev/null
+++ b/experimental/schemas/registry.yml
@@ -0,0 +1,9 @@
+---
+- name: registry
+  fields:
+    - name: key
+      type: wildcard
+    - name: path
+      type: wildcard
+    - name: data.strings
+      type: wildcard
diff --git a/experimental/schemas/server.yml b/experimental/schemas/server.yml
new file mode 100644
index 0000000000..70c285f374
--- /dev/null
+++ b/experimental/schemas/server.yml
@@ -0,0 +1,7 @@
+---
+  - name: server
+    fields:
+      - name: domain
+        type: wildcard
+      - name: registered_domain
+        type: wildcard
diff --git a/experimental/schemas/source.yml b/experimental/schemas/source.yml
new file mode 100644
index 0000000000..d810a6cb79
--- /dev/null
+++ b/experimental/schemas/source.yml
@@ -0,0 +1,7 @@
+---
+- name: source
+  fields:
+    - name: domain
+      type: wildcard
+    - name: registered_domain
+      type: wildcard
diff --git a/experimental/schemas/tls.yml b/experimental/schemas/tls.yml
new file mode 100644
index 0000000000..4f5378a313
--- /dev/null
+++ b/experimental/schemas/tls.yml
@@ -0,0 +1,11 @@
+---
+- name: tls
+  fields:
+    - name: client.issuer
+      type: wildcard
+    - name: client.subject
+      type: wildcard
+    - name: server.issuer
+      type: wildcard
+    - name: server.subject
+      type: wildcard
diff --git a/experimental/schemas/url.yml b/experimental/schemas/url.yml
new file mode 100644
index 0000000000..0d5f66c36a
--- /dev/null
+++ b/experimental/schemas/url.yml
@@ -0,0 +1,13 @@
+---
+- name: url
+  fields:
+    - name: original
+      type: wildcard
+    - name: full
+      type: wildcard
+    - name: path
+      type: wildcard
+    - name: domain
+      type: wildcard
+    - name: registered_domain
+      type: wildcard
diff --git a/experimental/schemas/user.yml b/experimental/schemas/user.yml
new file mode 100644
index 0000000000..89e182fbee
--- /dev/null
+++ b/experimental/schemas/user.yml
@@ -0,0 +1,9 @@
+---
+- name: user
+  fields:
+    - name: name
+      type: wildcard
+    - name: full_name
+      type: wildcard
+    - name: email
+      type: wildcard
diff --git a/experimental/schemas/user_agent.yml b/experimental/schemas/user_agent.yml
new file mode 100644
index 0000000000..c413a9d702
--- /dev/null
+++ b/experimental/schemas/user_agent.yml
@@ -0,0 +1,5 @@
+---
+- name: user_agent
+  fields:
+    - name: original
+      type: wildcard
diff --git a/experimental/schemas/x509.yml b/experimental/schemas/x509.yml
new file mode 100644
index 0000000000..d1c7d8af6b
--- /dev/null
+++ b/experimental/schemas/x509.yml
@@ -0,0 +1,7 @@
+---
+- name: x509
+  fields:
+    - name: issuer.distinguished_name
+      type: wildcard
+    - name: subject.distinguished_name
+      type: wildcard
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 75b3f4a862..1c6cea3a9a 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -66,7 +66,8 @@
     fields:
     - name: build.original
       level: core
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: 'Extended build information for the agent.
 
         This field is intended to contain any build information that a data source
@@ -135,7 +136,8 @@
       example: 15169
     - name: organization.name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -181,7 +183,8 @@
       example: 15169
     - name: as.organization.name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -197,7 +200,8 @@
       example: 184
     - name: domain
       level: core
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: Client domain.
     - name: geo.city_name
       level: core
@@ -230,7 +234,8 @@
       example: '{ "lon": -73.614830, "lat": 45.505918 }'
     - name: geo.name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: 'User-defined description of a location, at the level of granularity
         they care about.
 
@@ -287,7 +292,8 @@
       description: Port of the client.
     - name: registered_domain
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: 'The highest registered client domain, stripped of the subdomain.
 
         For example, the registered domain for "foo.example.com" is "example.com".
@@ -331,11 +337,13 @@
         For example, an LDAP or Active Directory domain name.'
     - name: user.email
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: User email address.
     - name: user.full_name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -376,7 +384,8 @@
       description: Unique identifier of the user.
     - name: user.name
       level: core
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -607,7 +616,8 @@
       example: 15169
     - name: as.organization.name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -623,7 +633,8 @@
       example: 184
     - name: domain
       level: core
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: Destination domain.
     - name: geo.city_name
       level: core
@@ -656,7 +667,8 @@
       example: '{ "lon": -73.614830, "lat": 45.505918 }'
     - name: geo.name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: 'User-defined description of a location, at the level of granularity
         they care about.
 
@@ -712,7 +724,8 @@
       description: Port of the destination.
     - name: registered_domain
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: 'The highest registered destination domain, stripped of the subdomain.
 
         For example, the registered domain for "foo.example.com" is "example.com".
@@ -756,11 +769,13 @@
         For example, an LDAP or Active Directory domain name.'
     - name: user.email
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: User email address.
     - name: user.full_name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -801,7 +816,8 @@
       description: Unique identifier of the user.
     - name: user.name
       level: core
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -962,7 +978,8 @@
       default_field: false
     - name: pe.original_file_name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
       default_field: false
@@ -1005,7 +1022,8 @@
       example: IN
     - name: answers.data
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: 'The data describing the resource.
 
         The meaning of this data depends on the type and class of the resource record.'
@@ -1064,7 +1082,8 @@
       example: IN
     - name: question.name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: 'The name being queried.
 
         If the name field contains non-printable characters (below 32 or above 126),
@@ -1183,16 +1202,19 @@
       description: Error message.
     - name: stack_trace
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
         norms: false
         default_field: false
       description: The stack trace of this error in plain text.
+      index: false
     - name: type
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: The type of the error, for example the class name of the exception.
       example: java.lang.NullPointerException
   - name: event
@@ -1581,7 +1603,8 @@
       example: sda
     - name: directory
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: Directory where the file is located. It should include the drive
         letter, when appropriate.
       example: /home/alice
@@ -1681,7 +1704,8 @@
       example: alice
     - name: path
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -1731,7 +1755,8 @@
       default_field: false
     - name: pe.original_file_name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
       default_field: false
@@ -1751,7 +1776,8 @@
       example: 16384
     - name: target_path
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -1795,7 +1821,8 @@
       default_field: false
     - name: x509.issuer.distinguished_name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: Distinguished name (DN) of issuing certificate authority.
       example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
         Server CA
@@ -1901,7 +1928,8 @@
       default_field: false
     - name: x509.subject.distinguished_name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: Distinguished name (DN) of the certificate subject entity.
       example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
       default_field: false
@@ -1980,7 +2008,8 @@
       example: '{ "lon": -73.614830, "lat": 45.505918 }'
     - name: name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: 'User-defined description of a location, at the level of granularity
         they care about.
 
@@ -2124,7 +2153,8 @@
       example: '{ "lon": -73.614830, "lat": 45.505918 }'
     - name: geo.name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: 'User-defined description of a location, at the level of granularity
         they care about.
 
@@ -2147,7 +2177,8 @@
       example: Quebec
     - name: hostname
       level: core
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: 'Hostname of the host.
 
         It normally contains what the `hostname` command returns on the host machine.'
@@ -2186,7 +2217,8 @@
       example: debian
     - name: os.full
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -2202,7 +2234,8 @@
       example: 4.4.0-112-generic
     - name: os.name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -2260,11 +2293,13 @@
         For example, an LDAP or Active Directory domain name.'
     - name: user.email
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: User email address.
     - name: user.full_name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -2305,7 +2340,8 @@
       description: Unique identifier of the user.
     - name: user.name
       level: core
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -2335,7 +2371,8 @@
       example: 887
     - name: request.body.content
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -2388,7 +2425,8 @@
       default_field: false
     - name: request.referrer
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: Referrer for this HTTP request.
       example: https://blog.example.com/
     - name: response.body.bytes
@@ -2399,7 +2437,8 @@
       example: 887
     - name: response.body.content
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -2485,7 +2524,8 @@
     fields:
     - name: file.path
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: 'Full path to the log file this event came from, including the
         file name. It should include the drive letter, when appropriate.
 
@@ -2506,7 +2546,8 @@
       example: error
     - name: logger
       level: core
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: The name of the logger inside an application. This is usually the
         name of the class which initialized the logger, or can be a custom name.
       example: org.elasticsearch.bootstrap.Bootstrap
@@ -2852,7 +2893,8 @@
       example: '{ "lon": -73.614830, "lat": 45.505918 }'
     - name: geo.name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: 'User-defined description of a location, at the level of granularity
         they care about.
 
@@ -2960,7 +3002,8 @@
       example: debian
     - name: os.full
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -2976,7 +3019,8 @@
       example: 4.4.0-112-generic
     - name: os.name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -3059,7 +3103,8 @@
       description: Unique identifier for the organization.
     - name: name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -3080,7 +3125,8 @@
       example: debian
     - name: full
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -3096,7 +3142,8 @@
       example: 4.4.0-112-generic
     - name: name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -3276,7 +3323,8 @@
       default_field: false
     - name: original_file_name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
       default_field: false
@@ -3360,7 +3408,8 @@
       default_field: false
     - name: command_line
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -3388,7 +3437,8 @@
       default_field: false
     - name: executable
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -3433,7 +3483,8 @@
       default_field: false
     - name: name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -3507,7 +3558,8 @@
       default_field: false
     - name: parent.command_line
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -3535,7 +3587,8 @@
       default_field: false
     - name: parent.executable
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -3584,7 +3637,8 @@
       default_field: false
     - name: parent.name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -3635,7 +3689,8 @@
       default_field: false
     - name: parent.pe.original_file_name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
       default_field: false
@@ -3681,13 +3736,15 @@
       default_field: false
     - name: parent.thread.name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: Thread name.
       example: thread-0
       default_field: false
     - name: parent.title
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -3705,7 +3762,8 @@
       default_field: false
     - name: parent.working_directory
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -3754,7 +3812,8 @@
       default_field: false
     - name: pe.original_file_name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
       default_field: false
@@ -3795,12 +3854,14 @@
       example: 4242
     - name: thread.name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: Thread name.
       example: thread-0
     - name: title
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -3817,7 +3878,8 @@
       example: 1325
     - name: working_directory
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -3844,7 +3906,8 @@
       default_field: false
     - name: data.strings
       level: core
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: 'Content when writing string types.
 
         Populated as an array when writing string data to the registry. For single
@@ -3870,13 +3933,15 @@
       default_field: false
     - name: key
       level: core
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: Hive-relative path of keys.
       example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
       default_field: false
     - name: path
       level: core
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: Full path, including hive, key and value
       example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
         Options\winword.exe\Debugger
@@ -4061,7 +4126,8 @@
       example: 15169
     - name: as.organization.name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -4077,7 +4143,8 @@
       example: 184
     - name: domain
       level: core
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: Server domain.
     - name: geo.city_name
       level: core
@@ -4110,7 +4177,8 @@
       example: '{ "lon": -73.614830, "lat": 45.505918 }'
     - name: geo.name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: 'User-defined description of a location, at the level of granularity
         they care about.
 
@@ -4167,7 +4235,8 @@
       description: Port of the server.
     - name: registered_domain
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: 'The highest registered server domain, stripped of the subdomain.
 
         For example, the registered domain for "foo.example.com" is "example.com".
@@ -4211,11 +4280,13 @@
         For example, an LDAP or Active Directory domain name.'
     - name: user.email
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: User email address.
     - name: user.full_name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -4256,7 +4327,8 @@
       description: Unique identifier of the user.
     - name: user.name
       level: core
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -4390,7 +4462,8 @@
       example: 15169
     - name: as.organization.name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -4406,7 +4479,8 @@
       example: 184
     - name: domain
       level: core
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: Source domain.
     - name: geo.city_name
       level: core
@@ -4439,7 +4513,8 @@
       example: '{ "lon": -73.614830, "lat": 45.505918 }'
     - name: geo.name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: 'User-defined description of a location, at the level of granularity
         they care about.
 
@@ -4496,7 +4571,8 @@
       description: Port of the source.
     - name: registered_domain
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: 'The highest registered source domain, stripped of the subdomain.
 
         For example, the registered domain for "foo.example.com" is "example.com".
@@ -4540,11 +4616,13 @@
         For example, an LDAP or Active Directory domain name.'
     - name: user.email
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: User email address.
     - name: user.full_name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -4585,7 +4663,8 @@
       description: Unique identifier of the user.
     - name: user.name
       level: core
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -4759,7 +4838,8 @@
       default_field: false
     - name: client.issuer
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: Distinguished name of subject of the issuer of the x.509 certificate
         presented by the client.
       example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
@@ -4797,7 +4877,8 @@
       default_field: false
     - name: client.subject
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: Distinguished name of subject of the x.509 certificate presented
         by the client.
       example: CN=myclient, OU=Documentation Team, DC=example, DC=com
@@ -4835,7 +4916,8 @@
       default_field: false
     - name: client.x509.issuer.distinguished_name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: Distinguished name (DN) of issuing certificate authority.
       example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
         Server CA
@@ -4941,7 +5023,8 @@
       default_field: false
     - name: client.x509.subject.distinguished_name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: Distinguished name (DN) of the certificate subject entity.
       example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
       default_field: false
@@ -5054,7 +5137,8 @@
       default_field: false
     - name: server.issuer
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: Subject of the issuer of the x.509 certificate presented by the
         server.
       example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
@@ -5083,7 +5167,8 @@
       default_field: false
     - name: server.subject
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: Subject of the x.509 certificate presented by the server.
       example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com
       default_field: false
@@ -5112,7 +5197,8 @@
       default_field: false
     - name: server.x509.issuer.distinguished_name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: Distinguished name (DN) of issuing certificate authority.
       example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
         Server CA
@@ -5218,7 +5304,8 @@
       default_field: false
     - name: server.x509.subject.distinguished_name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: Distinguished name (DN) of the certificate subject entity.
       example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
       default_field: false
@@ -5307,7 +5394,8 @@
     fields:
     - name: domain
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: 'Domain of the url, such as "www.elastic.co".
 
         In some cases a URL may refer to an IP and/or port directly, without a domain
@@ -5341,7 +5429,8 @@
         The `#` is not part of the fragment.'
     - name: full
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -5353,7 +5442,8 @@
       example: https://www.elastic.co:443/search?q=elasticsearch#top
     - name: original
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -5373,7 +5463,8 @@
       description: Password of the request.
     - name: path
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: Path of the request, such as "/search".
     - name: port
       level: extended
@@ -5394,7 +5485,8 @@
         the two cases.'
     - name: registered_domain
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: 'The highest registered url domain, stripped of the subdomain.
 
         For example, the registered domain for "foo.example.com" is "example.com".
@@ -5462,12 +5554,14 @@
       default_field: false
     - name: changes.email
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: User email address.
       default_field: false
     - name: changes.full_name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -5513,7 +5607,8 @@
       default_field: false
     - name: changes.name
       level: core
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -5545,12 +5640,14 @@
       default_field: false
     - name: effective.email
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: User email address.
       default_field: false
     - name: effective.full_name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -5596,7 +5693,8 @@
       default_field: false
     - name: effective.name
       level: core
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -5613,11 +5711,13 @@
       default_field: false
     - name: email
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: User email address.
     - name: full_name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -5658,7 +5758,8 @@
       description: Unique identifier of the user.
     - name: name
       level: core
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -5683,12 +5784,14 @@
       default_field: false
     - name: target.email
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: User email address.
       default_field: false
     - name: target.full_name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -5734,7 +5837,8 @@
       default_field: false
     - name: target.name
       level: core
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -5771,7 +5875,8 @@
       example: Safari
     - name: original
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -5787,7 +5892,8 @@
       example: debian
     - name: os.full
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -5803,7 +5909,8 @@
       example: 4.4.0-112-generic
     - name: os.name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       multi_fields:
       - name: text
         type: text
@@ -6050,7 +6157,8 @@
       default_field: false
     - name: issuer.distinguished_name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: Distinguished name (DN) of issuing certificate authority.
       example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
         Server CA
@@ -6156,7 +6264,8 @@
       default_field: false
     - name: subject.distinguished_name
       level: extended
-      type: wildcard
+      type: keyword
+      ignore_above: 1024
       description: Distinguished name (DN) of the certificate subject entity.
       example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
       default_field: false
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index 68c90ecb74..a71bdc558e 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -3,7 +3,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs.
 1.9.0-dev,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer.
 1.9.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event.
-1.9.0-dev,true,agent,agent.build.original,wildcard,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent.
+1.9.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent.
 1.9.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent.
 1.9.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
 1.9.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
@@ -11,16 +11,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
 1.9.0-dev,true,client,client.address,keyword,extended,,,Client network address.
 1.9.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.9.0-dev,true,client,client.as.organization.name,wildcard,extended,,Google LLC,Organization name.
+1.9.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name.
 1.9.0-dev,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name.
 1.9.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server.
-1.9.0-dev,true,client,client.domain,wildcard,core,,,Client domain.
+1.9.0-dev,true,client,client.domain,keyword,core,,,Client domain.
 1.9.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name.
 1.9.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent.
 1.9.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code.
 1.9.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name.
 1.9.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.9.0-dev,true,client,client.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.9.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
 1.9.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
 1.9.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name.
 1.9.0-dev,true,client,client.ip,ip,core,,,IP address of the client.
@@ -29,19 +29,19 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port
 1.9.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server.
 1.9.0-dev,true,client,client.port,long,core,,,Port of the client.
-1.9.0-dev,true,client,client.registered_domain,wildcard,extended,,example.com,"The highest registered client domain, stripped of the subdomain."
+1.9.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain."
 1.9.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain.
 1.9.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
 1.9.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.9.0-dev,true,client,client.user.email,wildcard,extended,,,User email address.
-1.9.0-dev,true,client,client.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev,true,client,client.user.email,keyword,extended,,,User email address.
+1.9.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
 1.9.0-dev,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
 1.9.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
 1.9.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 1.9.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group.
 1.9.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 1.9.0-dev,true,client,client.user.id,keyword,core,,,Unique identifier of the user.
-1.9.0-dev,true,client,client.user.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0-dev,true,client,client.user.name,keyword,core,,albert,Short name or login of the user.
 1.9.0-dev,true,client,client.user.name.text,text,core,,albert,Short name or login of the user.
 1.9.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.9.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id.
@@ -63,16 +63,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container.
 1.9.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address.
 1.9.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.9.0-dev,true,destination,destination.as.organization.name,wildcard,extended,,Google LLC,Organization name.
+1.9.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name.
 1.9.0-dev,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name.
 1.9.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source.
-1.9.0-dev,true,destination,destination.domain,wildcard,core,,,Destination domain.
+1.9.0-dev,true,destination,destination.domain,keyword,core,,,Destination domain.
 1.9.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name.
 1.9.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent.
 1.9.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code.
 1.9.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name.
 1.9.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.9.0-dev,true,destination,destination.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.9.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
 1.9.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
 1.9.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name.
 1.9.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination.
@@ -81,19 +81,19 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port
 1.9.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source.
 1.9.0-dev,true,destination,destination.port,long,core,,,Port of the destination.
-1.9.0-dev,true,destination,destination.registered_domain,wildcard,extended,,example.com,"The highest registered destination domain, stripped of the subdomain."
+1.9.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain."
 1.9.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain.
 1.9.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
 1.9.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.9.0-dev,true,destination,destination.user.email,wildcard,extended,,,User email address.
-1.9.0-dev,true,destination,destination.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address.
+1.9.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
 1.9.0-dev,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
 1.9.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
 1.9.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 1.9.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group.
 1.9.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 1.9.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user.
-1.9.0-dev,true,destination,destination.user.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0-dev,true,destination,destination.user.name,keyword,core,,albert,Short name or login of the user.
 1.9.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user.
 1.9.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.9.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
@@ -113,11 +113,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
 1.9.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
 1.9.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.9.0-dev,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.9.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
 1.9.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
 1.9.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers.
 1.9.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record.
-1.9.0-dev,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource.
+1.9.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource.
 1.9.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains.
 1.9.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded.
 1.9.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record.
@@ -125,7 +125,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
 1.9.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message.
 1.9.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried.
-1.9.0-dev,true,dns,dns.question.name,wildcard,extended,,www.example.com,The name being queried.
+1.9.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried.
 1.9.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain."
 1.9.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain.
 1.9.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
@@ -137,9 +137,9 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,error,error.code,keyword,core,,,Error code describing the error.
 1.9.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error.
 1.9.0-dev,true,error,error.message,text,core,,,Error message.
-1.9.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text.
-1.9.0-dev,true,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text.
-1.9.0-dev,true,error,error.type,wildcard,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception."
+1.9.0-dev,false,error,error.stack_trace,keyword,extended,,,The stack trace of this error in plain text.
+1.9.0-dev,false,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text.
+1.9.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception."
 1.9.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event.
 1.9.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy.
 1.9.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event.
@@ -175,7 +175,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,file,file.created,date,extended,,,File creation time.
 1.9.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed.
 1.9.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file.
-1.9.0-dev,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located.
+1.9.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located.
 1.9.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
 1.9.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
 1.9.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
@@ -191,24 +191,24 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified.
 1.9.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
 1.9.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username.
-1.9.0-dev,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+1.9.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
 1.9.0-dev,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
 1.9.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
 1.9.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
 1.9.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
 1.9.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
 1.9.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.9.0-dev,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.9.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
 1.9.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
 1.9.0-dev,true,file,file.size,long,extended,,16384,File size in bytes.
-1.9.0-dev,true,file,file.target_path,wildcard,extended,,,Target path for symlinks.
+1.9.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks.
 1.9.0-dev,true,file,file.target_path.text,text,extended,,,Target path for symlinks.
 1.9.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
 1.9.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
 1.9.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
 1.9.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
 1.9.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-1.9.0-dev,true,file,file.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.9.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
 1.9.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
 1.9.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
 1.9.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
@@ -223,7 +223,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
 1.9.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
 1.9.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code
-1.9.0-dev,true,file,file.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.9.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
 1.9.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
 1.9.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
 1.9.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
@@ -239,19 +239,19 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code.
 1.9.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name.
 1.9.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.9.0-dev,true,host,host.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.9.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
 1.9.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
 1.9.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name.
-1.9.0-dev,true,host,host.hostname,wildcard,core,,,Hostname of the host.
+1.9.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host.
 1.9.0-dev,true,host,host.id,keyword,core,,,Unique host id.
 1.9.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses.
 1.9.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses.
 1.9.0-dev,true,host,host.name,keyword,core,,,Name of the host.
 1.9.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.9.0-dev,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.9.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
 1.9.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
 1.9.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.9.0-dev,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
+1.9.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
 1.9.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
 1.9.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
 1.9.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
@@ -259,35 +259,35 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,host,host.type,keyword,core,,,Type of host.
 1.9.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up.
 1.9.0-dev,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.9.0-dev,true,host,host.user.email,wildcard,extended,,,User email address.
-1.9.0-dev,true,host,host.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev,true,host,host.user.email,keyword,extended,,,User email address.
+1.9.0-dev,true,host,host.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
 1.9.0-dev,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
 1.9.0-dev,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
 1.9.0-dev,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 1.9.0-dev,true,host,host.user.group.name,keyword,extended,,,Name of the group.
 1.9.0-dev,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 1.9.0-dev,true,host,host.user.id,keyword,core,,,Unique identifier of the user.
-1.9.0-dev,true,host,host.user.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0-dev,true,host,host.user.name,keyword,core,,albert,Short name or login of the user.
 1.9.0-dev,true,host,host.user.name.text,text,core,,albert,Short name or login of the user.
 1.9.0-dev,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.9.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body.
-1.9.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body.
+1.9.0-dev,true,http,http.request.body.content,keyword,extended,,Hello world,The full HTTP request body.
 1.9.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body.
 1.9.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers).
 1.9.0-dev,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID.
 1.9.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method.
 1.9.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request.
-1.9.0-dev,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request.
+1.9.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request.
 1.9.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body.
-1.9.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body.
+1.9.0-dev,true,http,http.response.body.content,keyword,extended,,Hello world,The full HTTP response body.
 1.9.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body.
 1.9.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers).
 1.9.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response.
 1.9.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code.
 1.9.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version.
-1.9.0-dev,true,log,log.file.path,wildcard,extended,,/var/log/fun-times.log,Full path to the log file this event came from.
+1.9.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from.
 1.9.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event.
-1.9.0-dev,true,log,log.logger,wildcard,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger.
+1.9.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger.
 1.9.0-dev,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event.
 1.9.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event.
 1.9.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event.
@@ -326,7 +326,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code.
 1.9.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name.
 1.9.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.9.0-dev,true,observer,observer.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.9.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
 1.9.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
 1.9.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name.
 1.9.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer.
@@ -341,10 +341,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer
 1.9.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer.
 1.9.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.9.0-dev,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.9.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
 1.9.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
 1.9.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.9.0-dev,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
+1.9.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
 1.9.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
 1.9.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
 1.9.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
@@ -355,7 +355,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer.
 1.9.0-dev,true,observer,observer.version,keyword,core,,,Observer version.
 1.9.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization.
-1.9.0-dev,true,organization,organization.name,wildcard,extended,,,Organization name.
+1.9.0-dev,true,organization,organization.name,keyword,extended,,,Organization name.
 1.9.0-dev,true,organization,organization.name.text,text,extended,,,Organization name.
 1.9.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture.
 1.9.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information
@@ -377,10 +377,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
 1.9.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
 1.9.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.9.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.9.0-dev,true,process,process.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
 1.9.0-dev,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
 1.9.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-1.9.0-dev,true,process,process.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.9.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
 1.9.0-dev,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
 1.9.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process.
 1.9.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash.
@@ -388,7 +388,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash.
 1.9.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash.
 1.9.0-dev,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash.
-1.9.0-dev,true,process,process.name,wildcard,extended,,ssh,Process name.
+1.9.0-dev,true,process,process.name,keyword,extended,,ssh,Process name.
 1.9.0-dev,true,process,process.name.text,text,extended,,ssh,Process name.
 1.9.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
 1.9.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
@@ -397,10 +397,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
 1.9.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
 1.9.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.9.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.9.0-dev,true,process,process.parent.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
 1.9.0-dev,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
 1.9.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-1.9.0-dev,true,process,process.parent.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.9.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
 1.9.0-dev,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
 1.9.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process.
 1.9.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash.
@@ -408,50 +408,50 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash.
 1.9.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash.
 1.9.0-dev,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash.
-1.9.0-dev,true,process,process.parent.name,wildcard,extended,,ssh,Process name.
+1.9.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name.
 1.9.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name.
 1.9.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
 1.9.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
 1.9.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
 1.9.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
 1.9.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.9.0-dev,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.9.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
 1.9.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
 1.9.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
 1.9.0-dev,true,process,process.parent.pid,long,core,,4242,Process id.
 1.9.0-dev,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid.
 1.9.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
 1.9.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID.
-1.9.0-dev,true,process,process.parent.thread.name,wildcard,extended,,thread-0,Thread name.
-1.9.0-dev,true,process,process.parent.title,wildcard,extended,,,Process title.
+1.9.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name.
+1.9.0-dev,true,process,process.parent.title,keyword,extended,,,Process title.
 1.9.0-dev,true,process,process.parent.title.text,text,extended,,,Process title.
 1.9.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up.
-1.9.0-dev,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process.
+1.9.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process.
 1.9.0-dev,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process.
 1.9.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
 1.9.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
 1.9.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
 1.9.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
 1.9.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.9.0-dev,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.9.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
 1.9.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
 1.9.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
 1.9.0-dev,true,process,process.pid,long,core,,4242,Process id.
 1.9.0-dev,true,process,process.ppid,long,extended,,4241,Parent process' pid.
 1.9.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
 1.9.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID.
-1.9.0-dev,true,process,process.thread.name,wildcard,extended,,thread-0,Thread name.
-1.9.0-dev,true,process,process.title,wildcard,extended,,,Process title.
+1.9.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name.
+1.9.0-dev,true,process,process.title,keyword,extended,,,Process title.
 1.9.0-dev,true,process,process.title.text,text,extended,,,Process title.
 1.9.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up.
-1.9.0-dev,true,process,process.working_directory,wildcard,extended,,/home/alice,The working directory of the process.
+1.9.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process.
 1.9.0-dev,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process.
 1.9.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
-1.9.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
+1.9.0-dev,true,registry,registry.data.strings,keyword,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
 1.9.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
 1.9.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
-1.9.0-dev,true,registry,registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
-1.9.0-dev,true,registry,registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
+1.9.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
+1.9.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
 1.9.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written.
 1.9.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event.
 1.9.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event.
@@ -469,16 +469,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version
 1.9.0-dev,true,server,server.address,keyword,extended,,,Server network address.
 1.9.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.9.0-dev,true,server,server.as.organization.name,wildcard,extended,,Google LLC,Organization name.
+1.9.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name.
 1.9.0-dev,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name.
 1.9.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client.
-1.9.0-dev,true,server,server.domain,wildcard,core,,,Server domain.
+1.9.0-dev,true,server,server.domain,keyword,core,,,Server domain.
 1.9.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name.
 1.9.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent.
 1.9.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code.
 1.9.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name.
 1.9.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.9.0-dev,true,server,server.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.9.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
 1.9.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
 1.9.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name.
 1.9.0-dev,true,server,server.ip,ip,core,,,IP address of the server.
@@ -487,19 +487,19 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port
 1.9.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client.
 1.9.0-dev,true,server,server.port,long,core,,,Port of the server.
-1.9.0-dev,true,server,server.registered_domain,wildcard,extended,,example.com,"The highest registered server domain, stripped of the subdomain."
+1.9.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain."
 1.9.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain.
 1.9.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
 1.9.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.9.0-dev,true,server,server.user.email,wildcard,extended,,,User email address.
-1.9.0-dev,true,server,server.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev,true,server,server.user.email,keyword,extended,,,User email address.
+1.9.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
 1.9.0-dev,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
 1.9.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
 1.9.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 1.9.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group.
 1.9.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 1.9.0-dev,true,server,server.user.id,keyword,core,,,Unique identifier of the user.
-1.9.0-dev,true,server,server.user.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0-dev,true,server,server.user.name,keyword,core,,albert,Short name or login of the user.
 1.9.0-dev,true,server,server.user.name.text,text,core,,albert,Short name or login of the user.
 1.9.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.9.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
@@ -511,16 +511,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service.
 1.9.0-dev,true,source,source.address,keyword,extended,,,Source network address.
 1.9.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.9.0-dev,true,source,source.as.organization.name,wildcard,extended,,Google LLC,Organization name.
+1.9.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name.
 1.9.0-dev,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name.
 1.9.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination.
-1.9.0-dev,true,source,source.domain,wildcard,core,,,Source domain.
+1.9.0-dev,true,source,source.domain,keyword,core,,,Source domain.
 1.9.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name.
 1.9.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent.
 1.9.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code.
 1.9.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name.
 1.9.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.9.0-dev,true,source,source.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.9.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
 1.9.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
 1.9.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name.
 1.9.0-dev,true,source,source.ip,ip,core,,,IP address of the source.
@@ -529,19 +529,19 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port
 1.9.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination.
 1.9.0-dev,true,source,source.port,long,core,,,Port of the source.
-1.9.0-dev,true,source,source.registered_domain,wildcard,extended,,example.com,"The highest registered source domain, stripped of the subdomain."
+1.9.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain."
 1.9.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain.
 1.9.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
 1.9.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.9.0-dev,true,source,source.user.email,wildcard,extended,,,User email address.
-1.9.0-dev,true,source,source.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev,true,source,source.user.email,keyword,extended,,,User email address.
+1.9.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
 1.9.0-dev,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
 1.9.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
 1.9.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 1.9.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group.
 1.9.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 1.9.0-dev,true,source,source.user.id,keyword,core,,,Unique identifier of the user.
-1.9.0-dev,true,source,source.user.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0-dev,true,source,source.user.name,keyword,core,,albert,Short name or login of the user.
 1.9.0-dev,true,source,source.user.name.text,text,core,,albert,Short name or login of the user.
 1.9.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.9.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace.
@@ -563,17 +563,17 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client.
 1.9.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client.
 1.9.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client.
-1.9.0-dev,true,tls,tls.client.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
+1.9.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
 1.9.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake.
 1.9.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid.
 1.9.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid.
 1.9.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI.
-1.9.0-dev,true,tls,tls.client.subject,wildcard,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client.
+1.9.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client.
 1.9.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello.
 1.9.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
 1.9.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
 1.9.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-1.9.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.9.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
 1.9.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
 1.9.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
 1.9.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
@@ -588,7 +588,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
 1.9.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
 1.9.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code
-1.9.0-dev,true,tls,tls.client.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.9.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
 1.9.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
 1.9.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
 1.9.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
@@ -603,15 +603,15 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server.
 1.9.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server.
 1.9.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server.
-1.9.0-dev,true,tls,tls.server.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server.
+1.9.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server.
 1.9.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake.
 1.9.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid.
 1.9.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid.
-1.9.0-dev,true,tls,tls.server.subject,wildcard,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server.
+1.9.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server.
 1.9.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
 1.9.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
 1.9.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-1.9.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.9.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
 1.9.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
 1.9.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
 1.9.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
@@ -626,7 +626,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
 1.9.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
 1.9.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code
-1.9.0-dev,true,tls,tls.server.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.9.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
 1.9.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
 1.9.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
 1.9.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
@@ -636,79 +636,79 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string.
 1.9.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace.
 1.9.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace.
-1.9.0-dev,true,url,url.domain,wildcard,extended,,www.elastic.co,Domain of the url.
+1.9.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url.
 1.9.0-dev,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
 1.9.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`.
-1.9.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+1.9.0-dev,true,url,url.full,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
 1.9.0-dev,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-1.9.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+1.9.0-dev,true,url,url.original,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
 1.9.0-dev,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
 1.9.0-dev,true,url,url.password,keyword,extended,,,Password of the request.
-1.9.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
+1.9.0-dev,true,url,url.path,keyword,extended,,,"Path of the request, such as ""/search""."
 1.9.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443."
 1.9.0-dev,true,url,url.query,keyword,extended,,,Query string of the request.
-1.9.0-dev,true,url,url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
+1.9.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
 1.9.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url.
 1.9.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain.
 1.9.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
 1.9.0-dev,true,url,url.username,keyword,extended,,,Username of the request.
 1.9.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.9.0-dev,true,user,user.changes.email,wildcard,extended,,,User email address.
-1.9.0-dev,true,user,user.changes.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev,true,user,user.changes.email,keyword,extended,,,User email address.
+1.9.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
 1.9.0-dev,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
 1.9.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of.
 1.9.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 1.9.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group.
 1.9.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 1.9.0-dev,true,user,user.changes.id,keyword,core,,,Unique identifier of the user.
-1.9.0-dev,true,user,user.changes.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0-dev,true,user,user.changes.name,keyword,core,,albert,Short name or login of the user.
 1.9.0-dev,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user.
 1.9.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.9.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of.
 1.9.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.9.0-dev,true,user,user.effective.email,wildcard,extended,,,User email address.
-1.9.0-dev,true,user,user.effective.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev,true,user,user.effective.email,keyword,extended,,,User email address.
+1.9.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
 1.9.0-dev,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
 1.9.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of.
 1.9.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 1.9.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group.
 1.9.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 1.9.0-dev,true,user,user.effective.id,keyword,core,,,Unique identifier of the user.
-1.9.0-dev,true,user,user.effective.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0-dev,true,user,user.effective.name,keyword,core,,albert,Short name or login of the user.
 1.9.0-dev,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user.
 1.9.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.9.0-dev,true,user,user.email,wildcard,extended,,,User email address.
-1.9.0-dev,true,user,user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev,true,user,user.email,keyword,extended,,,User email address.
+1.9.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
 1.9.0-dev,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
 1.9.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
 1.9.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 1.9.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group.
 1.9.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 1.9.0-dev,true,user,user.id,keyword,core,,,Unique identifier of the user.
-1.9.0-dev,true,user,user.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0-dev,true,user,user.name,keyword,core,,albert,Short name or login of the user.
 1.9.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user.
 1.9.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.9.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.9.0-dev,true,user,user.target.email,wildcard,extended,,,User email address.
-1.9.0-dev,true,user,user.target.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev,true,user,user.target.email,keyword,extended,,,User email address.
+1.9.0-dev,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
 1.9.0-dev,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
 1.9.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of.
 1.9.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 1.9.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group.
 1.9.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 1.9.0-dev,true,user,user.target.id,keyword,core,,,Unique identifier of the user.
-1.9.0-dev,true,user,user.target.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0-dev,true,user,user.target.name,keyword,core,,albert,Short name or login of the user.
 1.9.0-dev,true,user,user.target.name.text,text,core,,albert,Short name or login of the user.
 1.9.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.9.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device.
 1.9.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
-1.9.0-dev,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
+1.9.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
 1.9.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
 1.9.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.9.0-dev,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.9.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
 1.9.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
 1.9.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.9.0-dev,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
+1.9.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
 1.9.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
 1.9.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
 1.9.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index f30e8aced4..1af94d22d3 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -18,8 +18,6 @@
   short: Date/time when the event originated.
   type: date
 agent.build.original:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: agent-build-original
   description: 'Extended build information for the agent.
 
@@ -28,11 +26,12 @@ agent.build.original:
   example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c
     built 2020-02-05 23:10:10 +0000 UTC]
   flat_name: agent.build.original
+  ignore_above: 1024
   level: core
   name: build.original
   normalize: []
   short: Extended build information for the agent.
-  type: wildcard
+  type: keyword
 agent.ephemeral_id:
   dashed_name: agent-ephemeral-id
   description: 'Ephemeral identifier of this agent (if one exists).
@@ -130,12 +129,11 @@ client.as.number:
   short: Unique number allocated to the autonomous system.
   type: long
 client.as.organization.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: client-as-organization-name
   description: Organization name.
   example: Google LLC
   flat_name: client.as.organization.name
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: client.as.organization.name.text
@@ -146,7 +144,7 @@ client.as.organization.name:
   normalize: []
   original_fieldset: as
   short: Organization name.
-  type: wildcard
+  type: keyword
 client.bytes:
   dashed_name: client-bytes
   description: Bytes sent from the client to the server.
@@ -159,16 +157,15 @@ client.bytes:
   short: Bytes sent from the client to the server.
   type: long
 client.domain:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: client-domain
   description: Client domain.
   flat_name: client.domain
+  ignore_above: 1024
   level: core
   name: domain
   normalize: []
   short: Client domain.
-  type: wildcard
+  type: keyword
 client.geo.city_name:
   dashed_name: client-geo-city-name
   description: City name.
@@ -229,8 +226,6 @@ client.geo.location:
   short: Longitude and latitude.
   type: geo_point
 client.geo.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: client-geo-name
   description: 'User-defined description of a location, at the level of granularity
     they care about.
@@ -241,12 +236,13 @@ client.geo.name:
     Not typically used in automated geolocation.'
   example: boston-dc
   flat_name: client.geo.name
+  ignore_above: 1024
   level: extended
   name: name
   normalize: []
   original_fieldset: geo
   short: User-defined description of a location.
-  type: wildcard
+  type: keyword
 client.geo.region_iso_code:
   dashed_name: client-geo-region-iso-code
   description: Region ISO code.
@@ -336,8 +332,6 @@ client.port:
   short: Port of the client.
   type: long
 client.registered_domain:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: client-registered-domain
   description: 'The highest registered client domain, stripped of the subdomain.
 
@@ -348,11 +342,12 @@ client.registered_domain:
     two labels will not work well for TLDs such as "co.uk".'
   example: example.com
   flat_name: client.registered_domain
+  ignore_above: 1024
   level: extended
   name: registered_domain
   normalize: []
   short: The highest registered client domain, stripped of the subdomain.
-  type: wildcard
+  type: keyword
 client.subdomain:
   dashed_name: client-subdomain
   description: 'The subdomain portion of a fully qualified domain name includes all
@@ -402,24 +397,22 @@ client.user.domain:
   short: Name of the directory the user is a member of.
   type: keyword
 client.user.email:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: client-user-email
   description: User email address.
   flat_name: client.user.email
+  ignore_above: 1024
   level: extended
   name: email
   normalize: []
   original_fieldset: user
   short: User email address.
-  type: wildcard
+  type: keyword
 client.user.full_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: client-user-full-name
   description: User's full name, if available.
   example: Albert Einstein
   flat_name: client.user.full_name
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: client.user.full_name.text
@@ -430,7 +423,7 @@ client.user.full_name:
   normalize: []
   original_fieldset: user
   short: User's full name, if available.
-  type: wildcard
+  type: keyword
 client.user.group.domain:
   dashed_name: client-user-group-domain
   description: 'Name of the directory the group is a member of.
@@ -493,12 +486,11 @@ client.user.id:
   short: Unique identifier of the user.
   type: keyword
 client.user.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: client-user-name
   description: Short name or login of the user.
   example: albert
   flat_name: client.user.name
+  ignore_above: 1024
   level: core
   multi_fields:
   - flat_name: client.user.name.text
@@ -509,7 +501,7 @@ client.user.name:
   normalize: []
   original_fieldset: user
   short: Short name or login of the user.
-  type: wildcard
+  type: keyword
 client.user.roles:
   dashed_name: client-user-roles
   description: Array of user roles at the time of the event.
@@ -748,12 +740,11 @@ destination.as.number:
   short: Unique number allocated to the autonomous system.
   type: long
 destination.as.organization.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: destination-as-organization-name
   description: Organization name.
   example: Google LLC
   flat_name: destination.as.organization.name
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: destination.as.organization.name.text
@@ -764,7 +755,7 @@ destination.as.organization.name:
   normalize: []
   original_fieldset: as
   short: Organization name.
-  type: wildcard
+  type: keyword
 destination.bytes:
   dashed_name: destination-bytes
   description: Bytes sent from the destination to the source.
@@ -777,16 +768,15 @@ destination.bytes:
   short: Bytes sent from the destination to the source.
   type: long
 destination.domain:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: destination-domain
   description: Destination domain.
   flat_name: destination.domain
+  ignore_above: 1024
   level: core
   name: domain
   normalize: []
   short: Destination domain.
-  type: wildcard
+  type: keyword
 destination.geo.city_name:
   dashed_name: destination-geo-city-name
   description: City name.
@@ -847,8 +837,6 @@ destination.geo.location:
   short: Longitude and latitude.
   type: geo_point
 destination.geo.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: destination-geo-name
   description: 'User-defined description of a location, at the level of granularity
     they care about.
@@ -859,12 +847,13 @@ destination.geo.name:
     Not typically used in automated geolocation.'
   example: boston-dc
   flat_name: destination.geo.name
+  ignore_above: 1024
   level: extended
   name: name
   normalize: []
   original_fieldset: geo
   short: User-defined description of a location.
-  type: wildcard
+  type: keyword
 destination.geo.region_iso_code:
   dashed_name: destination-geo-region-iso-code
   description: Region ISO code.
@@ -953,8 +942,6 @@ destination.port:
   short: Port of the destination.
   type: long
 destination.registered_domain:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: destination-registered-domain
   description: 'The highest registered destination domain, stripped of the subdomain.
 
@@ -965,11 +952,12 @@ destination.registered_domain:
     two labels will not work well for TLDs such as "co.uk".'
   example: example.com
   flat_name: destination.registered_domain
+  ignore_above: 1024
   level: extended
   name: registered_domain
   normalize: []
   short: The highest registered destination domain, stripped of the subdomain.
-  type: wildcard
+  type: keyword
 destination.subdomain:
   dashed_name: destination-subdomain
   description: 'The subdomain portion of a fully qualified domain name includes all
@@ -1019,24 +1007,22 @@ destination.user.domain:
   short: Name of the directory the user is a member of.
   type: keyword
 destination.user.email:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: destination-user-email
   description: User email address.
   flat_name: destination.user.email
+  ignore_above: 1024
   level: extended
   name: email
   normalize: []
   original_fieldset: user
   short: User email address.
-  type: wildcard
+  type: keyword
 destination.user.full_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: destination-user-full-name
   description: User's full name, if available.
   example: Albert Einstein
   flat_name: destination.user.full_name
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: destination.user.full_name.text
@@ -1047,7 +1033,7 @@ destination.user.full_name:
   normalize: []
   original_fieldset: user
   short: User's full name, if available.
-  type: wildcard
+  type: keyword
 destination.user.group.domain:
   dashed_name: destination-user-group-domain
   description: 'Name of the directory the group is a member of.
@@ -1110,12 +1096,11 @@ destination.user.id:
   short: Unique identifier of the user.
   type: keyword
 destination.user.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: destination-user-name
   description: Short name or login of the user.
   example: albert
   flat_name: destination.user.name
+  ignore_above: 1024
   level: core
   multi_fields:
   - flat_name: destination.user.name.text
@@ -1126,7 +1111,7 @@ destination.user.name:
   normalize: []
   original_fieldset: user
   short: Short name or login of the user.
-  type: wildcard
+  type: keyword
 destination.user.roles:
   dashed_name: destination-user-roles
   description: Array of user roles at the time of the event.
@@ -1352,18 +1337,17 @@ dll.pe.imphash:
   short: A hash of the imports in a PE file.
   type: keyword
 dll.pe.original_file_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: dll-pe-original-file-name
   description: Internal name of the file, provided at compile-time.
   example: MSPAINT.EXE
   flat_name: dll.pe.original_file_name
+  ignore_above: 1024
   level: extended
   name: original_file_name
   normalize: []
   original_fieldset: pe
   short: Internal name of the file, provided at compile-time.
-  type: wildcard
+  type: keyword
 dll.pe.product:
   dashed_name: dll-pe-product
   description: Internal product name of the file, provided at compile-time.
@@ -1407,19 +1391,18 @@ dns.answers.class:
   short: The class of DNS data contained in this resource record.
   type: keyword
 dns.answers.data:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: dns-answers-data
   description: 'The data describing the resource.
 
     The meaning of this data depends on the type and class of the resource record.'
   example: 10.10.10.10
   flat_name: dns.answers.data
+  ignore_above: 1024
   level: extended
   name: answers.data
   normalize: []
   short: The data describing the resource.
-  type: wildcard
+  type: keyword
 dns.answers.name:
   dashed_name: dns-answers-name
   description: 'The domain name to which this resource record pertains.
@@ -1509,8 +1492,6 @@ dns.question.class:
   short: The class of records being queried.
   type: keyword
 dns.question.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: dns-question-name
   description: 'The name being queried.
 
@@ -1520,11 +1501,12 @@ dns.question.name:
     converted to \t, \r, and \n respectively.'
   example: www.example.com
   flat_name: dns.question.name
+  ignore_above: 1024
   level: extended
   name: question.name
   normalize: []
   short: The name being queried.
-  type: wildcard
+  type: keyword
 dns.question.registered_domain:
   dashed_name: dns-question-registered-domain
   description: 'The highest registered domain, stripped of the subdomain.
@@ -1677,11 +1659,12 @@ error.message:
   short: Error message.
   type: text
 error.stack_trace:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: error-stack-trace
   description: The stack trace of this error in plain text.
+  doc_values: false
   flat_name: error.stack_trace
+  ignore_above: 1024
+  index: false
   level: extended
   multi_fields:
   - flat_name: error.stack_trace.text
@@ -1691,19 +1674,18 @@ error.stack_trace:
   name: stack_trace
   normalize: []
   short: The stack trace of this error in plain text.
-  type: wildcard
+  type: keyword
 error.type:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: error-type
   description: The type of the error, for example the class name of the exception.
   example: java.lang.NullPointerException
   flat_name: error.type
+  ignore_above: 1024
   level: extended
   name: type
   normalize: []
   short: The type of the error, for example the class name of the exception.
-  type: wildcard
+  type: keyword
 event.action:
   dashed_name: event-action
   description: 'The action captured by the event.
@@ -2581,18 +2563,17 @@ file.device:
   short: Device that is the source of the file.
   type: keyword
 file.directory:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: file-directory
   description: Directory where the file is located. It should include the drive letter,
     when appropriate.
   example: /home/alice
   flat_name: file.directory
+  ignore_above: 1024
   level: extended
   name: directory
   normalize: []
   short: Directory where the file is located.
-  type: wildcard
+  type: keyword
 file.drive_letter:
   dashed_name: file-drive-letter
   description: 'Drive letter where the file is located. This field is only relevant
@@ -2765,13 +2746,12 @@ file.owner:
   short: File owner's username.
   type: keyword
 file.path:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: file-path
   description: Full path to the file, including the file name. It should include the
     drive letter, when appropriate.
   example: /home/alice/example.png
   flat_name: file.path
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: file.path.text
@@ -2781,7 +2761,7 @@ file.path:
   name: path
   normalize: []
   short: Full path to the file, including the file name.
-  type: wildcard
+  type: keyword
 file.pe.architecture:
   dashed_name: file-pe-architecture
   description: CPU architecture target for the file.
@@ -2847,18 +2827,17 @@ file.pe.imphash:
   short: A hash of the imports in a PE file.
   type: keyword
 file.pe.original_file_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: file-pe-original-file-name
   description: Internal name of the file, provided at compile-time.
   example: MSPAINT.EXE
   flat_name: file.pe.original_file_name
+  ignore_above: 1024
   level: extended
   name: original_file_name
   normalize: []
   original_fieldset: pe
   short: Internal name of the file, provided at compile-time.
-  type: wildcard
+  type: keyword
 file.pe.product:
   dashed_name: file-pe-product
   description: Internal product name of the file, provided at compile-time.
@@ -2884,11 +2863,10 @@ file.size:
   short: File size in bytes.
   type: long
 file.target_path:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: file-target-path
   description: Target path for symlinks.
   flat_name: file.target_path
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: file.target_path.text
@@ -2898,7 +2876,7 @@ file.target_path:
   name: target_path
   normalize: []
   short: Target path for symlinks.
-  type: wildcard
+  type: keyword
 file.type:
   dashed_name: file-type
   description: File type (file, dir, or symlink).
@@ -2963,19 +2941,18 @@ file.x509.issuer.country:
   short: List of country (C) codes
   type: keyword
 file.x509.issuer.distinguished_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: file-x509-issuer-distinguished-name
   description: Distinguished name (DN) of issuing certificate authority.
   example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
     Server CA
   flat_name: file.x509.issuer.distinguished_name
+  ignore_above: 1024
   level: extended
   name: issuer.distinguished_name
   normalize: []
   original_fieldset: x509
   short: Distinguished name (DN) of issuing certificate authority.
-  type: wildcard
+  type: keyword
 file.x509.issuer.locality:
   dashed_name: file-x509-issuer-locality
   description: List of locality names (L)
@@ -3154,18 +3131,17 @@ file.x509.subject.country:
   short: List of country (C) code
   type: keyword
 file.x509.subject.distinguished_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: file-x509-subject-distinguished-name
   description: Distinguished name (DN) of the certificate subject entity.
   example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
   flat_name: file.x509.subject.distinguished_name
+  ignore_above: 1024
   level: extended
   name: subject.distinguished_name
   normalize: []
   original_fieldset: x509
   short: Distinguished name (DN) of the certificate subject entity.
-  type: wildcard
+  type: keyword
 file.x509.subject.locality:
   dashed_name: file-x509-subject-locality
   description: List of locality names (L)
@@ -3346,8 +3322,6 @@ host.geo.location:
   short: Longitude and latitude.
   type: geo_point
 host.geo.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: host-geo-name
   description: 'User-defined description of a location, at the level of granularity
     they care about.
@@ -3358,12 +3332,13 @@ host.geo.name:
     Not typically used in automated geolocation.'
   example: boston-dc
   flat_name: host.geo.name
+  ignore_above: 1024
   level: extended
   name: name
   normalize: []
   original_fieldset: geo
   short: User-defined description of a location.
-  type: wildcard
+  type: keyword
 host.geo.region_iso_code:
   dashed_name: host-geo-region-iso-code
   description: Region ISO code.
@@ -3389,18 +3364,17 @@ host.geo.region_name:
   short: Region name.
   type: keyword
 host.hostname:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: host-hostname
   description: 'Hostname of the host.
 
     It normally contains what the `hostname` command returns on the host machine.'
   flat_name: host.hostname
+  ignore_above: 1024
   level: core
   name: hostname
   normalize: []
   short: Hostname of the host.
-  type: wildcard
+  type: keyword
 host.id:
   dashed_name: host-id
   description: 'Unique host id.
@@ -3462,12 +3436,11 @@ host.os.family:
   short: OS family (such as redhat, debian, freebsd, windows).
   type: keyword
 host.os.full:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: host-os-full
   description: Operating system name, including the version or code name.
   example: Mac OS Mojave
   flat_name: host.os.full
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: host.os.full.text
@@ -3478,7 +3451,7 @@ host.os.full:
   normalize: []
   original_fieldset: os
   short: Operating system name, including the version or code name.
-  type: wildcard
+  type: keyword
 host.os.kernel:
   dashed_name: host-os-kernel
   description: Operating system kernel version as a raw string.
@@ -3492,12 +3465,11 @@ host.os.kernel:
   short: Operating system kernel version as a raw string.
   type: keyword
 host.os.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: host-os-name
   description: Operating system name, without the version.
   example: Mac OS X
   flat_name: host.os.name
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: host.os.name.text
@@ -3508,7 +3480,7 @@ host.os.name:
   normalize: []
   original_fieldset: os
   short: Operating system name, without the version.
-  type: wildcard
+  type: keyword
 host.os.platform:
   dashed_name: host-os-platform
   description: Operating system platform (such centos, ubuntu, windows).
@@ -3589,24 +3561,22 @@ host.user.domain:
   short: Name of the directory the user is a member of.
   type: keyword
 host.user.email:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: host-user-email
   description: User email address.
   flat_name: host.user.email
+  ignore_above: 1024
   level: extended
   name: email
   normalize: []
   original_fieldset: user
   short: User email address.
-  type: wildcard
+  type: keyword
 host.user.full_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: host-user-full-name
   description: User's full name, if available.
   example: Albert Einstein
   flat_name: host.user.full_name
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: host.user.full_name.text
@@ -3617,7 +3587,7 @@ host.user.full_name:
   normalize: []
   original_fieldset: user
   short: User's full name, if available.
-  type: wildcard
+  type: keyword
 host.user.group.domain:
   dashed_name: host-user-group-domain
   description: 'Name of the directory the group is a member of.
@@ -3680,12 +3650,11 @@ host.user.id:
   short: Unique identifier of the user.
   type: keyword
 host.user.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: host-user-name
   description: Short name or login of the user.
   example: albert
   flat_name: host.user.name
+  ignore_above: 1024
   level: core
   multi_fields:
   - flat_name: host.user.name.text
@@ -3696,7 +3665,7 @@ host.user.name:
   normalize: []
   original_fieldset: user
   short: Short name or login of the user.
-  type: wildcard
+  type: keyword
 host.user.roles:
   dashed_name: host-user-roles
   description: Array of user roles at the time of the event.
@@ -3722,12 +3691,11 @@ http.request.body.bytes:
   short: Size in bytes of the request body.
   type: long
 http.request.body.content:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: http-request-body-content
   description: The full HTTP request body.
   example: Hello world
   flat_name: http.request.body.content
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: http.request.body.content.text
@@ -3737,7 +3705,7 @@ http.request.body.content:
   name: request.body.content
   normalize: []
   short: The full HTTP request body.
-  type: wildcard
+  type: keyword
 http.request.bytes:
   dashed_name: http-request-bytes
   description: Total size in bytes of the request (body and headers).
@@ -3798,17 +3766,16 @@ http.request.mime_type:
   short: Mime type of the body of the request.
   type: keyword
 http.request.referrer:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: http-request-referrer
   description: Referrer for this HTTP request.
   example: https://blog.example.com/
   flat_name: http.request.referrer
+  ignore_above: 1024
   level: extended
   name: request.referrer
   normalize: []
   short: Referrer for this HTTP request.
-  type: wildcard
+  type: keyword
 http.response.body.bytes:
   dashed_name: http-response-body-bytes
   description: Size in bytes of the response body.
@@ -3821,12 +3788,11 @@ http.response.body.bytes:
   short: Size in bytes of the response body.
   type: long
 http.response.body.content:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: http-response-body-content
   description: The full HTTP response body.
   example: Hello world
   flat_name: http.response.body.content
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: http.response.body.content.text
@@ -3836,7 +3802,7 @@ http.response.body.content:
   name: response.body.content
   normalize: []
   short: The full HTTP response body.
-  type: wildcard
+  type: keyword
 http.response.bytes:
   dashed_name: http-response-bytes
   description: Total size in bytes of the response (body and headers).
@@ -3902,8 +3868,6 @@ labels:
   short: Custom key/value pairs.
   type: object
 log.file.path:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: log-file-path
   description: 'Full path to the log file this event came from, including the file
     name. It should include the drive letter, when appropriate.
@@ -3911,11 +3875,12 @@ log.file.path:
     If the event wasn''t read from a log file, do not populate this field.'
   example: /var/log/fun-times.log
   flat_name: log.file.path
+  ignore_above: 1024
   level: extended
   name: file.path
   normalize: []
   short: Full path to the log file this event came from.
-  type: wildcard
+  type: keyword
 log.level:
   dashed_name: log-level
   description: 'Original log level of the log event.
@@ -3934,18 +3899,17 @@ log.level:
   short: Log level of the log event.
   type: keyword
 log.logger:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: log-logger
   description: The name of the logger inside an application. This is usually the name
     of the class which initialized the logger, or can be a custom name.
   example: org.elasticsearch.bootstrap.Bootstrap
   flat_name: log.logger
+  ignore_above: 1024
   level: core
   name: logger
   normalize: []
   short: Name of the logger.
-  type: wildcard
+  type: keyword
 log.origin.file.line:
   dashed_name: log-origin-file-line
   description: The line number of the file containing the source code which originated
@@ -4466,8 +4430,6 @@ observer.geo.location:
   short: Longitude and latitude.
   type: geo_point
 observer.geo.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: observer-geo-name
   description: 'User-defined description of a location, at the level of granularity
     they care about.
@@ -4478,12 +4440,13 @@ observer.geo.name:
     Not typically used in automated geolocation.'
   example: boston-dc
   flat_name: observer.geo.name
+  ignore_above: 1024
   level: extended
   name: name
   normalize: []
   original_fieldset: geo
   short: User-defined description of a location.
-  type: wildcard
+  type: keyword
 observer.geo.region_iso_code:
   dashed_name: observer-geo-region-iso-code
   description: Region ISO code.
@@ -4654,12 +4617,11 @@ observer.os.family:
   short: OS family (such as redhat, debian, freebsd, windows).
   type: keyword
 observer.os.full:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: observer-os-full
   description: Operating system name, including the version or code name.
   example: Mac OS Mojave
   flat_name: observer.os.full
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: observer.os.full.text
@@ -4670,7 +4632,7 @@ observer.os.full:
   normalize: []
   original_fieldset: os
   short: Operating system name, including the version or code name.
-  type: wildcard
+  type: keyword
 observer.os.kernel:
   dashed_name: observer-os-kernel
   description: Operating system kernel version as a raw string.
@@ -4684,12 +4646,11 @@ observer.os.kernel:
   short: Operating system kernel version as a raw string.
   type: keyword
 observer.os.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: observer-os-name
   description: Operating system name, without the version.
   example: Mac OS X
   flat_name: observer.os.name
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: observer.os.name.text
@@ -4700,7 +4661,7 @@ observer.os.name:
   normalize: []
   original_fieldset: os
   short: Operating system name, without the version.
-  type: wildcard
+  type: keyword
 observer.os.platform:
   dashed_name: observer-os-platform
   description: Operating system platform (such centos, ubuntu, windows).
@@ -4811,11 +4772,10 @@ organization.id:
   short: Unique identifier for the organization.
   type: keyword
 organization.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: organization-name
   description: Organization name.
   flat_name: organization.name
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: organization.name.text
@@ -4825,7 +4785,7 @@ organization.name:
   name: name
   normalize: []
   short: Organization name.
-  type: wildcard
+  type: keyword
 package.architecture:
   dashed_name: package-architecture
   description: Package architecture.
@@ -5073,8 +5033,6 @@ process.code_signature.valid:
     content.
   type: boolean
 process.command_line:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: process-command-line
   description: 'Full command line that started the process, including the absolute
     path to the executable, and all arguments.
@@ -5082,6 +5040,7 @@ process.command_line:
     Some arguments may be filtered to protect sensitive information.'
   example: /usr/bin/ssh -l user 10.0.0.16
   flat_name: process.command_line
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: process.command_line.text
@@ -5091,7 +5050,7 @@ process.command_line:
   name: command_line
   normalize: []
   short: Full command line that started the process.
-  type: wildcard
+  type: keyword
 process.entity_id:
   dashed_name: process-entity-id
   description: 'Unique identifier for the process.
@@ -5112,12 +5071,11 @@ process.entity_id:
   short: Unique identifier for the process.
   type: keyword
 process.executable:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: process-executable
   description: Absolute path to the process executable.
   example: /usr/bin/ssh
   flat_name: process.executable
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: process.executable.text
@@ -5127,7 +5085,7 @@ process.executable:
   name: executable
   normalize: []
   short: Absolute path to the process executable.
-  type: wildcard
+  type: keyword
 process.exit_code:
   dashed_name: process-exit-code
   description: 'The exit code of the process, if this is a termination event.
@@ -5197,14 +5155,13 @@ process.hash.ssdeep:
   short: SSDEEP hash.
   type: keyword
 process.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: process-name
   description: 'Process name.
 
     Sometimes called program name or similar.'
   example: ssh
   flat_name: process.name
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: process.name.text
@@ -5214,7 +5171,7 @@ process.name:
   name: name
   normalize: []
   short: Process name.
-  type: wildcard
+  type: keyword
 process.parent.args:
   dashed_name: process-parent-args
   description: 'Array of process arguments, starting with the absolute path to the
@@ -5315,8 +5272,6 @@ process.parent.code_signature.valid:
     content.
   type: boolean
 process.parent.command_line:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: process-parent-command-line
   description: 'Full command line that started the process, including the absolute
     path to the executable, and all arguments.
@@ -5324,6 +5279,7 @@ process.parent.command_line:
     Some arguments may be filtered to protect sensitive information.'
   example: /usr/bin/ssh -l user 10.0.0.16
   flat_name: process.parent.command_line
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: process.parent.command_line.text
@@ -5334,7 +5290,7 @@ process.parent.command_line:
   normalize: []
   original_fieldset: process
   short: Full command line that started the process.
-  type: wildcard
+  type: keyword
 process.parent.entity_id:
   dashed_name: process-parent-entity-id
   description: 'Unique identifier for the process.
@@ -5356,12 +5312,11 @@ process.parent.entity_id:
   short: Unique identifier for the process.
   type: keyword
 process.parent.executable:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: process-parent-executable
   description: Absolute path to the process executable.
   example: /usr/bin/ssh
   flat_name: process.parent.executable
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: process.parent.executable.text
@@ -5372,7 +5327,7 @@ process.parent.executable:
   normalize: []
   original_fieldset: process
   short: Absolute path to the process executable.
-  type: wildcard
+  type: keyword
 process.parent.exit_code:
   dashed_name: process-parent-exit-code
   description: 'The exit code of the process, if this is a termination event.
@@ -5443,14 +5398,13 @@ process.parent.hash.ssdeep:
   short: SSDEEP hash.
   type: keyword
 process.parent.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: process-parent-name
   description: 'Process name.
 
     Sometimes called program name or similar.'
   example: ssh
   flat_name: process.parent.name
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: process.parent.name.text
@@ -5461,7 +5415,7 @@ process.parent.name:
   normalize: []
   original_fieldset: process
   short: Process name.
-  type: wildcard
+  type: keyword
 process.parent.pe.architecture:
   dashed_name: process-parent-pe-architecture
   description: CPU architecture target for the file.
@@ -5527,18 +5481,17 @@ process.parent.pe.imphash:
   short: A hash of the imports in a PE file.
   type: keyword
 process.parent.pe.original_file_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: process-parent-pe-original-file-name
   description: Internal name of the file, provided at compile-time.
   example: MSPAINT.EXE
   flat_name: process.parent.pe.original_file_name
+  ignore_above: 1024
   level: extended
   name: original_file_name
   normalize: []
   original_fieldset: pe
   short: Internal name of the file, provided at compile-time.
-  type: wildcard
+  type: keyword
 process.parent.pe.product:
   dashed_name: process-parent-pe-product
   description: Internal product name of the file, provided at compile-time.
@@ -5610,27 +5563,25 @@ process.parent.thread.id:
   short: Thread ID.
   type: long
 process.parent.thread.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: process-parent-thread-name
   description: Thread name.
   example: thread-0
   flat_name: process.parent.thread.name
+  ignore_above: 1024
   level: extended
   name: thread.name
   normalize: []
   original_fieldset: process
   short: Thread name.
-  type: wildcard
+  type: keyword
 process.parent.title:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: process-parent-title
   description: 'Process title.
 
     The proctitle, some times the same as process name. Can also be different: for
     example a browser setting its title to the web page currently opened.'
   flat_name: process.parent.title
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: process.parent.title.text
@@ -5641,7 +5592,7 @@ process.parent.title:
   normalize: []
   original_fieldset: process
   short: Process title.
-  type: wildcard
+  type: keyword
 process.parent.uptime:
   dashed_name: process-parent-uptime
   description: Seconds the process has been up.
@@ -5654,12 +5605,11 @@ process.parent.uptime:
   short: Seconds the process has been up.
   type: long
 process.parent.working_directory:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: process-parent-working-directory
   description: The working directory of the process.
   example: /home/alice
   flat_name: process.parent.working_directory
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: process.parent.working_directory.text
@@ -5670,7 +5620,7 @@ process.parent.working_directory:
   normalize: []
   original_fieldset: process
   short: The working directory of the process.
-  type: wildcard
+  type: keyword
 process.pe.architecture:
   dashed_name: process-pe-architecture
   description: CPU architecture target for the file.
@@ -5736,18 +5686,17 @@ process.pe.imphash:
   short: A hash of the imports in a PE file.
   type: keyword
 process.pe.original_file_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: process-pe-original-file-name
   description: Internal name of the file, provided at compile-time.
   example: MSPAINT.EXE
   flat_name: process.pe.original_file_name
+  ignore_above: 1024
   level: extended
   name: original_file_name
   normalize: []
   original_fieldset: pe
   short: Internal name of the file, provided at compile-time.
-  type: wildcard
+  type: keyword
 process.pe.product:
   dashed_name: process-pe-product
   description: Internal product name of the file, provided at compile-time.
@@ -5814,26 +5763,24 @@ process.thread.id:
   short: Thread ID.
   type: long
 process.thread.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: process-thread-name
   description: Thread name.
   example: thread-0
   flat_name: process.thread.name
+  ignore_above: 1024
   level: extended
   name: thread.name
   normalize: []
   short: Thread name.
-  type: wildcard
+  type: keyword
 process.title:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: process-title
   description: 'Process title.
 
     The proctitle, some times the same as process name. Can also be different: for
     example a browser setting its title to the web page currently opened.'
   flat_name: process.title
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: process.title.text
@@ -5843,7 +5790,7 @@ process.title:
   name: title
   normalize: []
   short: Process title.
-  type: wildcard
+  type: keyword
 process.uptime:
   dashed_name: process-uptime
   description: Seconds the process has been up.
@@ -5855,12 +5802,11 @@ process.uptime:
   short: Seconds the process has been up.
   type: long
 process.working_directory:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: process-working-directory
   description: The working directory of the process.
   example: /home/alice
   flat_name: process.working_directory
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: process.working_directory.text
@@ -5870,7 +5816,7 @@ process.working_directory:
   name: working_directory
   normalize: []
   short: The working directory of the process.
-  type: wildcard
+  type: keyword
 registry.data.bytes:
   dashed_name: registry-data-bytes
   description: 'Original bytes written with base64 encoding.
@@ -5887,8 +5833,6 @@ registry.data.bytes:
   short: Original bytes written with base64 encoding.
   type: keyword
 registry.data.strings:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: registry-data-strings
   description: 'Content when writing string types.
 
@@ -5899,12 +5843,13 @@ registry.data.strings:
     the decimal representation (e.g `"1"`).'
   example: '["C:\rta\red_ttp\bin\myapp.exe"]'
   flat_name: registry.data.strings
+  ignore_above: 1024
   level: core
   name: data.strings
   normalize:
   - array
   short: List of strings representing what was written to the registry.
-  type: wildcard
+  type: keyword
 registry.data.type:
   dashed_name: registry-data-type
   description: Standard registry type for encoding contents
@@ -5928,30 +5873,28 @@ registry.hive:
   short: Abbreviated name for the hive.
   type: keyword
 registry.key:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: registry-key
   description: Hive-relative path of keys.
   example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
   flat_name: registry.key
+  ignore_above: 1024
   level: core
   name: key
   normalize: []
   short: Hive-relative path of keys.
-  type: wildcard
+  type: keyword
 registry.path:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: registry-path
   description: Full path, including hive, key and value
   example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
     Options\winword.exe\Debugger
   flat_name: registry.path
+  ignore_above: 1024
   level: core
   name: path
   normalize: []
   short: Full path, including hive, key and value
-  type: wildcard
+  type: keyword
 registry.value:
   dashed_name: registry-value
   description: Name of the value written.
@@ -6159,12 +6102,11 @@ server.as.number:
   short: Unique number allocated to the autonomous system.
   type: long
 server.as.organization.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: server-as-organization-name
   description: Organization name.
   example: Google LLC
   flat_name: server.as.organization.name
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: server.as.organization.name.text
@@ -6175,7 +6117,7 @@ server.as.organization.name:
   normalize: []
   original_fieldset: as
   short: Organization name.
-  type: wildcard
+  type: keyword
 server.bytes:
   dashed_name: server-bytes
   description: Bytes sent from the server to the client.
@@ -6188,16 +6130,15 @@ server.bytes:
   short: Bytes sent from the server to the client.
   type: long
 server.domain:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: server-domain
   description: Server domain.
   flat_name: server.domain
+  ignore_above: 1024
   level: core
   name: domain
   normalize: []
   short: Server domain.
-  type: wildcard
+  type: keyword
 server.geo.city_name:
   dashed_name: server-geo-city-name
   description: City name.
@@ -6258,8 +6199,6 @@ server.geo.location:
   short: Longitude and latitude.
   type: geo_point
 server.geo.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: server-geo-name
   description: 'User-defined description of a location, at the level of granularity
     they care about.
@@ -6270,12 +6209,13 @@ server.geo.name:
     Not typically used in automated geolocation.'
   example: boston-dc
   flat_name: server.geo.name
+  ignore_above: 1024
   level: extended
   name: name
   normalize: []
   original_fieldset: geo
   short: User-defined description of a location.
-  type: wildcard
+  type: keyword
 server.geo.region_iso_code:
   dashed_name: server-geo-region-iso-code
   description: Region ISO code.
@@ -6365,8 +6305,6 @@ server.port:
   short: Port of the server.
   type: long
 server.registered_domain:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: server-registered-domain
   description: 'The highest registered server domain, stripped of the subdomain.
 
@@ -6377,11 +6315,12 @@ server.registered_domain:
     two labels will not work well for TLDs such as "co.uk".'
   example: example.com
   flat_name: server.registered_domain
+  ignore_above: 1024
   level: extended
   name: registered_domain
   normalize: []
   short: The highest registered server domain, stripped of the subdomain.
-  type: wildcard
+  type: keyword
 server.subdomain:
   dashed_name: server-subdomain
   description: 'The subdomain portion of a fully qualified domain name includes all
@@ -6431,24 +6370,22 @@ server.user.domain:
   short: Name of the directory the user is a member of.
   type: keyword
 server.user.email:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: server-user-email
   description: User email address.
   flat_name: server.user.email
+  ignore_above: 1024
   level: extended
   name: email
   normalize: []
   original_fieldset: user
   short: User email address.
-  type: wildcard
+  type: keyword
 server.user.full_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: server-user-full-name
   description: User's full name, if available.
   example: Albert Einstein
   flat_name: server.user.full_name
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: server.user.full_name.text
@@ -6459,7 +6396,7 @@ server.user.full_name:
   normalize: []
   original_fieldset: user
   short: User's full name, if available.
-  type: wildcard
+  type: keyword
 server.user.group.domain:
   dashed_name: server-user-group-domain
   description: 'Name of the directory the group is a member of.
@@ -6522,12 +6459,11 @@ server.user.id:
   short: Unique identifier of the user.
   type: keyword
 server.user.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: server-user-name
   description: Short name or login of the user.
   example: albert
   flat_name: server.user.name
+  ignore_above: 1024
   level: core
   multi_fields:
   - flat_name: server.user.name.text
@@ -6538,7 +6474,7 @@ server.user.name:
   normalize: []
   original_fieldset: user
   short: Short name or login of the user.
-  type: wildcard
+  type: keyword
 server.user.roles:
   dashed_name: server-user-roles
   description: Array of user roles at the time of the event.
@@ -6692,12 +6628,11 @@ source.as.number:
   short: Unique number allocated to the autonomous system.
   type: long
 source.as.organization.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: source-as-organization-name
   description: Organization name.
   example: Google LLC
   flat_name: source.as.organization.name
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: source.as.organization.name.text
@@ -6708,7 +6643,7 @@ source.as.organization.name:
   normalize: []
   original_fieldset: as
   short: Organization name.
-  type: wildcard
+  type: keyword
 source.bytes:
   dashed_name: source-bytes
   description: Bytes sent from the source to the destination.
@@ -6721,16 +6656,15 @@ source.bytes:
   short: Bytes sent from the source to the destination.
   type: long
 source.domain:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: source-domain
   description: Source domain.
   flat_name: source.domain
+  ignore_above: 1024
   level: core
   name: domain
   normalize: []
   short: Source domain.
-  type: wildcard
+  type: keyword
 source.geo.city_name:
   dashed_name: source-geo-city-name
   description: City name.
@@ -6791,8 +6725,6 @@ source.geo.location:
   short: Longitude and latitude.
   type: geo_point
 source.geo.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: source-geo-name
   description: 'User-defined description of a location, at the level of granularity
     they care about.
@@ -6803,12 +6735,13 @@ source.geo.name:
     Not typically used in automated geolocation.'
   example: boston-dc
   flat_name: source.geo.name
+  ignore_above: 1024
   level: extended
   name: name
   normalize: []
   original_fieldset: geo
   short: User-defined description of a location.
-  type: wildcard
+  type: keyword
 source.geo.region_iso_code:
   dashed_name: source-geo-region-iso-code
   description: Region ISO code.
@@ -6898,8 +6831,6 @@ source.port:
   short: Port of the source.
   type: long
 source.registered_domain:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: source-registered-domain
   description: 'The highest registered source domain, stripped of the subdomain.
 
@@ -6910,11 +6841,12 @@ source.registered_domain:
     two labels will not work well for TLDs such as "co.uk".'
   example: example.com
   flat_name: source.registered_domain
+  ignore_above: 1024
   level: extended
   name: registered_domain
   normalize: []
   short: The highest registered source domain, stripped of the subdomain.
-  type: wildcard
+  type: keyword
 source.subdomain:
   dashed_name: source-subdomain
   description: 'The subdomain portion of a fully qualified domain name includes all
@@ -6964,24 +6896,22 @@ source.user.domain:
   short: Name of the directory the user is a member of.
   type: keyword
 source.user.email:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: source-user-email
   description: User email address.
   flat_name: source.user.email
+  ignore_above: 1024
   level: extended
   name: email
   normalize: []
   original_fieldset: user
   short: User email address.
-  type: wildcard
+  type: keyword
 source.user.full_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: source-user-full-name
   description: User's full name, if available.
   example: Albert Einstein
   flat_name: source.user.full_name
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: source.user.full_name.text
@@ -6992,7 +6922,7 @@ source.user.full_name:
   normalize: []
   original_fieldset: user
   short: User's full name, if available.
-  type: wildcard
+  type: keyword
 source.user.group.domain:
   dashed_name: source-user-group-domain
   description: 'Name of the directory the group is a member of.
@@ -7055,12 +6985,11 @@ source.user.id:
   short: Unique identifier of the user.
   type: keyword
 source.user.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: source-user-name
   description: Short name or login of the user.
   example: albert
   flat_name: source.user.name
+  ignore_above: 1024
   level: core
   multi_fields:
   - flat_name: source.user.name.text
@@ -7071,7 +7000,7 @@ source.user.name:
   normalize: []
   original_fieldset: user
   short: Short name or login of the user.
-  type: wildcard
+  type: keyword
 source.user.roles:
   dashed_name: source-user-roles
   description: Array of user roles at the time of the event.
@@ -7335,19 +7264,18 @@ tls.client.hash.sha256:
     certificate offered by the client.
   type: keyword
 tls.client.issuer:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: tls-client-issuer
   description: Distinguished name of subject of the issuer of the x.509 certificate
     presented by the client.
   example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
   flat_name: tls.client.issuer
+  ignore_above: 1024
   level: extended
   name: client.issuer
   normalize: []
   short: Distinguished name of subject of the issuer of the x.509 certificate presented
     by the client.
-  type: wildcard
+  type: keyword
 tls.client.ja3:
   dashed_name: tls-client-ja3
   description: A hash that identifies clients based on how they perform an SSL/TLS
@@ -7395,18 +7323,17 @@ tls.client.server_name:
   short: Hostname the client is trying to connect to. Also called the SNI.
   type: keyword
 tls.client.subject:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: tls-client-subject
   description: Distinguished name of subject of the x.509 certificate presented by
     the client.
   example: CN=myclient, OU=Documentation Team, DC=example, DC=com
   flat_name: tls.client.subject
+  ignore_above: 1024
   level: extended
   name: client.subject
   normalize: []
   short: Distinguished name of subject of the x.509 certificate presented by the client.
-  type: wildcard
+  type: keyword
 tls.client.supported_ciphers:
   dashed_name: tls-client-supported-ciphers
   description: Array of ciphers offered by the client during the client hello.
@@ -7462,19 +7389,18 @@ tls.client.x509.issuer.country:
   short: List of country (C) codes
   type: keyword
 tls.client.x509.issuer.distinguished_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: tls-client-x509-issuer-distinguished-name
   description: Distinguished name (DN) of issuing certificate authority.
   example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
     Server CA
   flat_name: tls.client.x509.issuer.distinguished_name
+  ignore_above: 1024
   level: extended
   name: issuer.distinguished_name
   normalize: []
   original_fieldset: x509
   short: Distinguished name (DN) of issuing certificate authority.
-  type: wildcard
+  type: keyword
 tls.client.x509.issuer.locality:
   dashed_name: tls-client-x509-issuer-locality
   description: List of locality names (L)
@@ -7653,18 +7579,17 @@ tls.client.x509.subject.country:
   short: List of country (C) code
   type: keyword
 tls.client.x509.subject.distinguished_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: tls-client-x509-subject-distinguished-name
   description: Distinguished name (DN) of the certificate subject entity.
   example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
   flat_name: tls.client.x509.subject.distinguished_name
+  ignore_above: 1024
   level: extended
   name: subject.distinguished_name
   normalize: []
   original_fieldset: x509
   short: Distinguished name (DN) of the certificate subject entity.
-  type: wildcard
+  type: keyword
 tls.client.x509.subject.locality:
   dashed_name: tls-client-x509-subject-locality
   description: List of locality names (L)
@@ -7845,17 +7770,16 @@ tls.server.hash.sha256:
     certificate offered by the server.
   type: keyword
 tls.server.issuer:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: tls-server-issuer
   description: Subject of the issuer of the x.509 certificate presented by the server.
   example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
   flat_name: tls.server.issuer
+  ignore_above: 1024
   level: extended
   name: server.issuer
   normalize: []
   short: Subject of the issuer of the x.509 certificate presented by the server.
-  type: wildcard
+  type: keyword
 tls.server.ja3s:
   dashed_name: tls-server-ja3s
   description: A hash that identifies servers based on how they perform an SSL/TLS
@@ -7890,17 +7814,16 @@ tls.server.not_before:
   short: Timestamp indicating when server certificate is first considered valid.
   type: date
 tls.server.subject:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: tls-server-subject
   description: Subject of the x.509 certificate presented by the server.
   example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com
   flat_name: tls.server.subject
+  ignore_above: 1024
   level: extended
   name: server.subject
   normalize: []
   short: Subject of the x.509 certificate presented by the server.
-  type: wildcard
+  type: keyword
 tls.server.x509.alternative_names:
   dashed_name: tls-server-x509-alternative-names
   description: List of subject alternative names (SAN). Name types vary by certificate
@@ -7943,19 +7866,18 @@ tls.server.x509.issuer.country:
   short: List of country (C) codes
   type: keyword
 tls.server.x509.issuer.distinguished_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: tls-server-x509-issuer-distinguished-name
   description: Distinguished name (DN) of issuing certificate authority.
   example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
     Server CA
   flat_name: tls.server.x509.issuer.distinguished_name
+  ignore_above: 1024
   level: extended
   name: issuer.distinguished_name
   normalize: []
   original_fieldset: x509
   short: Distinguished name (DN) of issuing certificate authority.
-  type: wildcard
+  type: keyword
 tls.server.x509.issuer.locality:
   dashed_name: tls-server-x509-issuer-locality
   description: List of locality names (L)
@@ -8134,18 +8056,17 @@ tls.server.x509.subject.country:
   short: List of country (C) code
   type: keyword
 tls.server.x509.subject.distinguished_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: tls-server-x509-subject-distinguished-name
   description: Distinguished name (DN) of the certificate subject entity.
   example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
   flat_name: tls.server.x509.subject.distinguished_name
+  ignore_above: 1024
   level: extended
   name: subject.distinguished_name
   normalize: []
   original_fieldset: x509
   short: Distinguished name (DN) of the certificate subject entity.
-  type: wildcard
+  type: keyword
 tls.server.x509.subject.locality:
   dashed_name: tls-server-x509-subject-locality
   description: List of locality names (L)
@@ -8260,8 +8181,6 @@ transaction.id:
   short: Unique identifier of the transaction within the scope of its trace.
   type: keyword
 url.domain:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: url-domain
   description: 'Domain of the url, such as "www.elastic.co".
 
@@ -8272,11 +8191,12 @@ url.domain:
     the `[` and `]` characters should also be captured in the `domain` field.'
   example: www.elastic.co
   flat_name: url.domain
+  ignore_above: 1024
   level: extended
   name: domain
   normalize: []
   short: Domain of the url.
-  type: wildcard
+  type: keyword
 url.extension:
   dashed_name: url-extension
   description: 'The field contains the file extension from the original request url,
@@ -8310,13 +8230,12 @@ url.fragment:
   short: Portion of the url after the `#`.
   type: keyword
 url.full:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: url-full
   description: If full URLs are important to your use case, they should be stored
     in `url.full`, whether this field is reconstructed or present in the event source.
   example: https://www.elastic.co:443/search?q=elasticsearch#top
   flat_name: url.full
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: url.full.text
@@ -8326,10 +8245,8 @@ url.full:
   name: full
   normalize: []
   short: Full unparsed URL.
-  type: wildcard
+  type: keyword
 url.original:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: url-original
   description: 'Unmodified original url as seen in the event source.
 
@@ -8339,6 +8256,7 @@ url.original:
     This field is meant to represent the URL as it was observed, complete or not.'
   example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
   flat_name: url.original
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: url.original.text
@@ -8348,7 +8266,7 @@ url.original:
   name: original
   normalize: []
   short: Unmodified original url as seen in the event source.
-  type: wildcard
+  type: keyword
 url.password:
   dashed_name: url-password
   description: Password of the request.
@@ -8360,16 +8278,15 @@ url.password:
   short: Password of the request.
   type: keyword
 url.path:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: url-path
   description: Path of the request, such as "/search".
   flat_name: url.path
+  ignore_above: 1024
   level: extended
   name: path
   normalize: []
   short: Path of the request, such as "/search".
-  type: wildcard
+  type: keyword
 url.port:
   dashed_name: url-port
   description: Port of the request, such as 443.
@@ -8398,8 +8315,6 @@ url.query:
   short: Query string of the request.
   type: keyword
 url.registered_domain:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: url-registered-domain
   description: 'The highest registered url domain, stripped of the subdomain.
 
@@ -8410,11 +8325,12 @@ url.registered_domain:
     two labels will not work well for TLDs such as "co.uk".'
   example: example.com
   flat_name: url.registered_domain
+  ignore_above: 1024
   level: extended
   name: registered_domain
   normalize: []
   short: The highest registered url domain, stripped of the subdomain.
-  type: wildcard
+  type: keyword
 url.scheme:
   dashed_name: url-scheme
   description: 'Scheme of the request, such as "https".
@@ -8487,24 +8403,22 @@ user.changes.domain:
   short: Name of the directory the user is a member of.
   type: keyword
 user.changes.email:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: user-changes-email
   description: User email address.
   flat_name: user.changes.email
+  ignore_above: 1024
   level: extended
   name: email
   normalize: []
   original_fieldset: user
   short: User email address.
-  type: wildcard
+  type: keyword
 user.changes.full_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: user-changes-full-name
   description: User's full name, if available.
   example: Albert Einstein
   flat_name: user.changes.full_name
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: user.changes.full_name.text
@@ -8515,7 +8429,7 @@ user.changes.full_name:
   normalize: []
   original_fieldset: user
   short: User's full name, if available.
-  type: wildcard
+  type: keyword
 user.changes.group.domain:
   dashed_name: user-changes-group-domain
   description: 'Name of the directory the group is a member of.
@@ -8578,12 +8492,11 @@ user.changes.id:
   short: Unique identifier of the user.
   type: keyword
 user.changes.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: user-changes-name
   description: Short name or login of the user.
   example: albert
   flat_name: user.changes.name
+  ignore_above: 1024
   level: core
   multi_fields:
   - flat_name: user.changes.name.text
@@ -8594,7 +8507,7 @@ user.changes.name:
   normalize: []
   original_fieldset: user
   short: Short name or login of the user.
-  type: wildcard
+  type: keyword
 user.changes.roles:
   dashed_name: user-changes-roles
   description: Array of user roles at the time of the event.
@@ -8634,24 +8547,22 @@ user.effective.domain:
   short: Name of the directory the user is a member of.
   type: keyword
 user.effective.email:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: user-effective-email
   description: User email address.
   flat_name: user.effective.email
+  ignore_above: 1024
   level: extended
   name: email
   normalize: []
   original_fieldset: user
   short: User email address.
-  type: wildcard
+  type: keyword
 user.effective.full_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: user-effective-full-name
   description: User's full name, if available.
   example: Albert Einstein
   flat_name: user.effective.full_name
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: user.effective.full_name.text
@@ -8662,7 +8573,7 @@ user.effective.full_name:
   normalize: []
   original_fieldset: user
   short: User's full name, if available.
-  type: wildcard
+  type: keyword
 user.effective.group.domain:
   dashed_name: user-effective-group-domain
   description: 'Name of the directory the group is a member of.
@@ -8725,12 +8636,11 @@ user.effective.id:
   short: Unique identifier of the user.
   type: keyword
 user.effective.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: user-effective-name
   description: Short name or login of the user.
   example: albert
   flat_name: user.effective.name
+  ignore_above: 1024
   level: core
   multi_fields:
   - flat_name: user.effective.name.text
@@ -8741,7 +8651,7 @@ user.effective.name:
   normalize: []
   original_fieldset: user
   short: Short name or login of the user.
-  type: wildcard
+  type: keyword
 user.effective.roles:
   dashed_name: user-effective-roles
   description: Array of user roles at the time of the event.
@@ -8756,23 +8666,21 @@ user.effective.roles:
   short: Array of user roles at the time of the event.
   type: keyword
 user.email:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: user-email
   description: User email address.
   flat_name: user.email
+  ignore_above: 1024
   level: extended
   name: email
   normalize: []
   short: User email address.
-  type: wildcard
+  type: keyword
 user.full_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: user-full-name
   description: User's full name, if available.
   example: Albert Einstein
   flat_name: user.full_name
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: user.full_name.text
@@ -8782,7 +8690,7 @@ user.full_name:
   name: full_name
   normalize: []
   short: User's full name, if available.
-  type: wildcard
+  type: keyword
 user.group.domain:
   dashed_name: user-group-domain
   description: 'Name of the directory the group is a member of.
@@ -8843,12 +8751,11 @@ user.id:
   short: Unique identifier of the user.
   type: keyword
 user.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: user-name
   description: Short name or login of the user.
   example: albert
   flat_name: user.name
+  ignore_above: 1024
   level: core
   multi_fields:
   - flat_name: user.name.text
@@ -8858,7 +8765,7 @@ user.name:
   name: name
   normalize: []
   short: Short name or login of the user.
-  type: wildcard
+  type: keyword
 user.roles:
   dashed_name: user-roles
   description: Array of user roles at the time of the event.
@@ -8885,24 +8792,22 @@ user.target.domain:
   short: Name of the directory the user is a member of.
   type: keyword
 user.target.email:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: user-target-email
   description: User email address.
   flat_name: user.target.email
+  ignore_above: 1024
   level: extended
   name: email
   normalize: []
   original_fieldset: user
   short: User email address.
-  type: wildcard
+  type: keyword
 user.target.full_name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: user-target-full-name
   description: User's full name, if available.
   example: Albert Einstein
   flat_name: user.target.full_name
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: user.target.full_name.text
@@ -8913,7 +8818,7 @@ user.target.full_name:
   normalize: []
   original_fieldset: user
   short: User's full name, if available.
-  type: wildcard
+  type: keyword
 user.target.group.domain:
   dashed_name: user-target-group-domain
   description: 'Name of the directory the group is a member of.
@@ -8976,12 +8881,11 @@ user.target.id:
   short: Unique identifier of the user.
   type: keyword
 user.target.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: user-target-name
   description: Short name or login of the user.
   example: albert
   flat_name: user.target.name
+  ignore_above: 1024
   level: core
   multi_fields:
   - flat_name: user.target.name.text
@@ -8992,7 +8896,7 @@ user.target.name:
   normalize: []
   original_fieldset: user
   short: Short name or login of the user.
-  type: wildcard
+  type: keyword
 user.target.roles:
   dashed_name: user-target-roles
   description: Array of user roles at the time of the event.
@@ -9029,13 +8933,12 @@ user_agent.name:
   short: Name of the user agent.
   type: keyword
 user_agent.original:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: user-agent-original
   description: Unparsed user_agent string.
   example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15
     (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
   flat_name: user_agent.original
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: user_agent.original.text
@@ -9045,7 +8948,7 @@ user_agent.original:
   name: original
   normalize: []
   short: Unparsed user_agent string.
-  type: wildcard
+  type: keyword
 user_agent.os.family:
   dashed_name: user-agent-os-family
   description: OS family (such as redhat, debian, freebsd, windows).
@@ -9059,12 +8962,11 @@ user_agent.os.family:
   short: OS family (such as redhat, debian, freebsd, windows).
   type: keyword
 user_agent.os.full:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: user-agent-os-full
   description: Operating system name, including the version or code name.
   example: Mac OS Mojave
   flat_name: user_agent.os.full
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: user_agent.os.full.text
@@ -9075,7 +8977,7 @@ user_agent.os.full:
   normalize: []
   original_fieldset: os
   short: Operating system name, including the version or code name.
-  type: wildcard
+  type: keyword
 user_agent.os.kernel:
   dashed_name: user-agent-os-kernel
   description: Operating system kernel version as a raw string.
@@ -9089,12 +8991,11 @@ user_agent.os.kernel:
   short: Operating system kernel version as a raw string.
   type: keyword
 user_agent.os.name:
-  beta: Note the usage of `wildcard` type is considered beta. This field used to be
-    type `keyword`.
   dashed_name: user-agent-os-name
   description: Operating system name, without the version.
   example: Mac OS X
   flat_name: user_agent.os.name
+  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: user_agent.os.name.text
@@ -9105,7 +9006,7 @@ user_agent.os.name:
   normalize: []
   original_fieldset: os
   short: Operating system name, without the version.
-  type: wildcard
+  type: keyword
 user_agent.os.platform:
   dashed_name: user-agent-os-platform
   description: Operating system platform (such centos, ubuntu, windows).
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index 8c15d879d4..a3934fd463 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -8,8 +8,6 @@ agent:
     event happened or the measurement was taken.'
   fields:
     agent.build.original:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: agent-build-original
       description: 'Extended build information for the agent.
 
@@ -18,11 +16,12 @@ agent:
       example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c
         built 2020-02-05 23:10:10 +0000 UTC]
       flat_name: agent.build.original
+      ignore_above: 1024
       level: core
       name: build.original
       normalize: []
       short: Extended build information for the agent.
-      type: wildcard
+      type: keyword
     agent.ephemeral_id:
       dashed_name: agent-ephemeral-id
       description: 'Ephemeral identifier of this agent (if one exists).
@@ -120,12 +119,11 @@ as:
       short: Unique number allocated to the autonomous system.
       type: long
     as.organization.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: as-organization-name
       description: Organization name.
       example: Google LLC
       flat_name: as.organization.name
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: as.organization.name.text
@@ -135,7 +133,7 @@ as:
       name: organization.name
       normalize: []
       short: Organization name.
-      type: wildcard
+      type: keyword
   group: 2
   name: as
   prefix: as.
@@ -277,12 +275,11 @@ client:
       short: Unique number allocated to the autonomous system.
       type: long
     client.as.organization.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: client-as-organization-name
       description: Organization name.
       example: Google LLC
       flat_name: client.as.organization.name
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: client.as.organization.name.text
@@ -293,7 +290,7 @@ client:
       normalize: []
       original_fieldset: as
       short: Organization name.
-      type: wildcard
+      type: keyword
     client.bytes:
       dashed_name: client-bytes
       description: Bytes sent from the client to the server.
@@ -306,16 +303,15 @@ client:
       short: Bytes sent from the client to the server.
       type: long
     client.domain:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: client-domain
       description: Client domain.
       flat_name: client.domain
+      ignore_above: 1024
       level: core
       name: domain
       normalize: []
       short: Client domain.
-      type: wildcard
+      type: keyword
     client.geo.city_name:
       dashed_name: client-geo-city-name
       description: City name.
@@ -376,8 +372,6 @@ client:
       short: Longitude and latitude.
       type: geo_point
     client.geo.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: client-geo-name
       description: 'User-defined description of a location, at the level of granularity
         they care about.
@@ -388,12 +382,13 @@ client:
         Not typically used in automated geolocation.'
       example: boston-dc
       flat_name: client.geo.name
+      ignore_above: 1024
       level: extended
       name: name
       normalize: []
       original_fieldset: geo
       short: User-defined description of a location.
-      type: wildcard
+      type: keyword
     client.geo.region_iso_code:
       dashed_name: client-geo-region-iso-code
       description: Region ISO code.
@@ -483,8 +478,6 @@ client:
       short: Port of the client.
       type: long
     client.registered_domain:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: client-registered-domain
       description: 'The highest registered client domain, stripped of the subdomain.
 
@@ -495,11 +488,12 @@ client:
         the last two labels will not work well for TLDs such as "co.uk".'
       example: example.com
       flat_name: client.registered_domain
+      ignore_above: 1024
       level: extended
       name: registered_domain
       normalize: []
       short: The highest registered client domain, stripped of the subdomain.
-      type: wildcard
+      type: keyword
     client.subdomain:
       dashed_name: client-subdomain
       description: 'The subdomain portion of a fully qualified domain name includes
@@ -549,24 +543,22 @@ client:
       short: Name of the directory the user is a member of.
       type: keyword
     client.user.email:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: client-user-email
       description: User email address.
       flat_name: client.user.email
+      ignore_above: 1024
       level: extended
       name: email
       normalize: []
       original_fieldset: user
       short: User email address.
-      type: wildcard
+      type: keyword
     client.user.full_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: client-user-full-name
       description: User's full name, if available.
       example: Albert Einstein
       flat_name: client.user.full_name
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: client.user.full_name.text
@@ -577,7 +569,7 @@ client:
       normalize: []
       original_fieldset: user
       short: User's full name, if available.
-      type: wildcard
+      type: keyword
     client.user.group.domain:
       dashed_name: client-user-group-domain
       description: 'Name of the directory the group is a member of.
@@ -640,12 +632,11 @@ client:
       short: Unique identifier of the user.
       type: keyword
     client.user.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: client-user-name
       description: Short name or login of the user.
       example: albert
       flat_name: client.user.name
+      ignore_above: 1024
       level: core
       multi_fields:
       - flat_name: client.user.name.text
@@ -656,7 +647,7 @@ client:
       normalize: []
       original_fieldset: user
       short: Short name or login of the user.
-      type: wildcard
+      type: keyword
     client.user.roles:
       dashed_name: client-user-roles
       description: Array of user roles at the time of the event.
@@ -1037,12 +1028,11 @@ destination:
       short: Unique number allocated to the autonomous system.
       type: long
     destination.as.organization.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: destination-as-organization-name
       description: Organization name.
       example: Google LLC
       flat_name: destination.as.organization.name
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: destination.as.organization.name.text
@@ -1053,7 +1043,7 @@ destination:
       normalize: []
       original_fieldset: as
       short: Organization name.
-      type: wildcard
+      type: keyword
     destination.bytes:
       dashed_name: destination-bytes
       description: Bytes sent from the destination to the source.
@@ -1066,16 +1056,15 @@ destination:
       short: Bytes sent from the destination to the source.
       type: long
     destination.domain:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: destination-domain
       description: Destination domain.
       flat_name: destination.domain
+      ignore_above: 1024
       level: core
       name: domain
       normalize: []
       short: Destination domain.
-      type: wildcard
+      type: keyword
     destination.geo.city_name:
       dashed_name: destination-geo-city-name
       description: City name.
@@ -1136,8 +1125,6 @@ destination:
       short: Longitude and latitude.
       type: geo_point
     destination.geo.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: destination-geo-name
       description: 'User-defined description of a location, at the level of granularity
         they care about.
@@ -1148,12 +1135,13 @@ destination:
         Not typically used in automated geolocation.'
       example: boston-dc
       flat_name: destination.geo.name
+      ignore_above: 1024
       level: extended
       name: name
       normalize: []
       original_fieldset: geo
       short: User-defined description of a location.
-      type: wildcard
+      type: keyword
     destination.geo.region_iso_code:
       dashed_name: destination-geo-region-iso-code
       description: Region ISO code.
@@ -1242,8 +1230,6 @@ destination:
       short: Port of the destination.
       type: long
     destination.registered_domain:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: destination-registered-domain
       description: 'The highest registered destination domain, stripped of the subdomain.
 
@@ -1254,11 +1240,12 @@ destination:
         the last two labels will not work well for TLDs such as "co.uk".'
       example: example.com
       flat_name: destination.registered_domain
+      ignore_above: 1024
       level: extended
       name: registered_domain
       normalize: []
       short: The highest registered destination domain, stripped of the subdomain.
-      type: wildcard
+      type: keyword
     destination.subdomain:
       dashed_name: destination-subdomain
       description: 'The subdomain portion of a fully qualified domain name includes
@@ -1308,24 +1295,22 @@ destination:
       short: Name of the directory the user is a member of.
       type: keyword
     destination.user.email:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: destination-user-email
       description: User email address.
       flat_name: destination.user.email
+      ignore_above: 1024
       level: extended
       name: email
       normalize: []
       original_fieldset: user
       short: User email address.
-      type: wildcard
+      type: keyword
     destination.user.full_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: destination-user-full-name
       description: User's full name, if available.
       example: Albert Einstein
       flat_name: destination.user.full_name
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: destination.user.full_name.text
@@ -1336,7 +1321,7 @@ destination:
       normalize: []
       original_fieldset: user
       short: User's full name, if available.
-      type: wildcard
+      type: keyword
     destination.user.group.domain:
       dashed_name: destination-user-group-domain
       description: 'Name of the directory the group is a member of.
@@ -1399,12 +1384,11 @@ destination:
       short: Unique identifier of the user.
       type: keyword
     destination.user.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: destination-user-name
       description: Short name or login of the user.
       example: albert
       flat_name: destination.user.name
+      ignore_above: 1024
       level: core
       multi_fields:
       - flat_name: destination.user.name.text
@@ -1415,7 +1399,7 @@ destination:
       normalize: []
       original_fieldset: user
       short: Short name or login of the user.
-      type: wildcard
+      type: keyword
     destination.user.roles:
       dashed_name: destination-user-roles
       description: Array of user roles at the time of the event.
@@ -1675,18 +1659,17 @@ dll:
       short: A hash of the imports in a PE file.
       type: keyword
     dll.pe.original_file_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: dll-pe-original-file-name
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
       flat_name: dll.pe.original_file_name
+      ignore_above: 1024
       level: extended
       name: original_file_name
       normalize: []
       original_fieldset: pe
       short: Internal name of the file, provided at compile-time.
-      type: wildcard
+      type: keyword
     dll.pe.product:
       dashed_name: dll-pe-product
       description: Internal product name of the file, provided at compile-time.
@@ -1758,19 +1741,18 @@ dns:
       short: The class of DNS data contained in this resource record.
       type: keyword
     dns.answers.data:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: dns-answers-data
       description: 'The data describing the resource.
 
         The meaning of this data depends on the type and class of the resource record.'
       example: 10.10.10.10
       flat_name: dns.answers.data
+      ignore_above: 1024
       level: extended
       name: answers.data
       normalize: []
       short: The data describing the resource.
-      type: wildcard
+      type: keyword
     dns.answers.name:
       dashed_name: dns-answers-name
       description: 'The domain name to which this resource record pertains.
@@ -1862,8 +1844,6 @@ dns:
       short: The class of records being queried.
       type: keyword
     dns.question.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: dns-question-name
       description: 'The name being queried.
 
@@ -1873,11 +1853,12 @@ dns:
         feeds should be converted to \t, \r, and \n respectively.'
       example: www.example.com
       flat_name: dns.question.name
+      ignore_above: 1024
       level: extended
       name: question.name
       normalize: []
       short: The name being queried.
-      type: wildcard
+      type: keyword
     dns.question.registered_domain:
       dashed_name: dns-question-registered-domain
       description: 'The highest registered domain, stripped of the subdomain.
@@ -2051,11 +2032,12 @@ error:
       short: Error message.
       type: text
     error.stack_trace:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: error-stack-trace
       description: The stack trace of this error in plain text.
+      doc_values: false
       flat_name: error.stack_trace
+      ignore_above: 1024
+      index: false
       level: extended
       multi_fields:
       - flat_name: error.stack_trace.text
@@ -2065,19 +2047,18 @@ error:
       name: stack_trace
       normalize: []
       short: The stack trace of this error in plain text.
-      type: wildcard
+      type: keyword
     error.type:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: error-type
       description: The type of the error, for example the class name of the exception.
       example: java.lang.NullPointerException
       flat_name: error.type
+      ignore_above: 1024
       level: extended
       name: type
       normalize: []
       short: The type of the error, for example the class name of the exception.
-      type: wildcard
+      type: keyword
   group: 2
   name: error
   prefix: error.
@@ -3006,18 +2987,17 @@ file:
       short: Device that is the source of the file.
       type: keyword
     file.directory:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: file-directory
       description: Directory where the file is located. It should include the drive
         letter, when appropriate.
       example: /home/alice
       flat_name: file.directory
+      ignore_above: 1024
       level: extended
       name: directory
       normalize: []
       short: Directory where the file is located.
-      type: wildcard
+      type: keyword
     file.drive_letter:
       dashed_name: file-drive-letter
       description: 'Drive letter where the file is located. This field is only relevant
@@ -3190,13 +3170,12 @@ file:
       short: File owner's username.
       type: keyword
     file.path:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: file-path
       description: Full path to the file, including the file name. It should include
         the drive letter, when appropriate.
       example: /home/alice/example.png
       flat_name: file.path
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: file.path.text
@@ -3206,7 +3185,7 @@ file:
       name: path
       normalize: []
       short: Full path to the file, including the file name.
-      type: wildcard
+      type: keyword
     file.pe.architecture:
       dashed_name: file-pe-architecture
       description: CPU architecture target for the file.
@@ -3272,18 +3251,17 @@ file:
       short: A hash of the imports in a PE file.
       type: keyword
     file.pe.original_file_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: file-pe-original-file-name
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
       flat_name: file.pe.original_file_name
+      ignore_above: 1024
       level: extended
       name: original_file_name
       normalize: []
       original_fieldset: pe
       short: Internal name of the file, provided at compile-time.
-      type: wildcard
+      type: keyword
     file.pe.product:
       dashed_name: file-pe-product
       description: Internal product name of the file, provided at compile-time.
@@ -3309,11 +3287,10 @@ file:
       short: File size in bytes.
       type: long
     file.target_path:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: file-target-path
       description: Target path for symlinks.
       flat_name: file.target_path
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: file.target_path.text
@@ -3323,7 +3300,7 @@ file:
       name: target_path
       normalize: []
       short: Target path for symlinks.
-      type: wildcard
+      type: keyword
     file.type:
       dashed_name: file-type
       description: File type (file, dir, or symlink).
@@ -3388,19 +3365,18 @@ file:
       short: List of country (C) codes
       type: keyword
     file.x509.issuer.distinguished_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: file-x509-issuer-distinguished-name
       description: Distinguished name (DN) of issuing certificate authority.
       example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
         Server CA
       flat_name: file.x509.issuer.distinguished_name
+      ignore_above: 1024
       level: extended
       name: issuer.distinguished_name
       normalize: []
       original_fieldset: x509
       short: Distinguished name (DN) of issuing certificate authority.
-      type: wildcard
+      type: keyword
     file.x509.issuer.locality:
       dashed_name: file-x509-issuer-locality
       description: List of locality names (L)
@@ -3579,18 +3555,17 @@ file:
       short: List of country (C) code
       type: keyword
     file.x509.subject.distinguished_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: file-x509-subject-distinguished-name
       description: Distinguished name (DN) of the certificate subject entity.
       example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
       flat_name: file.x509.subject.distinguished_name
+      ignore_above: 1024
       level: extended
       name: subject.distinguished_name
       normalize: []
       original_fieldset: x509
       short: Distinguished name (DN) of the certificate subject entity.
-      type: wildcard
+      type: keyword
     file.x509.subject.locality:
       dashed_name: file-x509-subject-locality
       description: List of locality names (L)
@@ -3740,8 +3715,6 @@ geo:
       short: Longitude and latitude.
       type: geo_point
     geo.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: geo-name
       description: 'User-defined description of a location, at the level of granularity
         they care about.
@@ -3752,11 +3725,12 @@ geo:
         Not typically used in automated geolocation.'
       example: boston-dc
       flat_name: geo.name
+      ignore_above: 1024
       level: extended
       name: name
       normalize: []
       short: User-defined description of a location.
-      type: wildcard
+      type: keyword
     geo.region_iso_code:
       dashed_name: geo-region-iso-code
       description: Region ISO code.
@@ -4027,8 +4001,6 @@ host:
       short: Longitude and latitude.
       type: geo_point
     host.geo.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: host-geo-name
       description: 'User-defined description of a location, at the level of granularity
         they care about.
@@ -4039,12 +4011,13 @@ host:
         Not typically used in automated geolocation.'
       example: boston-dc
       flat_name: host.geo.name
+      ignore_above: 1024
       level: extended
       name: name
       normalize: []
       original_fieldset: geo
       short: User-defined description of a location.
-      type: wildcard
+      type: keyword
     host.geo.region_iso_code:
       dashed_name: host-geo-region-iso-code
       description: Region ISO code.
@@ -4070,18 +4043,17 @@ host:
       short: Region name.
       type: keyword
     host.hostname:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: host-hostname
       description: 'Hostname of the host.
 
         It normally contains what the `hostname` command returns on the host machine.'
       flat_name: host.hostname
+      ignore_above: 1024
       level: core
       name: hostname
       normalize: []
       short: Hostname of the host.
-      type: wildcard
+      type: keyword
     host.id:
       dashed_name: host-id
       description: 'Unique host id.
@@ -4144,12 +4116,11 @@ host:
       short: OS family (such as redhat, debian, freebsd, windows).
       type: keyword
     host.os.full:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: host-os-full
       description: Operating system name, including the version or code name.
       example: Mac OS Mojave
       flat_name: host.os.full
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: host.os.full.text
@@ -4160,7 +4131,7 @@ host:
       normalize: []
       original_fieldset: os
       short: Operating system name, including the version or code name.
-      type: wildcard
+      type: keyword
     host.os.kernel:
       dashed_name: host-os-kernel
       description: Operating system kernel version as a raw string.
@@ -4174,12 +4145,11 @@ host:
       short: Operating system kernel version as a raw string.
       type: keyword
     host.os.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: host-os-name
       description: Operating system name, without the version.
       example: Mac OS X
       flat_name: host.os.name
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: host.os.name.text
@@ -4190,7 +4160,7 @@ host:
       normalize: []
       original_fieldset: os
       short: Operating system name, without the version.
-      type: wildcard
+      type: keyword
     host.os.platform:
       dashed_name: host-os-platform
       description: Operating system platform (such centos, ubuntu, windows).
@@ -4273,24 +4243,22 @@ host:
       short: Name of the directory the user is a member of.
       type: keyword
     host.user.email:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: host-user-email
       description: User email address.
       flat_name: host.user.email
+      ignore_above: 1024
       level: extended
       name: email
       normalize: []
       original_fieldset: user
       short: User email address.
-      type: wildcard
+      type: keyword
     host.user.full_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: host-user-full-name
       description: User's full name, if available.
       example: Albert Einstein
       flat_name: host.user.full_name
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: host.user.full_name.text
@@ -4301,7 +4269,7 @@ host:
       normalize: []
       original_fieldset: user
       short: User's full name, if available.
-      type: wildcard
+      type: keyword
     host.user.group.domain:
       dashed_name: host-user-group-domain
       description: 'Name of the directory the group is a member of.
@@ -4364,12 +4332,11 @@ host:
       short: Unique identifier of the user.
       type: keyword
     host.user.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: host-user-name
       description: Short name or login of the user.
       example: albert
       flat_name: host.user.name
+      ignore_above: 1024
       level: core
       multi_fields:
       - flat_name: host.user.name.text
@@ -4380,7 +4347,7 @@ host:
       normalize: []
       original_fieldset: user
       short: Short name or login of the user.
-      type: wildcard
+      type: keyword
     host.user.roles:
       dashed_name: host-user-roles
       description: Array of user roles at the time of the event.
@@ -4430,12 +4397,11 @@ http:
       short: Size in bytes of the request body.
       type: long
     http.request.body.content:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: http-request-body-content
       description: The full HTTP request body.
       example: Hello world
       flat_name: http.request.body.content
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: http.request.body.content.text
@@ -4445,7 +4411,7 @@ http:
       name: request.body.content
       normalize: []
       short: The full HTTP request body.
-      type: wildcard
+      type: keyword
     http.request.bytes:
       dashed_name: http-request-bytes
       description: Total size in bytes of the request (body and headers).
@@ -4508,17 +4474,16 @@ http:
       short: Mime type of the body of the request.
       type: keyword
     http.request.referrer:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: http-request-referrer
       description: Referrer for this HTTP request.
       example: https://blog.example.com/
       flat_name: http.request.referrer
+      ignore_above: 1024
       level: extended
       name: request.referrer
       normalize: []
       short: Referrer for this HTTP request.
-      type: wildcard
+      type: keyword
     http.response.body.bytes:
       dashed_name: http-response-body-bytes
       description: Size in bytes of the response body.
@@ -4531,12 +4496,11 @@ http:
       short: Size in bytes of the response body.
       type: long
     http.response.body.content:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: http-response-body-content
       description: The full HTTP response body.
       example: Hello world
       flat_name: http.response.body.content
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: http.response.body.content.text
@@ -4546,7 +4510,7 @@ http:
       name: response.body.content
       normalize: []
       short: The full HTTP response body.
-      type: wildcard
+      type: keyword
     http.response.bytes:
       dashed_name: http-response-bytes
       description: Total size in bytes of the response (body and headers).
@@ -4670,8 +4634,6 @@ log:
     but rather in `event.*` or in other ECS fields.'
   fields:
     log.file.path:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: log-file-path
       description: 'Full path to the log file this event came from, including the
         file name. It should include the drive letter, when appropriate.
@@ -4679,11 +4641,12 @@ log:
         If the event wasn''t read from a log file, do not populate this field.'
       example: /var/log/fun-times.log
       flat_name: log.file.path
+      ignore_above: 1024
       level: extended
       name: file.path
       normalize: []
       short: Full path to the log file this event came from.
-      type: wildcard
+      type: keyword
     log.level:
       dashed_name: log-level
       description: 'Original log level of the log event.
@@ -4702,18 +4665,17 @@ log:
       short: Log level of the log event.
       type: keyword
     log.logger:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: log-logger
       description: The name of the logger inside an application. This is usually the
         name of the class which initialized the logger, or can be a custom name.
       example: org.elasticsearch.bootstrap.Bootstrap
       flat_name: log.logger
+      ignore_above: 1024
       level: core
       name: logger
       normalize: []
       short: Name of the logger.
-      type: wildcard
+      type: keyword
     log.origin.file.line:
       dashed_name: log-origin-file-line
       description: The line number of the file containing the source code which originated
@@ -5265,8 +5227,6 @@ observer:
       short: Longitude and latitude.
       type: geo_point
     observer.geo.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: observer-geo-name
       description: 'User-defined description of a location, at the level of granularity
         they care about.
@@ -5277,12 +5237,13 @@ observer:
         Not typically used in automated geolocation.'
       example: boston-dc
       flat_name: observer.geo.name
+      ignore_above: 1024
       level: extended
       name: name
       normalize: []
       original_fieldset: geo
       short: User-defined description of a location.
-      type: wildcard
+      type: keyword
     observer.geo.region_iso_code:
       dashed_name: observer-geo-region-iso-code
       description: Region ISO code.
@@ -5454,12 +5415,11 @@ observer:
       short: OS family (such as redhat, debian, freebsd, windows).
       type: keyword
     observer.os.full:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: observer-os-full
       description: Operating system name, including the version or code name.
       example: Mac OS Mojave
       flat_name: observer.os.full
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: observer.os.full.text
@@ -5470,7 +5430,7 @@ observer:
       normalize: []
       original_fieldset: os
       short: Operating system name, including the version or code name.
-      type: wildcard
+      type: keyword
     observer.os.kernel:
       dashed_name: observer-os-kernel
       description: Operating system kernel version as a raw string.
@@ -5484,12 +5444,11 @@ observer:
       short: Operating system kernel version as a raw string.
       type: keyword
     observer.os.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: observer-os-name
       description: Operating system name, without the version.
       example: Mac OS X
       flat_name: observer.os.name
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: observer.os.name.text
@@ -5500,7 +5459,7 @@ observer:
       normalize: []
       original_fieldset: os
       short: Operating system name, without the version.
-      type: wildcard
+      type: keyword
     observer.os.platform:
       dashed_name: observer-os-platform
       description: Operating system platform (such centos, ubuntu, windows).
@@ -5651,11 +5610,10 @@ organization:
       short: Unique identifier for the organization.
       type: keyword
     organization.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: organization-name
       description: Organization name.
       flat_name: organization.name
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: organization.name.text
@@ -5665,7 +5623,7 @@ organization:
       name: name
       normalize: []
       short: Organization name.
-      type: wildcard
+      type: keyword
   group: 2
   name: organization
   prefix: organization.
@@ -5687,12 +5645,11 @@ os:
       short: OS family (such as redhat, debian, freebsd, windows).
       type: keyword
     os.full:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: os-full
       description: Operating system name, including the version or code name.
       example: Mac OS Mojave
       flat_name: os.full
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: os.full.text
@@ -5702,7 +5659,7 @@ os:
       name: full
       normalize: []
       short: Operating system name, including the version or code name.
-      type: wildcard
+      type: keyword
     os.kernel:
       dashed_name: os-kernel
       description: Operating system kernel version as a raw string.
@@ -5715,12 +5672,11 @@ os:
       short: Operating system kernel version as a raw string.
       type: keyword
     os.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: os-name
       description: Operating system name, without the version.
       example: Mac OS X
       flat_name: os.name
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: os.name.text
@@ -5730,7 +5686,7 @@ os:
       name: name
       normalize: []
       short: Operating system name, without the version.
-      type: wildcard
+      type: keyword
     os.platform:
       dashed_name: os-platform
       description: Operating system platform (such centos, ubuntu, windows).
@@ -6016,17 +5972,16 @@ pe:
       short: A hash of the imports in a PE file.
       type: keyword
     pe.original_file_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: pe-original-file-name
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
       flat_name: pe.original_file_name
+      ignore_above: 1024
       level: extended
       name: original_file_name
       normalize: []
       short: Internal name of the file, provided at compile-time.
-      type: wildcard
+      type: keyword
     pe.product:
       dashed_name: pe-product
       description: Internal product name of the file, provided at compile-time.
@@ -6161,8 +6116,6 @@ process:
         content.
       type: boolean
     process.command_line:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: process-command-line
       description: 'Full command line that started the process, including the absolute
         path to the executable, and all arguments.
@@ -6170,6 +6123,7 @@ process:
         Some arguments may be filtered to protect sensitive information.'
       example: /usr/bin/ssh -l user 10.0.0.16
       flat_name: process.command_line
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: process.command_line.text
@@ -6179,7 +6133,7 @@ process:
       name: command_line
       normalize: []
       short: Full command line that started the process.
-      type: wildcard
+      type: keyword
     process.entity_id:
       dashed_name: process-entity-id
       description: 'Unique identifier for the process.
@@ -6200,12 +6154,11 @@ process:
       short: Unique identifier for the process.
       type: keyword
     process.executable:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: process-executable
       description: Absolute path to the process executable.
       example: /usr/bin/ssh
       flat_name: process.executable
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: process.executable.text
@@ -6215,7 +6168,7 @@ process:
       name: executable
       normalize: []
       short: Absolute path to the process executable.
-      type: wildcard
+      type: keyword
     process.exit_code:
       dashed_name: process-exit-code
       description: 'The exit code of the process, if this is a termination event.
@@ -6285,14 +6238,13 @@ process:
       short: SSDEEP hash.
       type: keyword
     process.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: process-name
       description: 'Process name.
 
         Sometimes called program name or similar.'
       example: ssh
       flat_name: process.name
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: process.name.text
@@ -6302,7 +6254,7 @@ process:
       name: name
       normalize: []
       short: Process name.
-      type: wildcard
+      type: keyword
     process.parent.args:
       dashed_name: process-parent-args
       description: 'Array of process arguments, starting with the absolute path to
@@ -6403,8 +6355,6 @@ process:
         content.
       type: boolean
     process.parent.command_line:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: process-parent-command-line
       description: 'Full command line that started the process, including the absolute
         path to the executable, and all arguments.
@@ -6412,6 +6362,7 @@ process:
         Some arguments may be filtered to protect sensitive information.'
       example: /usr/bin/ssh -l user 10.0.0.16
       flat_name: process.parent.command_line
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: process.parent.command_line.text
@@ -6422,7 +6373,7 @@ process:
       normalize: []
       original_fieldset: process
       short: Full command line that started the process.
-      type: wildcard
+      type: keyword
     process.parent.entity_id:
       dashed_name: process-parent-entity-id
       description: 'Unique identifier for the process.
@@ -6444,12 +6395,11 @@ process:
       short: Unique identifier for the process.
       type: keyword
     process.parent.executable:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: process-parent-executable
       description: Absolute path to the process executable.
       example: /usr/bin/ssh
       flat_name: process.parent.executable
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: process.parent.executable.text
@@ -6460,7 +6410,7 @@ process:
       normalize: []
       original_fieldset: process
       short: Absolute path to the process executable.
-      type: wildcard
+      type: keyword
     process.parent.exit_code:
       dashed_name: process-parent-exit-code
       description: 'The exit code of the process, if this is a termination event.
@@ -6531,14 +6481,13 @@ process:
       short: SSDEEP hash.
       type: keyword
     process.parent.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: process-parent-name
       description: 'Process name.
 
         Sometimes called program name or similar.'
       example: ssh
       flat_name: process.parent.name
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: process.parent.name.text
@@ -6549,7 +6498,7 @@ process:
       normalize: []
       original_fieldset: process
       short: Process name.
-      type: wildcard
+      type: keyword
     process.parent.pe.architecture:
       dashed_name: process-parent-pe-architecture
       description: CPU architecture target for the file.
@@ -6615,18 +6564,17 @@ process:
       short: A hash of the imports in a PE file.
       type: keyword
     process.parent.pe.original_file_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: process-parent-pe-original-file-name
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
       flat_name: process.parent.pe.original_file_name
+      ignore_above: 1024
       level: extended
       name: original_file_name
       normalize: []
       original_fieldset: pe
       short: Internal name of the file, provided at compile-time.
-      type: wildcard
+      type: keyword
     process.parent.pe.product:
       dashed_name: process-parent-pe-product
       description: Internal product name of the file, provided at compile-time.
@@ -6698,27 +6646,25 @@ process:
       short: Thread ID.
       type: long
     process.parent.thread.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: process-parent-thread-name
       description: Thread name.
       example: thread-0
       flat_name: process.parent.thread.name
+      ignore_above: 1024
       level: extended
       name: thread.name
       normalize: []
       original_fieldset: process
       short: Thread name.
-      type: wildcard
+      type: keyword
     process.parent.title:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: process-parent-title
       description: 'Process title.
 
         The proctitle, some times the same as process name. Can also be different:
         for example a browser setting its title to the web page currently opened.'
       flat_name: process.parent.title
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: process.parent.title.text
@@ -6729,7 +6675,7 @@ process:
       normalize: []
       original_fieldset: process
       short: Process title.
-      type: wildcard
+      type: keyword
     process.parent.uptime:
       dashed_name: process-parent-uptime
       description: Seconds the process has been up.
@@ -6742,12 +6688,11 @@ process:
       short: Seconds the process has been up.
       type: long
     process.parent.working_directory:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: process-parent-working-directory
       description: The working directory of the process.
       example: /home/alice
       flat_name: process.parent.working_directory
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: process.parent.working_directory.text
@@ -6758,7 +6703,7 @@ process:
       normalize: []
       original_fieldset: process
       short: The working directory of the process.
-      type: wildcard
+      type: keyword
     process.pe.architecture:
       dashed_name: process-pe-architecture
       description: CPU architecture target for the file.
@@ -6824,18 +6769,17 @@ process:
       short: A hash of the imports in a PE file.
       type: keyword
     process.pe.original_file_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: process-pe-original-file-name
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
       flat_name: process.pe.original_file_name
+      ignore_above: 1024
       level: extended
       name: original_file_name
       normalize: []
       original_fieldset: pe
       short: Internal name of the file, provided at compile-time.
-      type: wildcard
+      type: keyword
     process.pe.product:
       dashed_name: process-pe-product
       description: Internal product name of the file, provided at compile-time.
@@ -6902,26 +6846,24 @@ process:
       short: Thread ID.
       type: long
     process.thread.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: process-thread-name
       description: Thread name.
       example: thread-0
       flat_name: process.thread.name
+      ignore_above: 1024
       level: extended
       name: thread.name
       normalize: []
       short: Thread name.
-      type: wildcard
+      type: keyword
     process.title:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: process-title
       description: 'Process title.
 
         The proctitle, some times the same as process name. Can also be different:
         for example a browser setting its title to the web page currently opened.'
       flat_name: process.title
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: process.title.text
@@ -6931,7 +6873,7 @@ process:
       name: title
       normalize: []
       short: Process title.
-      type: wildcard
+      type: keyword
     process.uptime:
       dashed_name: process-uptime
       description: Seconds the process has been up.
@@ -6943,12 +6885,11 @@ process:
       short: Seconds the process has been up.
       type: long
     process.working_directory:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: process-working-directory
       description: The working directory of the process.
       example: /home/alice
       flat_name: process.working_directory
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: process.working_directory.text
@@ -6958,7 +6899,7 @@ process:
       name: working_directory
       normalize: []
       short: The working directory of the process.
-      type: wildcard
+      type: keyword
   group: 2
   name: process
   nestings:
@@ -7008,8 +6949,6 @@ registry:
       short: Original bytes written with base64 encoding.
       type: keyword
     registry.data.strings:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: registry-data-strings
       description: 'Content when writing string types.
 
@@ -7020,12 +6959,13 @@ registry:
         be populated with the decimal representation (e.g `"1"`).'
       example: '["C:\rta\red_ttp\bin\myapp.exe"]'
       flat_name: registry.data.strings
+      ignore_above: 1024
       level: core
       name: data.strings
       normalize:
       - array
       short: List of strings representing what was written to the registry.
-      type: wildcard
+      type: keyword
     registry.data.type:
       dashed_name: registry-data-type
       description: Standard registry type for encoding contents
@@ -7049,30 +6989,28 @@ registry:
       short: Abbreviated name for the hive.
       type: keyword
     registry.key:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: registry-key
       description: Hive-relative path of keys.
       example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
       flat_name: registry.key
+      ignore_above: 1024
       level: core
       name: key
       normalize: []
       short: Hive-relative path of keys.
-      type: wildcard
+      type: keyword
     registry.path:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: registry-path
       description: Full path, including hive, key and value
       example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
         Options\winword.exe\Debugger
       flat_name: registry.path
+      ignore_above: 1024
       level: core
       name: path
       normalize: []
       short: Full path, including hive, key and value
-      type: wildcard
+      type: keyword
     registry.value:
       dashed_name: registry-value
       description: Name of the value written.
@@ -7337,12 +7275,11 @@ server:
       short: Unique number allocated to the autonomous system.
       type: long
     server.as.organization.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: server-as-organization-name
       description: Organization name.
       example: Google LLC
       flat_name: server.as.organization.name
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: server.as.organization.name.text
@@ -7353,7 +7290,7 @@ server:
       normalize: []
       original_fieldset: as
       short: Organization name.
-      type: wildcard
+      type: keyword
     server.bytes:
       dashed_name: server-bytes
       description: Bytes sent from the server to the client.
@@ -7366,16 +7303,15 @@ server:
       short: Bytes sent from the server to the client.
       type: long
     server.domain:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: server-domain
       description: Server domain.
       flat_name: server.domain
+      ignore_above: 1024
       level: core
       name: domain
       normalize: []
       short: Server domain.
-      type: wildcard
+      type: keyword
     server.geo.city_name:
       dashed_name: server-geo-city-name
       description: City name.
@@ -7436,8 +7372,6 @@ server:
       short: Longitude and latitude.
       type: geo_point
     server.geo.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: server-geo-name
       description: 'User-defined description of a location, at the level of granularity
         they care about.
@@ -7448,12 +7382,13 @@ server:
         Not typically used in automated geolocation.'
       example: boston-dc
       flat_name: server.geo.name
+      ignore_above: 1024
       level: extended
       name: name
       normalize: []
       original_fieldset: geo
       short: User-defined description of a location.
-      type: wildcard
+      type: keyword
     server.geo.region_iso_code:
       dashed_name: server-geo-region-iso-code
       description: Region ISO code.
@@ -7543,8 +7478,6 @@ server:
       short: Port of the server.
       type: long
     server.registered_domain:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: server-registered-domain
       description: 'The highest registered server domain, stripped of the subdomain.
 
@@ -7555,11 +7488,12 @@ server:
         the last two labels will not work well for TLDs such as "co.uk".'
       example: example.com
       flat_name: server.registered_domain
+      ignore_above: 1024
       level: extended
       name: registered_domain
       normalize: []
       short: The highest registered server domain, stripped of the subdomain.
-      type: wildcard
+      type: keyword
     server.subdomain:
       dashed_name: server-subdomain
       description: 'The subdomain portion of a fully qualified domain name includes
@@ -7609,24 +7543,22 @@ server:
       short: Name of the directory the user is a member of.
       type: keyword
     server.user.email:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: server-user-email
       description: User email address.
       flat_name: server.user.email
+      ignore_above: 1024
       level: extended
       name: email
       normalize: []
       original_fieldset: user
       short: User email address.
-      type: wildcard
+      type: keyword
     server.user.full_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: server-user-full-name
       description: User's full name, if available.
       example: Albert Einstein
       flat_name: server.user.full_name
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: server.user.full_name.text
@@ -7637,7 +7569,7 @@ server:
       normalize: []
       original_fieldset: user
       short: User's full name, if available.
-      type: wildcard
+      type: keyword
     server.user.group.domain:
       dashed_name: server-user-group-domain
       description: 'Name of the directory the group is a member of.
@@ -7700,12 +7632,11 @@ server:
       short: Unique identifier of the user.
       type: keyword
     server.user.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: server-user-name
       description: Short name or login of the user.
       example: albert
       flat_name: server.user.name
+      ignore_above: 1024
       level: core
       multi_fields:
       - flat_name: server.user.name.text
@@ -7716,7 +7647,7 @@ server:
       normalize: []
       original_fieldset: user
       short: Short name or login of the user.
-      type: wildcard
+      type: keyword
     server.user.roles:
       dashed_name: server-user-roles
       description: Array of user roles at the time of the event.
@@ -7914,12 +7845,11 @@ source:
       short: Unique number allocated to the autonomous system.
       type: long
     source.as.organization.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: source-as-organization-name
       description: Organization name.
       example: Google LLC
       flat_name: source.as.organization.name
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: source.as.organization.name.text
@@ -7930,7 +7860,7 @@ source:
       normalize: []
       original_fieldset: as
       short: Organization name.
-      type: wildcard
+      type: keyword
     source.bytes:
       dashed_name: source-bytes
       description: Bytes sent from the source to the destination.
@@ -7943,16 +7873,15 @@ source:
       short: Bytes sent from the source to the destination.
       type: long
     source.domain:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: source-domain
       description: Source domain.
       flat_name: source.domain
+      ignore_above: 1024
       level: core
       name: domain
       normalize: []
       short: Source domain.
-      type: wildcard
+      type: keyword
     source.geo.city_name:
       dashed_name: source-geo-city-name
       description: City name.
@@ -8013,8 +7942,6 @@ source:
       short: Longitude and latitude.
       type: geo_point
     source.geo.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: source-geo-name
       description: 'User-defined description of a location, at the level of granularity
         they care about.
@@ -8025,12 +7952,13 @@ source:
         Not typically used in automated geolocation.'
       example: boston-dc
       flat_name: source.geo.name
+      ignore_above: 1024
       level: extended
       name: name
       normalize: []
       original_fieldset: geo
       short: User-defined description of a location.
-      type: wildcard
+      type: keyword
     source.geo.region_iso_code:
       dashed_name: source-geo-region-iso-code
       description: Region ISO code.
@@ -8120,8 +8048,6 @@ source:
       short: Port of the source.
       type: long
     source.registered_domain:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: source-registered-domain
       description: 'The highest registered source domain, stripped of the subdomain.
 
@@ -8132,11 +8058,12 @@ source:
         the last two labels will not work well for TLDs such as "co.uk".'
       example: example.com
       flat_name: source.registered_domain
+      ignore_above: 1024
       level: extended
       name: registered_domain
       normalize: []
       short: The highest registered source domain, stripped of the subdomain.
-      type: wildcard
+      type: keyword
     source.subdomain:
       dashed_name: source-subdomain
       description: 'The subdomain portion of a fully qualified domain name includes
@@ -8186,24 +8113,22 @@ source:
       short: Name of the directory the user is a member of.
       type: keyword
     source.user.email:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: source-user-email
       description: User email address.
       flat_name: source.user.email
+      ignore_above: 1024
       level: extended
       name: email
       normalize: []
       original_fieldset: user
       short: User email address.
-      type: wildcard
+      type: keyword
     source.user.full_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: source-user-full-name
       description: User's full name, if available.
       example: Albert Einstein
       flat_name: source.user.full_name
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: source.user.full_name.text
@@ -8214,7 +8139,7 @@ source:
       normalize: []
       original_fieldset: user
       short: User's full name, if available.
-      type: wildcard
+      type: keyword
     source.user.group.domain:
       dashed_name: source-user-group-domain
       description: 'Name of the directory the group is a member of.
@@ -8277,12 +8202,11 @@ source:
       short: Unique identifier of the user.
       type: keyword
     source.user.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: source-user-name
       description: Short name or login of the user.
       example: albert
       flat_name: source.user.name
+      ignore_above: 1024
       level: core
       multi_fields:
       - flat_name: source.user.name.text
@@ -8293,7 +8217,7 @@ source:
       normalize: []
       original_fieldset: user
       short: Short name or login of the user.
-      type: wildcard
+      type: keyword
     source.user.roles:
       dashed_name: source-user-roles
       description: Array of user roles at the time of the event.
@@ -8571,19 +8495,18 @@ tls:
         of certificate offered by the client.
       type: keyword
     tls.client.issuer:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: tls-client-issuer
       description: Distinguished name of subject of the issuer of the x.509 certificate
         presented by the client.
       example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
       flat_name: tls.client.issuer
+      ignore_above: 1024
       level: extended
       name: client.issuer
       normalize: []
       short: Distinguished name of subject of the issuer of the x.509 certificate
         presented by the client.
-      type: wildcard
+      type: keyword
     tls.client.ja3:
       dashed_name: tls-client-ja3
       description: A hash that identifies clients based on how they perform an SSL/TLS
@@ -8633,19 +8556,18 @@ tls:
       short: Hostname the client is trying to connect to. Also called the SNI.
       type: keyword
     tls.client.subject:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: tls-client-subject
       description: Distinguished name of subject of the x.509 certificate presented
         by the client.
       example: CN=myclient, OU=Documentation Team, DC=example, DC=com
       flat_name: tls.client.subject
+      ignore_above: 1024
       level: extended
       name: client.subject
       normalize: []
       short: Distinguished name of subject of the x.509 certificate presented by the
         client.
-      type: wildcard
+      type: keyword
     tls.client.supported_ciphers:
       dashed_name: tls-client-supported-ciphers
       description: Array of ciphers offered by the client during the client hello.
@@ -8701,19 +8623,18 @@ tls:
       short: List of country (C) codes
       type: keyword
     tls.client.x509.issuer.distinguished_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: tls-client-x509-issuer-distinguished-name
       description: Distinguished name (DN) of issuing certificate authority.
       example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
         Server CA
       flat_name: tls.client.x509.issuer.distinguished_name
+      ignore_above: 1024
       level: extended
       name: issuer.distinguished_name
       normalize: []
       original_fieldset: x509
       short: Distinguished name (DN) of issuing certificate authority.
-      type: wildcard
+      type: keyword
     tls.client.x509.issuer.locality:
       dashed_name: tls-client-x509-issuer-locality
       description: List of locality names (L)
@@ -8892,18 +8813,17 @@ tls:
       short: List of country (C) code
       type: keyword
     tls.client.x509.subject.distinguished_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: tls-client-x509-subject-distinguished-name
       description: Distinguished name (DN) of the certificate subject entity.
       example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
       flat_name: tls.client.x509.subject.distinguished_name
+      ignore_above: 1024
       level: extended
       name: subject.distinguished_name
       normalize: []
       original_fieldset: x509
       short: Distinguished name (DN) of the certificate subject entity.
-      type: wildcard
+      type: keyword
     tls.client.x509.subject.locality:
       dashed_name: tls-client-x509-subject-locality
       description: List of locality names (L)
@@ -9084,18 +9004,17 @@ tls:
         of certificate offered by the server.
       type: keyword
     tls.server.issuer:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: tls-server-issuer
       description: Subject of the issuer of the x.509 certificate presented by the
         server.
       example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
       flat_name: tls.server.issuer
+      ignore_above: 1024
       level: extended
       name: server.issuer
       normalize: []
       short: Subject of the issuer of the x.509 certificate presented by the server.
-      type: wildcard
+      type: keyword
     tls.server.ja3s:
       dashed_name: tls-server-ja3s
       description: A hash that identifies servers based on how they perform an SSL/TLS
@@ -9132,17 +9051,16 @@ tls:
       short: Timestamp indicating when server certificate is first considered valid.
       type: date
     tls.server.subject:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: tls-server-subject
       description: Subject of the x.509 certificate presented by the server.
       example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com
       flat_name: tls.server.subject
+      ignore_above: 1024
       level: extended
       name: server.subject
       normalize: []
       short: Subject of the x.509 certificate presented by the server.
-      type: wildcard
+      type: keyword
     tls.server.x509.alternative_names:
       dashed_name: tls-server-x509-alternative-names
       description: List of subject alternative names (SAN). Name types vary by certificate
@@ -9185,19 +9103,18 @@ tls:
       short: List of country (C) codes
       type: keyword
     tls.server.x509.issuer.distinguished_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: tls-server-x509-issuer-distinguished-name
       description: Distinguished name (DN) of issuing certificate authority.
       example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
         Server CA
       flat_name: tls.server.x509.issuer.distinguished_name
+      ignore_above: 1024
       level: extended
       name: issuer.distinguished_name
       normalize: []
       original_fieldset: x509
       short: Distinguished name (DN) of issuing certificate authority.
-      type: wildcard
+      type: keyword
     tls.server.x509.issuer.locality:
       dashed_name: tls-server-x509-issuer-locality
       description: List of locality names (L)
@@ -9376,18 +9293,17 @@ tls:
       short: List of country (C) code
       type: keyword
     tls.server.x509.subject.distinguished_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: tls-server-x509-subject-distinguished-name
       description: Distinguished name (DN) of the certificate subject entity.
       example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
       flat_name: tls.server.x509.subject.distinguished_name
+      ignore_above: 1024
       level: extended
       name: subject.distinguished_name
       normalize: []
       original_fieldset: x509
       short: Distinguished name (DN) of the certificate subject entity.
-      type: wildcard
+      type: keyword
     tls.server.x509.subject.locality:
       dashed_name: tls-server-x509-subject-locality
       description: List of locality names (L)
@@ -9553,8 +9469,6 @@ url:
     the breaking down into scheme, domain, path, and so on.
   fields:
     url.domain:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: url-domain
       description: 'Domain of the url, such as "www.elastic.co".
 
@@ -9566,11 +9480,12 @@ url:
         field.'
       example: www.elastic.co
       flat_name: url.domain
+      ignore_above: 1024
       level: extended
       name: domain
       normalize: []
       short: Domain of the url.
-      type: wildcard
+      type: keyword
     url.extension:
       dashed_name: url-extension
       description: 'The field contains the file extension from the original request
@@ -9604,14 +9519,13 @@ url:
       short: Portion of the url after the `#`.
       type: keyword
     url.full:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: url-full
       description: If full URLs are important to your use case, they should be stored
         in `url.full`, whether this field is reconstructed or present in the event
         source.
       example: https://www.elastic.co:443/search?q=elasticsearch#top
       flat_name: url.full
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: url.full.text
@@ -9621,10 +9535,8 @@ url:
       name: full
       normalize: []
       short: Full unparsed URL.
-      type: wildcard
+      type: keyword
     url.original:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: url-original
       description: 'Unmodified original url as seen in the event source.
 
@@ -9634,6 +9546,7 @@ url:
         This field is meant to represent the URL as it was observed, complete or not.'
       example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
       flat_name: url.original
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: url.original.text
@@ -9643,7 +9556,7 @@ url:
       name: original
       normalize: []
       short: Unmodified original url as seen in the event source.
-      type: wildcard
+      type: keyword
     url.password:
       dashed_name: url-password
       description: Password of the request.
@@ -9655,16 +9568,15 @@ url:
       short: Password of the request.
       type: keyword
     url.path:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: url-path
       description: Path of the request, such as "/search".
       flat_name: url.path
+      ignore_above: 1024
       level: extended
       name: path
       normalize: []
       short: Path of the request, such as "/search".
-      type: wildcard
+      type: keyword
     url.port:
       dashed_name: url-port
       description: Port of the request, such as 443.
@@ -9693,8 +9605,6 @@ url:
       short: Query string of the request.
       type: keyword
     url.registered_domain:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: url-registered-domain
       description: 'The highest registered url domain, stripped of the subdomain.
 
@@ -9705,11 +9615,12 @@ url:
         the last two labels will not work well for TLDs such as "co.uk".'
       example: example.com
       flat_name: url.registered_domain
+      ignore_above: 1024
       level: extended
       name: registered_domain
       normalize: []
       short: The highest registered url domain, stripped of the subdomain.
-      type: wildcard
+      type: keyword
     url.scheme:
       dashed_name: url-scheme
       description: 'Scheme of the request, such as "https".
@@ -9795,24 +9706,22 @@ user:
       short: Name of the directory the user is a member of.
       type: keyword
     user.changes.email:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: user-changes-email
       description: User email address.
       flat_name: user.changes.email
+      ignore_above: 1024
       level: extended
       name: email
       normalize: []
       original_fieldset: user
       short: User email address.
-      type: wildcard
+      type: keyword
     user.changes.full_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: user-changes-full-name
       description: User's full name, if available.
       example: Albert Einstein
       flat_name: user.changes.full_name
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: user.changes.full_name.text
@@ -9823,7 +9732,7 @@ user:
       normalize: []
       original_fieldset: user
       short: User's full name, if available.
-      type: wildcard
+      type: keyword
     user.changes.group.domain:
       dashed_name: user-changes-group-domain
       description: 'Name of the directory the group is a member of.
@@ -9886,12 +9795,11 @@ user:
       short: Unique identifier of the user.
       type: keyword
     user.changes.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: user-changes-name
       description: Short name or login of the user.
       example: albert
       flat_name: user.changes.name
+      ignore_above: 1024
       level: core
       multi_fields:
       - flat_name: user.changes.name.text
@@ -9902,7 +9810,7 @@ user:
       normalize: []
       original_fieldset: user
       short: Short name or login of the user.
-      type: wildcard
+      type: keyword
     user.changes.roles:
       dashed_name: user-changes-roles
       description: Array of user roles at the time of the event.
@@ -9942,24 +9850,22 @@ user:
       short: Name of the directory the user is a member of.
       type: keyword
     user.effective.email:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: user-effective-email
       description: User email address.
       flat_name: user.effective.email
+      ignore_above: 1024
       level: extended
       name: email
       normalize: []
       original_fieldset: user
       short: User email address.
-      type: wildcard
+      type: keyword
     user.effective.full_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: user-effective-full-name
       description: User's full name, if available.
       example: Albert Einstein
       flat_name: user.effective.full_name
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: user.effective.full_name.text
@@ -9970,7 +9876,7 @@ user:
       normalize: []
       original_fieldset: user
       short: User's full name, if available.
-      type: wildcard
+      type: keyword
     user.effective.group.domain:
       dashed_name: user-effective-group-domain
       description: 'Name of the directory the group is a member of.
@@ -10033,12 +9939,11 @@ user:
       short: Unique identifier of the user.
       type: keyword
     user.effective.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: user-effective-name
       description: Short name or login of the user.
       example: albert
       flat_name: user.effective.name
+      ignore_above: 1024
       level: core
       multi_fields:
       - flat_name: user.effective.name.text
@@ -10049,7 +9954,7 @@ user:
       normalize: []
       original_fieldset: user
       short: Short name or login of the user.
-      type: wildcard
+      type: keyword
     user.effective.roles:
       dashed_name: user-effective-roles
       description: Array of user roles at the time of the event.
@@ -10064,23 +9969,21 @@ user:
       short: Array of user roles at the time of the event.
       type: keyword
     user.email:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: user-email
       description: User email address.
       flat_name: user.email
+      ignore_above: 1024
       level: extended
       name: email
       normalize: []
       short: User email address.
-      type: wildcard
+      type: keyword
     user.full_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: user-full-name
       description: User's full name, if available.
       example: Albert Einstein
       flat_name: user.full_name
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: user.full_name.text
@@ -10090,7 +9993,7 @@ user:
       name: full_name
       normalize: []
       short: User's full name, if available.
-      type: wildcard
+      type: keyword
     user.group.domain:
       dashed_name: user-group-domain
       description: 'Name of the directory the group is a member of.
@@ -10151,12 +10054,11 @@ user:
       short: Unique identifier of the user.
       type: keyword
     user.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: user-name
       description: Short name or login of the user.
       example: albert
       flat_name: user.name
+      ignore_above: 1024
       level: core
       multi_fields:
       - flat_name: user.name.text
@@ -10166,7 +10068,7 @@ user:
       name: name
       normalize: []
       short: Short name or login of the user.
-      type: wildcard
+      type: keyword
     user.roles:
       dashed_name: user-roles
       description: Array of user roles at the time of the event.
@@ -10193,24 +10095,22 @@ user:
       short: Name of the directory the user is a member of.
       type: keyword
     user.target.email:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: user-target-email
       description: User email address.
       flat_name: user.target.email
+      ignore_above: 1024
       level: extended
       name: email
       normalize: []
       original_fieldset: user
       short: User email address.
-      type: wildcard
+      type: keyword
     user.target.full_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: user-target-full-name
       description: User's full name, if available.
       example: Albert Einstein
       flat_name: user.target.full_name
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: user.target.full_name.text
@@ -10221,7 +10121,7 @@ user:
       normalize: []
       original_fieldset: user
       short: User's full name, if available.
-      type: wildcard
+      type: keyword
     user.target.group.domain:
       dashed_name: user-target-group-domain
       description: 'Name of the directory the group is a member of.
@@ -10284,12 +10184,11 @@ user:
       short: Unique identifier of the user.
       type: keyword
     user.target.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: user-target-name
       description: Short name or login of the user.
       example: albert
       flat_name: user.target.name
+      ignore_above: 1024
       level: core
       multi_fields:
       - flat_name: user.target.name.text
@@ -10300,7 +10199,7 @@ user:
       normalize: []
       original_fieldset: user
       short: Short name or login of the user.
-      type: wildcard
+      type: keyword
     user.target.roles:
       dashed_name: user-target-roles
       description: Array of user roles at the time of the event.
@@ -10399,13 +10298,12 @@ user_agent:
       short: Name of the user agent.
       type: keyword
     user_agent.original:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: user-agent-original
       description: Unparsed user_agent string.
       example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15
         (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
       flat_name: user_agent.original
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: user_agent.original.text
@@ -10415,7 +10313,7 @@ user_agent:
       name: original
       normalize: []
       short: Unparsed user_agent string.
-      type: wildcard
+      type: keyword
     user_agent.os.family:
       dashed_name: user-agent-os-family
       description: OS family (such as redhat, debian, freebsd, windows).
@@ -10429,12 +10327,11 @@ user_agent:
       short: OS family (such as redhat, debian, freebsd, windows).
       type: keyword
     user_agent.os.full:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: user-agent-os-full
       description: Operating system name, including the version or code name.
       example: Mac OS Mojave
       flat_name: user_agent.os.full
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: user_agent.os.full.text
@@ -10445,7 +10342,7 @@ user_agent:
       normalize: []
       original_fieldset: os
       short: Operating system name, including the version or code name.
-      type: wildcard
+      type: keyword
     user_agent.os.kernel:
       dashed_name: user-agent-os-kernel
       description: Operating system kernel version as a raw string.
@@ -10459,12 +10356,11 @@ user_agent:
       short: Operating system kernel version as a raw string.
       type: keyword
     user_agent.os.name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: user-agent-os-name
       description: Operating system name, without the version.
       example: Mac OS X
       flat_name: user_agent.os.name
+      ignore_above: 1024
       level: extended
       multi_fields:
       - flat_name: user_agent.os.name.text
@@ -10475,7 +10371,7 @@ user_agent:
       normalize: []
       original_fieldset: os
       short: Operating system name, without the version.
-      type: wildcard
+      type: keyword
     user_agent.os.platform:
       dashed_name: user-agent-os-platform
       description: Operating system platform (such centos, ubuntu, windows).
@@ -10841,18 +10737,17 @@ x509:
       short: List of country (C) codes
       type: keyword
     x509.issuer.distinguished_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: x509-issuer-distinguished-name
       description: Distinguished name (DN) of issuing certificate authority.
       example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
         Server CA
       flat_name: x509.issuer.distinguished_name
+      ignore_above: 1024
       level: extended
       name: issuer.distinguished_name
       normalize: []
       short: Distinguished name (DN) of issuing certificate authority.
-      type: wildcard
+      type: keyword
     x509.issuer.locality:
       dashed_name: x509-issuer-locality
       description: List of locality names (L)
@@ -11017,17 +10912,16 @@ x509:
       short: List of country (C) code
       type: keyword
     x509.subject.distinguished_name:
-      beta: Note the usage of `wildcard` type is considered beta. This field used
-        to be type `keyword`.
       dashed_name: x509-subject-distinguished-name
       description: Distinguished name (DN) of the certificate subject entity.
       example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
       flat_name: x509.subject.distinguished_name
+      ignore_above: 1024
       level: extended
       name: subject.distinguished_name
       normalize: []
       short: Distinguished name (DN) of the certificate subject entity.
-      type: wildcard
+      type: keyword
     x509.subject.locality:
       dashed_name: x509-subject-locality
       description: List of locality names (L)
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json
index 85c3f90970..04000cc76a 100644
--- a/generated/elasticsearch/7/template.json
+++ b/generated/elasticsearch/7/template.json
@@ -27,7 +27,8 @@
           "build": {
             "properties": {
               "original": {
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               }
             }
           },
@@ -73,7 +74,8 @@
                         "type": "text"
                       }
                     },
-                    "type": "wildcard"
+                    "ignore_above": 1024,
+                    "type": "keyword"
                   }
                 }
               }
@@ -83,7 +85,8 @@
             "type": "long"
           },
           "domain": {
-            "type": "wildcard"
+            "ignore_above": 1024,
+            "type": "keyword"
           },
           "geo": {
             "properties": {
@@ -107,7 +110,8 @@
                 "type": "geo_point"
               },
               "name": {
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "region_iso_code": {
                 "ignore_above": 1024,
@@ -143,7 +147,8 @@
             "type": "long"
           },
           "registered_domain": {
-            "type": "wildcard"
+            "ignore_above": 1024,
+            "type": "keyword"
           },
           "subdomain": {
             "ignore_above": 1024,
@@ -160,7 +165,8 @@
                 "type": "keyword"
               },
               "email": {
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "full_name": {
                 "fields": {
@@ -169,7 +175,8 @@
                     "type": "text"
                   }
                 },
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "group": {
                 "properties": {
@@ -202,7 +209,8 @@
                     "type": "text"
                   }
                 },
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "roles": {
                 "ignore_above": 1024,
@@ -331,7 +339,8 @@
                         "type": "text"
                       }
                     },
-                    "type": "wildcard"
+                    "ignore_above": 1024,
+                    "type": "keyword"
                   }
                 }
               }
@@ -341,7 +350,8 @@
             "type": "long"
           },
           "domain": {
-            "type": "wildcard"
+            "ignore_above": 1024,
+            "type": "keyword"
           },
           "geo": {
             "properties": {
@@ -365,7 +375,8 @@
                 "type": "geo_point"
               },
               "name": {
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "region_iso_code": {
                 "ignore_above": 1024,
@@ -401,7 +412,8 @@
             "type": "long"
           },
           "registered_domain": {
-            "type": "wildcard"
+            "ignore_above": 1024,
+            "type": "keyword"
           },
           "subdomain": {
             "ignore_above": 1024,
@@ -418,7 +430,8 @@
                 "type": "keyword"
               },
               "email": {
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "full_name": {
                 "fields": {
@@ -427,7 +440,8 @@
                     "type": "text"
                   }
                 },
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "group": {
                 "properties": {
@@ -460,7 +474,8 @@
                     "type": "text"
                   }
                 },
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "roles": {
                 "ignore_above": 1024,
@@ -548,7 +563,8 @@
                 "type": "keyword"
               },
               "original_file_name": {
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "product": {
                 "ignore_above": 1024,
@@ -567,7 +583,8 @@
                 "type": "keyword"
               },
               "data": {
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "name": {
                 "ignore_above": 1024,
@@ -602,7 +619,8 @@
                 "type": "keyword"
               },
               "name": {
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "registered_domain": {
                 "ignore_above": 1024,
@@ -658,16 +676,20 @@
             "type": "text"
           },
           "stack_trace": {
+            "doc_values": false,
             "fields": {
               "text": {
                 "norms": false,
                 "type": "text"
               }
             },
-            "type": "wildcard"
+            "ignore_above": 1024,
+            "index": false,
+            "type": "keyword"
           },
           "type": {
-            "type": "wildcard"
+            "ignore_above": 1024,
+            "type": "keyword"
           }
         }
       },
@@ -809,7 +831,8 @@
             "type": "keyword"
           },
           "directory": {
-            "type": "wildcard"
+            "ignore_above": 1024,
+            "type": "keyword"
           },
           "drive_letter": {
             "ignore_above": 1,
@@ -881,7 +904,8 @@
                 "type": "text"
               }
             },
-            "type": "wildcard"
+            "ignore_above": 1024,
+            "type": "keyword"
           },
           "pe": {
             "properties": {
@@ -906,7 +930,8 @@
                 "type": "keyword"
               },
               "original_file_name": {
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "product": {
                 "ignore_above": 1024,
@@ -924,7 +949,8 @@
                 "type": "text"
               }
             },
-            "type": "wildcard"
+            "ignore_above": 1024,
+            "type": "keyword"
           },
           "type": {
             "ignore_above": 1024,
@@ -951,7 +977,8 @@
                     "type": "keyword"
                   },
                   "distinguished_name": {
-                    "type": "wildcard"
+                    "ignore_above": 1024,
+                    "type": "keyword"
                   },
                   "locality": {
                     "ignore_above": 1024,
@@ -1012,7 +1039,8 @@
                     "type": "keyword"
                   },
                   "distinguished_name": {
-                    "type": "wildcard"
+                    "ignore_above": 1024,
+                    "type": "keyword"
                   },
                   "locality": {
                     "ignore_above": 1024,
@@ -1088,7 +1116,8 @@
                 "type": "geo_point"
               },
               "name": {
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "region_iso_code": {
                 "ignore_above": 1024,
@@ -1101,7 +1130,8 @@
             }
           },
           "hostname": {
-            "type": "wildcard"
+            "ignore_above": 1024,
+            "type": "keyword"
           },
           "id": {
             "ignore_above": 1024,
@@ -1131,7 +1161,8 @@
                     "type": "text"
                   }
                 },
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "kernel": {
                 "ignore_above": 1024,
@@ -1144,7 +1175,8 @@
                     "type": "text"
                   }
                 },
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "platform": {
                 "ignore_above": 1024,
@@ -1174,7 +1206,8 @@
                 "type": "keyword"
               },
               "email": {
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "full_name": {
                 "fields": {
@@ -1183,7 +1216,8 @@
                     "type": "text"
                   }
                 },
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "group": {
                 "properties": {
@@ -1216,7 +1250,8 @@
                     "type": "text"
                   }
                 },
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "roles": {
                 "ignore_above": 1024,
@@ -1242,7 +1277,8 @@
                         "type": "text"
                       }
                     },
-                    "type": "wildcard"
+                    "ignore_above": 1024,
+                    "type": "keyword"
                   }
                 }
               },
@@ -1262,7 +1298,8 @@
                 "type": "keyword"
               },
               "referrer": {
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               }
             }
           },
@@ -1280,7 +1317,8 @@
                         "type": "text"
                       }
                     },
-                    "type": "wildcard"
+                    "ignore_above": 1024,
+                    "type": "keyword"
                   }
                 }
               },
@@ -1310,7 +1348,8 @@
           "file": {
             "properties": {
               "path": {
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               }
             }
           },
@@ -1319,7 +1358,8 @@
             "type": "keyword"
           },
           "logger": {
-            "type": "wildcard"
+            "ignore_above": 1024,
+            "type": "keyword"
           },
           "origin": {
             "properties": {
@@ -1517,7 +1557,8 @@
                 "type": "geo_point"
               },
               "name": {
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "region_iso_code": {
                 "ignore_above": 1024,
@@ -1594,7 +1635,8 @@
                     "type": "text"
                   }
                 },
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "kernel": {
                 "ignore_above": 1024,
@@ -1607,7 +1649,8 @@
                     "type": "text"
                   }
                 },
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "platform": {
                 "ignore_above": 1024,
@@ -1658,7 +1701,8 @@
                 "type": "text"
               }
             },
-            "type": "wildcard"
+            "ignore_above": 1024,
+            "type": "keyword"
           }
         }
       },
@@ -1753,7 +1797,8 @@
                 "type": "text"
               }
             },
-            "type": "wildcard"
+            "ignore_above": 1024,
+            "type": "keyword"
           },
           "entity_id": {
             "ignore_above": 1024,
@@ -1766,7 +1811,8 @@
                 "type": "text"
               }
             },
-            "type": "wildcard"
+            "ignore_above": 1024,
+            "type": "keyword"
           },
           "exit_code": {
             "type": "long"
@@ -1802,7 +1848,8 @@
                 "type": "text"
               }
             },
-            "type": "wildcard"
+            "ignore_above": 1024,
+            "type": "keyword"
           },
           "parent": {
             "properties": {
@@ -1841,7 +1888,8 @@
                     "type": "text"
                   }
                 },
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "entity_id": {
                 "ignore_above": 1024,
@@ -1854,7 +1902,8 @@
                     "type": "text"
                   }
                 },
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "exit_code": {
                 "type": "long"
@@ -1890,7 +1939,8 @@
                     "type": "text"
                   }
                 },
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "pe": {
                 "properties": {
@@ -1915,7 +1965,8 @@
                     "type": "keyword"
                   },
                   "original_file_name": {
-                    "type": "wildcard"
+                    "ignore_above": 1024,
+                    "type": "keyword"
                   },
                   "product": {
                     "ignore_above": 1024,
@@ -1941,7 +1992,8 @@
                     "type": "long"
                   },
                   "name": {
-                    "type": "wildcard"
+                    "ignore_above": 1024,
+                    "type": "keyword"
                   }
                 }
               },
@@ -1952,7 +2004,8 @@
                     "type": "text"
                   }
                 },
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "uptime": {
                 "type": "long"
@@ -1964,7 +2017,8 @@
                     "type": "text"
                   }
                 },
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               }
             }
           },
@@ -1991,7 +2045,8 @@
                 "type": "keyword"
               },
               "original_file_name": {
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "product": {
                 "ignore_above": 1024,
@@ -2017,7 +2072,8 @@
                 "type": "long"
               },
               "name": {
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               }
             }
           },
@@ -2028,7 +2084,8 @@
                 "type": "text"
               }
             },
-            "type": "wildcard"
+            "ignore_above": 1024,
+            "type": "keyword"
           },
           "uptime": {
             "type": "long"
@@ -2040,7 +2097,8 @@
                 "type": "text"
               }
             },
-            "type": "wildcard"
+            "ignore_above": 1024,
+            "type": "keyword"
           }
         }
       },
@@ -2053,7 +2111,8 @@
                 "type": "keyword"
               },
               "strings": {
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "type": {
                 "ignore_above": 1024,
@@ -2066,10 +2125,12 @@
             "type": "keyword"
           },
           "key": {
-            "type": "wildcard"
+            "ignore_above": 1024,
+            "type": "keyword"
           },
           "path": {
-            "type": "wildcard"
+            "ignore_above": 1024,
+            "type": "keyword"
           },
           "value": {
             "ignore_above": 1024,
@@ -2160,7 +2221,8 @@
                         "type": "text"
                       }
                     },
-                    "type": "wildcard"
+                    "ignore_above": 1024,
+                    "type": "keyword"
                   }
                 }
               }
@@ -2170,7 +2232,8 @@
             "type": "long"
           },
           "domain": {
-            "type": "wildcard"
+            "ignore_above": 1024,
+            "type": "keyword"
           },
           "geo": {
             "properties": {
@@ -2194,7 +2257,8 @@
                 "type": "geo_point"
               },
               "name": {
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "region_iso_code": {
                 "ignore_above": 1024,
@@ -2230,7 +2294,8 @@
             "type": "long"
           },
           "registered_domain": {
-            "type": "wildcard"
+            "ignore_above": 1024,
+            "type": "keyword"
           },
           "subdomain": {
             "ignore_above": 1024,
@@ -2247,7 +2312,8 @@
                 "type": "keyword"
               },
               "email": {
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "full_name": {
                 "fields": {
@@ -2256,7 +2322,8 @@
                     "type": "text"
                   }
                 },
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "group": {
                 "properties": {
@@ -2289,7 +2356,8 @@
                     "type": "text"
                   }
                 },
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "roles": {
                 "ignore_above": 1024,
@@ -2355,7 +2423,8 @@
                         "type": "text"
                       }
                     },
-                    "type": "wildcard"
+                    "ignore_above": 1024,
+                    "type": "keyword"
                   }
                 }
               }
@@ -2365,7 +2434,8 @@
             "type": "long"
           },
           "domain": {
-            "type": "wildcard"
+            "ignore_above": 1024,
+            "type": "keyword"
           },
           "geo": {
             "properties": {
@@ -2389,7 +2459,8 @@
                 "type": "geo_point"
               },
               "name": {
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "region_iso_code": {
                 "ignore_above": 1024,
@@ -2425,7 +2496,8 @@
             "type": "long"
           },
           "registered_domain": {
-            "type": "wildcard"
+            "ignore_above": 1024,
+            "type": "keyword"
           },
           "subdomain": {
             "ignore_above": 1024,
@@ -2442,7 +2514,8 @@
                 "type": "keyword"
               },
               "email": {
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "full_name": {
                 "fields": {
@@ -2451,7 +2524,8 @@
                     "type": "text"
                   }
                 },
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "group": {
                 "properties": {
@@ -2484,7 +2558,8 @@
                     "type": "text"
                   }
                 },
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "roles": {
                 "ignore_above": 1024,
@@ -2607,7 +2682,8 @@
                 }
               },
               "issuer": {
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "ja3": {
                 "ignore_above": 1024,
@@ -2624,7 +2700,8 @@
                 "type": "keyword"
               },
               "subject": {
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "supported_ciphers": {
                 "ignore_above": 1024,
@@ -2647,7 +2724,8 @@
                         "type": "keyword"
                       },
                       "distinguished_name": {
-                        "type": "wildcard"
+                        "ignore_above": 1024,
+                        "type": "keyword"
                       },
                       "locality": {
                         "ignore_above": 1024,
@@ -2708,7 +2786,8 @@
                         "type": "keyword"
                       },
                       "distinguished_name": {
-                        "type": "wildcard"
+                        "ignore_above": 1024,
+                        "type": "keyword"
                       },
                       "locality": {
                         "ignore_above": 1024,
@@ -2777,7 +2856,8 @@
                 }
               },
               "issuer": {
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "ja3s": {
                 "ignore_above": 1024,
@@ -2790,7 +2870,8 @@
                 "type": "date"
               },
               "subject": {
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "x509": {
                 "properties": {
@@ -2809,7 +2890,8 @@
                         "type": "keyword"
                       },
                       "distinguished_name": {
-                        "type": "wildcard"
+                        "ignore_above": 1024,
+                        "type": "keyword"
                       },
                       "locality": {
                         "ignore_above": 1024,
@@ -2870,7 +2952,8 @@
                         "type": "keyword"
                       },
                       "distinguished_name": {
-                        "type": "wildcard"
+                        "ignore_above": 1024,
+                        "type": "keyword"
                       },
                       "locality": {
                         "ignore_above": 1024,
@@ -2927,7 +3010,8 @@
       "url": {
         "properties": {
           "domain": {
-            "type": "wildcard"
+            "ignore_above": 1024,
+            "type": "keyword"
           },
           "extension": {
             "ignore_above": 1024,
@@ -2944,7 +3028,8 @@
                 "type": "text"
               }
             },
-            "type": "wildcard"
+            "ignore_above": 1024,
+            "type": "keyword"
           },
           "original": {
             "fields": {
@@ -2953,14 +3038,16 @@
                 "type": "text"
               }
             },
-            "type": "wildcard"
+            "ignore_above": 1024,
+            "type": "keyword"
           },
           "password": {
             "ignore_above": 1024,
             "type": "keyword"
           },
           "path": {
-            "type": "wildcard"
+            "ignore_above": 1024,
+            "type": "keyword"
           },
           "port": {
             "type": "long"
@@ -2970,7 +3057,8 @@
             "type": "keyword"
           },
           "registered_domain": {
-            "type": "wildcard"
+            "ignore_above": 1024,
+            "type": "keyword"
           },
           "scheme": {
             "ignore_above": 1024,
@@ -2999,7 +3087,8 @@
                 "type": "keyword"
               },
               "email": {
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "full_name": {
                 "fields": {
@@ -3008,7 +3097,8 @@
                     "type": "text"
                   }
                 },
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "group": {
                 "properties": {
@@ -3041,7 +3131,8 @@
                     "type": "text"
                   }
                 },
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "roles": {
                 "ignore_above": 1024,
@@ -3060,7 +3151,8 @@
                 "type": "keyword"
               },
               "email": {
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "full_name": {
                 "fields": {
@@ -3069,7 +3161,8 @@
                     "type": "text"
                   }
                 },
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "group": {
                 "properties": {
@@ -3102,7 +3195,8 @@
                     "type": "text"
                   }
                 },
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "roles": {
                 "ignore_above": 1024,
@@ -3111,7 +3205,8 @@
             }
           },
           "email": {
-            "type": "wildcard"
+            "ignore_above": 1024,
+            "type": "keyword"
           },
           "full_name": {
             "fields": {
@@ -3120,7 +3215,8 @@
                 "type": "text"
               }
             },
-            "type": "wildcard"
+            "ignore_above": 1024,
+            "type": "keyword"
           },
           "group": {
             "properties": {
@@ -3153,7 +3249,8 @@
                 "type": "text"
               }
             },
-            "type": "wildcard"
+            "ignore_above": 1024,
+            "type": "keyword"
           },
           "roles": {
             "ignore_above": 1024,
@@ -3166,7 +3263,8 @@
                 "type": "keyword"
               },
               "email": {
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "full_name": {
                 "fields": {
@@ -3175,7 +3273,8 @@
                     "type": "text"
                   }
                 },
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "group": {
                 "properties": {
@@ -3208,7 +3307,8 @@
                     "type": "text"
                   }
                 },
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "roles": {
                 "ignore_above": 1024,
@@ -3239,7 +3339,8 @@
                 "type": "text"
               }
             },
-            "type": "wildcard"
+            "ignore_above": 1024,
+            "type": "keyword"
           },
           "os": {
             "properties": {
@@ -3254,7 +3355,8 @@
                     "type": "text"
                   }
                 },
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "kernel": {
                 "ignore_above": 1024,
@@ -3267,7 +3369,8 @@
                     "type": "text"
                   }
                 },
-                "type": "wildcard"
+                "ignore_above": 1024,
+                "type": "keyword"
               },
               "platform": {
                 "ignore_above": 1024,
diff --git a/generated/elasticsearch/component/agent.json b/generated/elasticsearch/component/agent.json
index d7921d9adf..c2b08b44de 100644
--- a/generated/elasticsearch/component/agent.json
+++ b/generated/elasticsearch/component/agent.json
@@ -11,7 +11,8 @@
             "build": {
               "properties": {
                 "original": {
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 }
               }
             },
diff --git a/generated/elasticsearch/component/client.json b/generated/elasticsearch/component/client.json
index c0840d578f..4813913258 100644
--- a/generated/elasticsearch/component/client.json
+++ b/generated/elasticsearch/component/client.json
@@ -26,7 +26,8 @@
                           "type": "text"
                         }
                       },
-                      "type": "wildcard"
+                      "ignore_above": 1024,
+                      "type": "keyword"
                     }
                   }
                 }
@@ -36,7 +37,8 @@
               "type": "long"
             },
             "domain": {
-              "type": "wildcard"
+              "ignore_above": 1024,
+              "type": "keyword"
             },
             "geo": {
               "properties": {
@@ -60,7 +62,8 @@
                   "type": "geo_point"
                 },
                 "name": {
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "region_iso_code": {
                   "ignore_above": 1024,
@@ -96,7 +99,8 @@
               "type": "long"
             },
             "registered_domain": {
-              "type": "wildcard"
+              "ignore_above": 1024,
+              "type": "keyword"
             },
             "subdomain": {
               "ignore_above": 1024,
@@ -113,7 +117,8 @@
                   "type": "keyword"
                 },
                 "email": {
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "full_name": {
                   "fields": {
@@ -122,7 +127,8 @@
                       "type": "text"
                     }
                   },
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "group": {
                   "properties": {
@@ -155,7 +161,8 @@
                       "type": "text"
                     }
                   },
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "roles": {
                   "ignore_above": 1024,
diff --git a/generated/elasticsearch/component/destination.json b/generated/elasticsearch/component/destination.json
index cf63935a0a..c73b493e86 100644
--- a/generated/elasticsearch/component/destination.json
+++ b/generated/elasticsearch/component/destination.json
@@ -26,7 +26,8 @@
                           "type": "text"
                         }
                       },
-                      "type": "wildcard"
+                      "ignore_above": 1024,
+                      "type": "keyword"
                     }
                   }
                 }
@@ -36,7 +37,8 @@
               "type": "long"
             },
             "domain": {
-              "type": "wildcard"
+              "ignore_above": 1024,
+              "type": "keyword"
             },
             "geo": {
               "properties": {
@@ -60,7 +62,8 @@
                   "type": "geo_point"
                 },
                 "name": {
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "region_iso_code": {
                   "ignore_above": 1024,
@@ -96,7 +99,8 @@
               "type": "long"
             },
             "registered_domain": {
-              "type": "wildcard"
+              "ignore_above": 1024,
+              "type": "keyword"
             },
             "subdomain": {
               "ignore_above": 1024,
@@ -113,7 +117,8 @@
                   "type": "keyword"
                 },
                 "email": {
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "full_name": {
                   "fields": {
@@ -122,7 +127,8 @@
                       "type": "text"
                     }
                   },
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "group": {
                   "properties": {
@@ -155,7 +161,8 @@
                       "type": "text"
                     }
                   },
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "roles": {
                   "ignore_above": 1024,
diff --git a/generated/elasticsearch/component/dll.json b/generated/elasticsearch/component/dll.json
index 5c4ff06d3f..00e5bc3428 100644
--- a/generated/elasticsearch/component/dll.json
+++ b/generated/elasticsearch/component/dll.json
@@ -84,7 +84,8 @@
                   "type": "keyword"
                 },
                 "original_file_name": {
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "product": {
                   "ignore_above": 1024,
diff --git a/generated/elasticsearch/component/dns.json b/generated/elasticsearch/component/dns.json
index f66115ccb1..a27dd8b739 100644
--- a/generated/elasticsearch/component/dns.json
+++ b/generated/elasticsearch/component/dns.json
@@ -15,7 +15,8 @@
                   "type": "keyword"
                 },
                 "data": {
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "name": {
                   "ignore_above": 1024,
@@ -50,7 +51,8 @@
                   "type": "keyword"
                 },
                 "name": {
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "registered_domain": {
                   "ignore_above": 1024,
diff --git a/generated/elasticsearch/component/error.json b/generated/elasticsearch/component/error.json
index 328259dd49..1364cd968c 100644
--- a/generated/elasticsearch/component/error.json
+++ b/generated/elasticsearch/component/error.json
@@ -21,16 +21,20 @@
               "type": "text"
             },
             "stack_trace": {
+              "doc_values": false,
               "fields": {
                 "text": {
                   "norms": false,
                   "type": "text"
                 }
               },
-              "type": "wildcard"
+              "ignore_above": 1024,
+              "index": false,
+              "type": "keyword"
             },
             "type": {
-              "type": "wildcard"
+              "ignore_above": 1024,
+              "type": "keyword"
             }
           }
         }
diff --git a/generated/elasticsearch/component/file.json b/generated/elasticsearch/component/file.json
index 10b9ed8f62..ddabf1bb60 100644
--- a/generated/elasticsearch/component/file.json
+++ b/generated/elasticsearch/component/file.json
@@ -47,7 +47,8 @@
               "type": "keyword"
             },
             "directory": {
-              "type": "wildcard"
+              "ignore_above": 1024,
+              "type": "keyword"
             },
             "drive_letter": {
               "ignore_above": 1,
@@ -119,7 +120,8 @@
                   "type": "text"
                 }
               },
-              "type": "wildcard"
+              "ignore_above": 1024,
+              "type": "keyword"
             },
             "pe": {
               "properties": {
@@ -144,7 +146,8 @@
                   "type": "keyword"
                 },
                 "original_file_name": {
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "product": {
                   "ignore_above": 1024,
@@ -162,7 +165,8 @@
                   "type": "text"
                 }
               },
-              "type": "wildcard"
+              "ignore_above": 1024,
+              "type": "keyword"
             },
             "type": {
               "ignore_above": 1024,
@@ -189,7 +193,8 @@
                       "type": "keyword"
                     },
                     "distinguished_name": {
-                      "type": "wildcard"
+                      "ignore_above": 1024,
+                      "type": "keyword"
                     },
                     "locality": {
                       "ignore_above": 1024,
@@ -250,7 +255,8 @@
                       "type": "keyword"
                     },
                     "distinguished_name": {
-                      "type": "wildcard"
+                      "ignore_above": 1024,
+                      "type": "keyword"
                     },
                     "locality": {
                       "ignore_above": 1024,
diff --git a/generated/elasticsearch/component/host.json b/generated/elasticsearch/component/host.json
index c0e3c0fcf5..3d0b3a8cf8 100644
--- a/generated/elasticsearch/component/host.json
+++ b/generated/elasticsearch/component/host.json
@@ -38,7 +38,8 @@
                   "type": "geo_point"
                 },
                 "name": {
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "region_iso_code": {
                   "ignore_above": 1024,
@@ -51,7 +52,8 @@
               }
             },
             "hostname": {
-              "type": "wildcard"
+              "ignore_above": 1024,
+              "type": "keyword"
             },
             "id": {
               "ignore_above": 1024,
@@ -81,7 +83,8 @@
                       "type": "text"
                     }
                   },
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "kernel": {
                   "ignore_above": 1024,
@@ -94,7 +97,8 @@
                       "type": "text"
                     }
                   },
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "platform": {
                   "ignore_above": 1024,
@@ -124,7 +128,8 @@
                   "type": "keyword"
                 },
                 "email": {
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "full_name": {
                   "fields": {
@@ -133,7 +138,8 @@
                       "type": "text"
                     }
                   },
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "group": {
                   "properties": {
@@ -166,7 +172,8 @@
                       "type": "text"
                     }
                   },
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "roles": {
                   "ignore_above": 1024,
diff --git a/generated/elasticsearch/component/http.json b/generated/elasticsearch/component/http.json
index d208148bdb..daff315854 100644
--- a/generated/elasticsearch/component/http.json
+++ b/generated/elasticsearch/component/http.json
@@ -22,7 +22,8 @@
                           "type": "text"
                         }
                       },
-                      "type": "wildcard"
+                      "ignore_above": 1024,
+                      "type": "keyword"
                     }
                   }
                 },
@@ -42,7 +43,8 @@
                   "type": "keyword"
                 },
                 "referrer": {
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 }
               }
             },
@@ -60,7 +62,8 @@
                           "type": "text"
                         }
                       },
-                      "type": "wildcard"
+                      "ignore_above": 1024,
+                      "type": "keyword"
                     }
                   }
                 },
diff --git a/generated/elasticsearch/component/log.json b/generated/elasticsearch/component/log.json
index b699db361d..43bf92832c 100644
--- a/generated/elasticsearch/component/log.json
+++ b/generated/elasticsearch/component/log.json
@@ -11,7 +11,8 @@
             "file": {
               "properties": {
                 "path": {
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 }
               }
             },
@@ -20,7 +21,8 @@
               "type": "keyword"
             },
             "logger": {
-              "type": "wildcard"
+              "ignore_above": 1024,
+              "type": "keyword"
             },
             "origin": {
               "properties": {
diff --git a/generated/elasticsearch/component/observer.json b/generated/elasticsearch/component/observer.json
index 30dce73707..049625241b 100644
--- a/generated/elasticsearch/component/observer.json
+++ b/generated/elasticsearch/component/observer.json
@@ -67,7 +67,8 @@
                   "type": "geo_point"
                 },
                 "name": {
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "region_iso_code": {
                   "ignore_above": 1024,
@@ -144,7 +145,8 @@
                       "type": "text"
                     }
                   },
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "kernel": {
                   "ignore_above": 1024,
@@ -157,7 +159,8 @@
                       "type": "text"
                     }
                   },
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "platform": {
                   "ignore_above": 1024,
diff --git a/generated/elasticsearch/component/organization.json b/generated/elasticsearch/component/organization.json
index d9cb399e89..8d218314ee 100644
--- a/generated/elasticsearch/component/organization.json
+++ b/generated/elasticsearch/component/organization.json
@@ -19,7 +19,8 @@
                   "type": "text"
                 }
               },
-              "type": "wildcard"
+              "ignore_above": 1024,
+              "type": "keyword"
             }
           }
         }
diff --git a/generated/elasticsearch/component/process.json b/generated/elasticsearch/component/process.json
index f214a3c6bd..4983b405b0 100644
--- a/generated/elasticsearch/component/process.json
+++ b/generated/elasticsearch/component/process.json
@@ -43,7 +43,8 @@
                   "type": "text"
                 }
               },
-              "type": "wildcard"
+              "ignore_above": 1024,
+              "type": "keyword"
             },
             "entity_id": {
               "ignore_above": 1024,
@@ -56,7 +57,8 @@
                   "type": "text"
                 }
               },
-              "type": "wildcard"
+              "ignore_above": 1024,
+              "type": "keyword"
             },
             "exit_code": {
               "type": "long"
@@ -92,7 +94,8 @@
                   "type": "text"
                 }
               },
-              "type": "wildcard"
+              "ignore_above": 1024,
+              "type": "keyword"
             },
             "parent": {
               "properties": {
@@ -131,7 +134,8 @@
                       "type": "text"
                     }
                   },
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "entity_id": {
                   "ignore_above": 1024,
@@ -144,7 +148,8 @@
                       "type": "text"
                     }
                   },
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "exit_code": {
                   "type": "long"
@@ -180,7 +185,8 @@
                       "type": "text"
                     }
                   },
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "pe": {
                   "properties": {
@@ -205,7 +211,8 @@
                       "type": "keyword"
                     },
                     "original_file_name": {
-                      "type": "wildcard"
+                      "ignore_above": 1024,
+                      "type": "keyword"
                     },
                     "product": {
                       "ignore_above": 1024,
@@ -231,7 +238,8 @@
                       "type": "long"
                     },
                     "name": {
-                      "type": "wildcard"
+                      "ignore_above": 1024,
+                      "type": "keyword"
                     }
                   }
                 },
@@ -242,7 +250,8 @@
                       "type": "text"
                     }
                   },
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "uptime": {
                   "type": "long"
@@ -254,7 +263,8 @@
                       "type": "text"
                     }
                   },
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 }
               }
             },
@@ -281,7 +291,8 @@
                   "type": "keyword"
                 },
                 "original_file_name": {
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "product": {
                   "ignore_above": 1024,
@@ -307,7 +318,8 @@
                   "type": "long"
                 },
                 "name": {
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 }
               }
             },
@@ -318,7 +330,8 @@
                   "type": "text"
                 }
               },
-              "type": "wildcard"
+              "ignore_above": 1024,
+              "type": "keyword"
             },
             "uptime": {
               "type": "long"
@@ -330,7 +343,8 @@
                   "type": "text"
                 }
               },
-              "type": "wildcard"
+              "ignore_above": 1024,
+              "type": "keyword"
             }
           }
         }
diff --git a/generated/elasticsearch/component/registry.json b/generated/elasticsearch/component/registry.json
index 0ed4b2c47c..c7daf11d16 100644
--- a/generated/elasticsearch/component/registry.json
+++ b/generated/elasticsearch/component/registry.json
@@ -15,7 +15,8 @@
                   "type": "keyword"
                 },
                 "strings": {
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "type": {
                   "ignore_above": 1024,
@@ -28,10 +29,12 @@
               "type": "keyword"
             },
             "key": {
-              "type": "wildcard"
+              "ignore_above": 1024,
+              "type": "keyword"
             },
             "path": {
-              "type": "wildcard"
+              "ignore_above": 1024,
+              "type": "keyword"
             },
             "value": {
               "ignore_above": 1024,
diff --git a/generated/elasticsearch/component/server.json b/generated/elasticsearch/component/server.json
index 39f925b650..bdd746f660 100644
--- a/generated/elasticsearch/component/server.json
+++ b/generated/elasticsearch/component/server.json
@@ -26,7 +26,8 @@
                           "type": "text"
                         }
                       },
-                      "type": "wildcard"
+                      "ignore_above": 1024,
+                      "type": "keyword"
                     }
                   }
                 }
@@ -36,7 +37,8 @@
               "type": "long"
             },
             "domain": {
-              "type": "wildcard"
+              "ignore_above": 1024,
+              "type": "keyword"
             },
             "geo": {
               "properties": {
@@ -60,7 +62,8 @@
                   "type": "geo_point"
                 },
                 "name": {
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "region_iso_code": {
                   "ignore_above": 1024,
@@ -96,7 +99,8 @@
               "type": "long"
             },
             "registered_domain": {
-              "type": "wildcard"
+              "ignore_above": 1024,
+              "type": "keyword"
             },
             "subdomain": {
               "ignore_above": 1024,
@@ -113,7 +117,8 @@
                   "type": "keyword"
                 },
                 "email": {
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "full_name": {
                   "fields": {
@@ -122,7 +127,8 @@
                       "type": "text"
                     }
                   },
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "group": {
                   "properties": {
@@ -155,7 +161,8 @@
                       "type": "text"
                     }
                   },
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "roles": {
                   "ignore_above": 1024,
diff --git a/generated/elasticsearch/component/source.json b/generated/elasticsearch/component/source.json
index 5a00a9eb52..cb236d53f0 100644
--- a/generated/elasticsearch/component/source.json
+++ b/generated/elasticsearch/component/source.json
@@ -26,7 +26,8 @@
                           "type": "text"
                         }
                       },
-                      "type": "wildcard"
+                      "ignore_above": 1024,
+                      "type": "keyword"
                     }
                   }
                 }
@@ -36,7 +37,8 @@
               "type": "long"
             },
             "domain": {
-              "type": "wildcard"
+              "ignore_above": 1024,
+              "type": "keyword"
             },
             "geo": {
               "properties": {
@@ -60,7 +62,8 @@
                   "type": "geo_point"
                 },
                 "name": {
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "region_iso_code": {
                   "ignore_above": 1024,
@@ -96,7 +99,8 @@
               "type": "long"
             },
             "registered_domain": {
-              "type": "wildcard"
+              "ignore_above": 1024,
+              "type": "keyword"
             },
             "subdomain": {
               "ignore_above": 1024,
@@ -113,7 +117,8 @@
                   "type": "keyword"
                 },
                 "email": {
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "full_name": {
                   "fields": {
@@ -122,7 +127,8 @@
                       "type": "text"
                     }
                   },
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "group": {
                   "properties": {
@@ -155,7 +161,8 @@
                       "type": "text"
                     }
                   },
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "roles": {
                   "ignore_above": 1024,
diff --git a/generated/elasticsearch/component/tls.json b/generated/elasticsearch/component/tls.json
index 35a5c46faf..4621cedde0 100644
--- a/generated/elasticsearch/component/tls.json
+++ b/generated/elasticsearch/component/tls.json
@@ -39,7 +39,8 @@
                   }
                 },
                 "issuer": {
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "ja3": {
                   "ignore_above": 1024,
@@ -56,7 +57,8 @@
                   "type": "keyword"
                 },
                 "subject": {
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "supported_ciphers": {
                   "ignore_above": 1024,
@@ -79,7 +81,8 @@
                           "type": "keyword"
                         },
                         "distinguished_name": {
-                          "type": "wildcard"
+                          "ignore_above": 1024,
+                          "type": "keyword"
                         },
                         "locality": {
                           "ignore_above": 1024,
@@ -140,7 +143,8 @@
                           "type": "keyword"
                         },
                         "distinguished_name": {
-                          "type": "wildcard"
+                          "ignore_above": 1024,
+                          "type": "keyword"
                         },
                         "locality": {
                           "ignore_above": 1024,
@@ -209,7 +213,8 @@
                   }
                 },
                 "issuer": {
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "ja3s": {
                   "ignore_above": 1024,
@@ -222,7 +227,8 @@
                   "type": "date"
                 },
                 "subject": {
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "x509": {
                   "properties": {
@@ -241,7 +247,8 @@
                           "type": "keyword"
                         },
                         "distinguished_name": {
-                          "type": "wildcard"
+                          "ignore_above": 1024,
+                          "type": "keyword"
                         },
                         "locality": {
                           "ignore_above": 1024,
@@ -302,7 +309,8 @@
                           "type": "keyword"
                         },
                         "distinguished_name": {
-                          "type": "wildcard"
+                          "ignore_above": 1024,
+                          "type": "keyword"
                         },
                         "locality": {
                           "ignore_above": 1024,
diff --git a/generated/elasticsearch/component/url.json b/generated/elasticsearch/component/url.json
index 0975aa95ce..8b7b56aa0d 100644
--- a/generated/elasticsearch/component/url.json
+++ b/generated/elasticsearch/component/url.json
@@ -9,7 +9,8 @@
         "url": {
           "properties": {
             "domain": {
-              "type": "wildcard"
+              "ignore_above": 1024,
+              "type": "keyword"
             },
             "extension": {
               "ignore_above": 1024,
@@ -26,7 +27,8 @@
                   "type": "text"
                 }
               },
-              "type": "wildcard"
+              "ignore_above": 1024,
+              "type": "keyword"
             },
             "original": {
               "fields": {
@@ -35,14 +37,16 @@
                   "type": "text"
                 }
               },
-              "type": "wildcard"
+              "ignore_above": 1024,
+              "type": "keyword"
             },
             "password": {
               "ignore_above": 1024,
               "type": "keyword"
             },
             "path": {
-              "type": "wildcard"
+              "ignore_above": 1024,
+              "type": "keyword"
             },
             "port": {
               "type": "long"
@@ -52,7 +56,8 @@
               "type": "keyword"
             },
             "registered_domain": {
-              "type": "wildcard"
+              "ignore_above": 1024,
+              "type": "keyword"
             },
             "scheme": {
               "ignore_above": 1024,
diff --git a/generated/elasticsearch/component/user.json b/generated/elasticsearch/component/user.json
index 02dee92890..af3bc6bf2f 100644
--- a/generated/elasticsearch/component/user.json
+++ b/generated/elasticsearch/component/user.json
@@ -15,7 +15,8 @@
                   "type": "keyword"
                 },
                 "email": {
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "full_name": {
                   "fields": {
@@ -24,7 +25,8 @@
                       "type": "text"
                     }
                   },
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "group": {
                   "properties": {
@@ -57,7 +59,8 @@
                       "type": "text"
                     }
                   },
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "roles": {
                   "ignore_above": 1024,
@@ -76,7 +79,8 @@
                   "type": "keyword"
                 },
                 "email": {
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "full_name": {
                   "fields": {
@@ -85,7 +89,8 @@
                       "type": "text"
                     }
                   },
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "group": {
                   "properties": {
@@ -118,7 +123,8 @@
                       "type": "text"
                     }
                   },
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "roles": {
                   "ignore_above": 1024,
@@ -127,7 +133,8 @@
               }
             },
             "email": {
-              "type": "wildcard"
+              "ignore_above": 1024,
+              "type": "keyword"
             },
             "full_name": {
               "fields": {
@@ -136,7 +143,8 @@
                   "type": "text"
                 }
               },
-              "type": "wildcard"
+              "ignore_above": 1024,
+              "type": "keyword"
             },
             "group": {
               "properties": {
@@ -169,7 +177,8 @@
                   "type": "text"
                 }
               },
-              "type": "wildcard"
+              "ignore_above": 1024,
+              "type": "keyword"
             },
             "roles": {
               "ignore_above": 1024,
@@ -182,7 +191,8 @@
                   "type": "keyword"
                 },
                 "email": {
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "full_name": {
                   "fields": {
@@ -191,7 +201,8 @@
                       "type": "text"
                     }
                   },
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "group": {
                   "properties": {
@@ -224,7 +235,8 @@
                       "type": "text"
                     }
                   },
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "roles": {
                   "ignore_above": 1024,
diff --git a/generated/elasticsearch/component/user_agent.json b/generated/elasticsearch/component/user_agent.json
index 6ecb7d46e4..be9177da45 100644
--- a/generated/elasticsearch/component/user_agent.json
+++ b/generated/elasticsearch/component/user_agent.json
@@ -27,7 +27,8 @@
                   "type": "text"
                 }
               },
-              "type": "wildcard"
+              "ignore_above": 1024,
+              "type": "keyword"
             },
             "os": {
               "properties": {
@@ -42,7 +43,8 @@
                       "type": "text"
                     }
                   },
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "kernel": {
                   "ignore_above": 1024,
@@ -55,7 +57,8 @@
                       "type": "text"
                     }
                   },
-                  "type": "wildcard"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "platform": {
                   "ignore_above": 1024,
diff --git a/schemas/agent.yml b/schemas/agent.yml
index ada014aecb..a7758e90ce 100644
--- a/schemas/agent.yml
+++ b/schemas/agent.yml
@@ -24,9 +24,8 @@
 
     - name: build.original
       level: core
-      type: wildcard
+      type: keyword
       short: Extended build information for the agent.
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         Extended build information for the agent.
 
diff --git a/schemas/as.yml b/schemas/as.yml
index 0094a46a9a..952d7febeb 100644
--- a/schemas/as.yml
+++ b/schemas/as.yml
@@ -29,8 +29,7 @@
 
     - name: organization.name
       level: extended
-      type: wildcard
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
+      type: keyword
       description: >
         Organization name.
       example: Google LLC
diff --git a/schemas/client.yml b/schemas/client.yml
index b61329316e..e63ab70276 100644
--- a/schemas/client.yml
+++ b/schemas/client.yml
@@ -53,16 +53,14 @@
 
     - name: domain
       level: core
-      type: wildcard
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
+      type: keyword
       description: >
         Client domain.
 
     - name: registered_domain
       level: extended
-      type: wildcard
+      type: keyword
       short: The highest registered client domain, stripped of the subdomain.
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         The highest registered client domain, stripped of the subdomain.
 
diff --git a/schemas/destination.yml b/schemas/destination.yml
index ab6979e346..a1e91958f7 100644
--- a/schemas/destination.yml
+++ b/schemas/destination.yml
@@ -48,15 +48,13 @@
 
     - name: domain
       level: core
-      type: wildcard
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
+      type: keyword
       description: >
         Destination domain.
 
     - name: registered_domain
       level: extended
-      type: wildcard
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
+      type: keyword
       short: The highest registered destination domain, stripped of the subdomain.
       description: >
         The highest registered destination domain, stripped of the subdomain.
diff --git a/schemas/dns.yml b/schemas/dns.yml
index 220a723967..afe11a190a 100644
--- a/schemas/dns.yml
+++ b/schemas/dns.yml
@@ -66,9 +66,8 @@
 
     - name: question.name
       level: extended
-      type: wildcard
+      type: keyword
       short: The name being queried.
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         The name being queried.
 
@@ -186,9 +185,8 @@
 
     - name: answers.data
       level: extended
-      type: wildcard
+      type: keyword
       short: The data describing the resource.
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         The data describing the resource.
 
diff --git a/schemas/error.yml b/schemas/error.yml
index b1ae66f588..7d96f09a4b 100644
--- a/schemas/error.yml
+++ b/schemas/error.yml
@@ -31,16 +31,15 @@
 
     - name: type
       level: extended
-      type: wildcard
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
+      type: keyword
       example: java.lang.NullPointerException
       description: >
         The type of the error, for example the class name of the exception.
 
     - name: stack_trace
       level: extended
-      type: wildcard
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
+      type: keyword
+      index: false
       description: >
         The stack trace of this error in plain text.
       multi_fields:
diff --git a/schemas/file.yml b/schemas/file.yml
index 419116c8da..545b4661fa 100644
--- a/schemas/file.yml
+++ b/schemas/file.yml
@@ -33,9 +33,8 @@
 
     - name: directory
       level: extended
-      type: wildcard
+      type: keyword
       short: Directory where the file is located.
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         Directory where the file is located. It should include the drive letter,
         when appropriate.
@@ -54,9 +53,8 @@
 
     - name: path
       level: extended
-      type: wildcard
+      type: keyword
       short: Full path to the file, including the file name.
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         Full path to the file, including the file name. It should include the
         drive letter, when appropriate.
@@ -67,8 +65,7 @@
 
     - name: target_path
       level: extended
-      type: wildcard
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
+      type: keyword
       description: Target path for symlinks.
       multi_fields:
         - type: text
diff --git a/schemas/geo.yml b/schemas/geo.yml
index a6654d982f..347d60829e 100644
--- a/schemas/geo.yml
+++ b/schemas/geo.yml
@@ -71,9 +71,8 @@
 
     - name: name
       level: extended
-      type: wildcard
+      type: keyword
       short: User-defined description of a location.
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         User-defined description of a location, at the level of granularity they care about.
 
diff --git a/schemas/host.yml b/schemas/host.yml
index f751d9b3ff..2fdbd9e4f7 100644
--- a/schemas/host.yml
+++ b/schemas/host.yml
@@ -14,9 +14,8 @@
 
     - name: hostname
       level: core
-      type: wildcard
+      type: keyword
       short: Hostname of the host.
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         Hostname of the host.
 
diff --git a/schemas/http.yml b/schemas/http.yml
index 75475199b4..1a5531e5a5 100644
--- a/schemas/http.yml
+++ b/schemas/http.yml
@@ -15,9 +15,9 @@
       description: >
         A unique identifier for each HTTP request to correlate logs between clients
         and servers in transactions.
-        
+
         The id may be contained in a non-standard HTTP header, such as `X-Request-ID`
-        or `X-Correlation-ID`. 
+        or `X-Correlation-ID`.
 
       example: 123e4567-e89b-12d3-a456-426614174000
 
@@ -55,8 +55,7 @@
 
     - name: request.body.content
       level: extended
-      type: wildcard
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
+      type: keyword
       description: >
         The full HTTP request body.
       example: Hello world
@@ -66,8 +65,7 @@
 
     - name: request.referrer
       level: extended
-      type: wildcard
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
+      type: keyword
       description: >
         Referrer for this HTTP request.
       example: https://blog.example.com/
@@ -96,8 +94,7 @@
 
     - name: response.body.content
       level: extended
-      type: wildcard
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
+      type: keyword
       description: >
         The full HTTP response body.
       example: Hello world
diff --git a/schemas/log.yml b/schemas/log.yml
index 991b9235a0..fed4c063dd 100644
--- a/schemas/log.yml
+++ b/schemas/log.yml
@@ -31,9 +31,8 @@
 
     - name: file.path
       level: extended
-      type: wildcard
+      type: keyword
       short: Full path to the log file this event came from.
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         Full path to the log file this event came from, including the file name.
         It should include the drive letter, when appropriate.
@@ -64,10 +63,9 @@
 
     - name: logger
       level: core
-      type: wildcard
+      type: keyword
       example: org.elasticsearch.bootstrap.Bootstrap
       short: Name of the logger.
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
 
diff --git a/schemas/organization.yml b/schemas/organization.yml
index 4eee9ce663..dcd2358927 100644
--- a/schemas/organization.yml
+++ b/schemas/organization.yml
@@ -14,8 +14,7 @@
 
     - name: name
       level: extended
-      type: wildcard
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
+      type: keyword
       description: >
         Organization name.
       multi_fields:
diff --git a/schemas/os.yml b/schemas/os.yml
index 9a93fd933b..8b8cfcdad7 100644
--- a/schemas/os.yml
+++ b/schemas/os.yml
@@ -36,9 +36,8 @@
 
     - name: name
       level: extended
-      type: wildcard
+      type: keyword
       example: "Mac OS X"
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         Operating system name, without the version.
       multi_fields:
@@ -47,9 +46,8 @@
 
     - name: full
       level: extended
-      type: wildcard
+      type: keyword
       example: "Mac OS Mojave"
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         Operating system name, including the version or code name.
       multi_fields:
diff --git a/schemas/pe.yml b/schemas/pe.yml
index 8a7e2ddaf8..126fb16136 100644
--- a/schemas/pe.yml
+++ b/schemas/pe.yml
@@ -13,8 +13,7 @@
   fields:
     - name: original_file_name
       level: extended
-      type: wildcard
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
+      type: keyword
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
 
diff --git a/schemas/process.yml b/schemas/process.yml
index 8c9661cebd..13ec63c07f 100644
--- a/schemas/process.yml
+++ b/schemas/process.yml
@@ -44,9 +44,8 @@
 
     - name: name
       level: extended
-      type: wildcard
+      type: keyword
       short: Process name.
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         Process name.
 
@@ -73,9 +72,8 @@
 
     - name: command_line
       level: extended
-      type: wildcard
+      type: keyword
       short: Full command line that started the process.
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         Full command line that started the process, including the absolute path
         to the executable, and all arguments.
@@ -112,8 +110,7 @@
 
     - name: executable
       level: extended
-      type: wildcard
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
+      type: keyword
       description: >
         Absolute path to the process executable.
       example: /usr/bin/ssh
@@ -123,9 +120,8 @@
 
     - name: title
       level: extended
-      type: wildcard
+      type: keyword
       short: Process title.
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         Process title.
 
@@ -145,8 +141,7 @@
 
     - name: thread.name
       level: extended
-      type: wildcard
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
+      type: keyword
       example: 'thread-0'
       description: >
         Thread name.
@@ -167,9 +162,8 @@
 
     - name: working_directory
       level: extended
-      type: wildcard
+      type: keyword
       example: /home/alice
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         The working directory of the process.
       multi_fields:
diff --git a/schemas/registry.yml b/schemas/registry.yml
index 576727087e..bf8670d84e 100644
--- a/schemas/registry.yml
+++ b/schemas/registry.yml
@@ -14,8 +14,7 @@
 
     - name: key
       level: core
-      type: wildcard
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
+      type: keyword
       description: Hive-relative path of keys.
       example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
 
@@ -27,8 +26,7 @@
 
     - name: path
       level: core
-      type: wildcard
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
+      type: keyword
       description: Full path, including hive, key and value
       example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
 
@@ -40,9 +38,8 @@
 
     - name: data.strings
       level: core
-      type: wildcard
+      type: keyword
       short: List of strings representing what was written to the registry.
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       example: '["C:\rta\red_ttp\bin\myapp.exe"]'
       description: >
         Content when writing string types.
diff --git a/schemas/server.yml b/schemas/server.yml
index b8d6924696..867b3bd03c 100644
--- a/schemas/server.yml
+++ b/schemas/server.yml
@@ -53,15 +53,13 @@
 
     - name: domain
       level: core
-      type: wildcard
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
+      type: keyword
       description: >
         Server domain.
 
     - name: registered_domain
       level: extended
-      type: wildcard
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
+      type: keyword
       short: The highest registered server domain, stripped of the subdomain.
       description: >
         The highest registered server domain, stripped of the subdomain.
diff --git a/schemas/source.yml b/schemas/source.yml
index 581d5c062b..268b975312 100644
--- a/schemas/source.yml
+++ b/schemas/source.yml
@@ -48,16 +48,14 @@
 
     - name: domain
       level: core
-      type: wildcard
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
+      type: keyword
       description: >
         Source domain.
 
     - name: registered_domain
       level: extended
-      type: wildcard
+      type: keyword
       short: The highest registered source domain, stripped of the subdomain.
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         The highest registered source domain, stripped of the subdomain.
 
diff --git a/schemas/tls.yml b/schemas/tls.yml
index 781aafb66e..3ecacb041a 100644
--- a/schemas/tls.yml
+++ b/schemas/tls.yml
@@ -78,16 +78,14 @@
         - array
 
     - name: client.subject
-      type: wildcard
+      type: keyword
       level: extended
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: Distinguished name of subject of the x.509 certificate presented by the client.
       example: "CN=myclient, OU=Documentation Team, DC=example, DC=com"
 
     - name: client.issuer
-      type: wildcard
+      type: keyword
       level: extended
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
       example: "CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com"
 
@@ -159,16 +157,14 @@
       example: 394441ab65754e2207b1e1b457b3641d
 
     - name: server.subject
-      type: wildcard
+      type: keyword
       level: extended
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: Subject of the x.509 certificate presented by the server.
       example: "CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com"
 
     - name: server.issuer
-      type: wildcard
+      type: keyword
       level: extended
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: Subject of the issuer of the x.509 certificate presented by the server.
       example: "CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com"
 
diff --git a/schemas/url.yml b/schemas/url.yml
index a264e59395..88a0278891 100644
--- a/schemas/url.yml
+++ b/schemas/url.yml
@@ -10,8 +10,7 @@
 
     - name: original
       level: extended
-      type: wildcard
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
+      type: keyword
       short: Unmodified original url as seen in the event source.
       description: >
         Unmodified original url as seen in the event source.
@@ -29,9 +28,8 @@
 
     - name: full
       level: extended
-      type: wildcard
+      type: keyword
       short: Full unparsed URL.
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         If full URLs are important to your use case, they should be stored in
         `url.full`, whether this field is reconstructed or present in the
@@ -53,9 +51,8 @@
 
     - name: domain
       level: extended
-      type: wildcard
+      type: keyword
       short: Domain of the url.
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         Domain of the url, such as "www.elastic.co".
 
@@ -68,9 +65,8 @@
 
     - name: registered_domain
       level: extended
-      type: wildcard
+      type: keyword
       short: The highest registered url domain, stripped of the subdomain.
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         The highest registered url domain, stripped of the subdomain.
 
@@ -120,8 +116,7 @@
 
     - name: path
       level: extended
-      type: wildcard
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
+      type: keyword
       description: >
         Path of the request, such as "/search".
 
diff --git a/schemas/user.yml b/schemas/user.yml
index 6e010627cf..0fe7a32411 100644
--- a/schemas/user.yml
+++ b/schemas/user.yml
@@ -48,9 +48,8 @@
 
     - name: name
       level: core
-      type: wildcard
+      type: keyword
       example: albert
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
       description: >
         Short name or login of the user.
       multi_fields:
@@ -59,8 +58,7 @@
 
     - name: full_name
       level: extended
-      type: wildcard
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
+      type: keyword
       example: Albert Einstein
       description: >
         User's full name, if available.
@@ -70,8 +68,7 @@
 
     - name: email
       level: extended
-      type: wildcard
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
+      type: keyword
       description: >
         User email address.
 
diff --git a/schemas/user_agent.yml b/schemas/user_agent.yml
index 84388859cf..9c18c20827 100644
--- a/schemas/user_agent.yml
+++ b/schemas/user_agent.yml
@@ -12,8 +12,7 @@
 
     - name: original
       level: extended
-      type: wildcard
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
+      type: keyword
       multi_fields:
       - type: text
         name: text
diff --git a/schemas/x509.yml b/schemas/x509.yml
index a36e8a91a1..124551c96c 100644
--- a/schemas/x509.yml
+++ b/schemas/x509.yml
@@ -37,8 +37,7 @@
 
     - name: issuer.distinguished_name
       level: extended
-      type: wildcard
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
+      type: keyword
       description: Distinguished name (DN) of issuing certificate authority.
       example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
 
@@ -114,8 +113,7 @@
 
     - name: subject.distinguished_name
       level: extended
-      type: wildcard
-      beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`.
+      type: keyword
       description: Distinguished name (DN) of the certificate subject entity.
       example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
 
diff --git a/use-cases/auditbeat.md b/use-cases/auditbeat.md
index 15e2935a61..dff825a597 100644
--- a/use-cases/auditbeat.md
+++ b/use-cases/auditbeat.md
@@ -9,8 +9,8 @@ ECS usage in Auditbeat.
 |---|---|---|---|---|
 | [event.module](../README.md#event.module)  | Auditbeat module name. | core | keyword | `apache` |
 | <a name="file.&ast;"></a>*file.&ast;* | *File attributes.<br/>* |  |  |  |
-| [file.path](../README.md#file.path)  | The path to the file. | extended | wildcard | `/home/alice/example.png` |
-| [file.target_path](../README.md#file.target_path)  | The target path for symlinks. | extended | wildcard |  |
+| [file.path](../README.md#file.path)  | The path to the file. | extended | keyword | `/home/alice/example.png` |
+| [file.target_path](../README.md#file.target_path)  | The target path for symlinks. | extended | keyword |  |
 | [file.type](../README.md#file.type)  | The file type (file, dir, or symlink). | extended | keyword | `file` |
 | [file.device](../README.md#file.device)  | The device. | extended | keyword | `sda` |
 | [file.inode](../README.md#file.inode)  | The inode representing the file in the filesystem. | extended | keyword | `256383` |
diff --git a/use-cases/filebeat-apache-access.md b/use-cases/filebeat-apache-access.md
index 293c2fb190..a9ef41840f 100644
--- a/use-cases/filebeat-apache-access.md
+++ b/use-cases/filebeat-apache-access.md
@@ -13,7 +13,7 @@ ECS fields used in Filebeat for the apache module.
 | [event.module](../README.md#event.module)  | Currently fileset.module | core | keyword | `apache` |
 | [event.dataset](../README.md#event.dataset)  | Currenly fileset.name | core | keyword | `access` |
 | [source.ip](../README.md#source.ip)  | Source ip of the request. Currently apache.access.remote_ip | core | ip | `192.168.1.1` |
-| [user.name](../README.md#user.name)  | User name in the request. Currently apache.access.user_name | core | wildcard | `ruflin` |
+| [user.name](../README.md#user.name)  | User name in the request. Currently apache.access.user_name | core | keyword | `ruflin` |
 | <a name="http.method"></a>*http.method* | *Http method, currently apache.access.method* | (use case) | keyword | `GET` |
 | <a name="http.url"></a>*http.url* | *Http url, currently apache.access.url* | (use case) | keyword | `http://elastic.co/` |
 | [http.version](../README.md#http.version)  | Http version, currently apache.access.http_version | extended | keyword | `1.1` |
@@ -21,7 +21,7 @@ ECS fields used in Filebeat for the apache module.
 | <a name="http.response.body_sent.bytes"></a>*http.response.body_sent.bytes* | *Http response body bytes sent, currently apache.access.body_sent.bytes* | (use case) | long | `117` |
 | <a name="http.referer"></a>*http.referer* | *Http referrer code, currently apache.access.referrer<br/>NOTE: In the RFC its misspell as referer and has become accepted standard* | (use case) | keyword | `http://elastic.co/` |
 | <a name="user_agent.&ast;"></a>*user_agent.&ast;* | *User agent fields as in schema. Currently under apache.access.user_agent.*<br/>* |  |  |  |
-| [user_agent.original](../README.md#user_agent.original)  | Original user agent. Currently apache.access.agent | extended | wildcard | `http://elastic.co/` |
+| [user_agent.original](../README.md#user_agent.original)  | Original user agent. Currently apache.access.agent | extended | keyword | `http://elastic.co/` |
 | <a name="geoip.&ast;"></a>*geoip.&ast;* | *User agent fields as in schema. Currently under apache.access.geoip.*<br/>These are extracted from source.ip<br/>Should they be under source.geoip?<br/>* |  |  |  |
 | <a name="geoip...."></a>*geoip....* | *All geoip fields.* | (use case) | keyword |  |
 
diff --git a/use-cases/kubernetes.md b/use-cases/kubernetes.md
index 057ed289cb..5588da6060 100644
--- a/use-cases/kubernetes.md
+++ b/use-cases/kubernetes.md
@@ -10,7 +10,7 @@ You can monitor containers running in a Kubernetes cluster by adding Kubernetes-
 |---|---|---|---|---|
 | [container.id](../README.md#container.id)  | Unique container id. | core | keyword | `fdbef803fa2b` |
 | [container.name](../README.md#container.name)  | Container name. | extended | keyword |  |
-| [host.hostname](../README.md#host.hostname)  | Hostname of the host.<br/>It normally contains what the `hostname` command returns on the host machine. | core | wildcard | `kube-high-cpu-42` |
+| [host.hostname](../README.md#host.hostname)  | Hostname of the host.<br/>It normally contains what the `hostname` command returns on the host machine. | core | keyword | `kube-high-cpu-42` |
 | <a name="kubernetes.pod.name"></a>*kubernetes.pod.name* | *Kubernetes pod name* | (use case) | keyword | `foo-webserver` |
 | <a name="kubernetes.namespace"></a>*kubernetes.namespace* | *Kubernetes namespace* | (use case) | keyword | `foo-team` |
 | <a name="kubernetes.labels"></a>*kubernetes.labels* | *Kubernetes labels map* | (use case) | object |  |
diff --git a/use-cases/metricbeat.md b/use-cases/metricbeat.md
index 79b3369efd..c573a7897e 100644
--- a/use-cases/metricbeat.md
+++ b/use-cases/metricbeat.md
@@ -21,7 +21,7 @@ ECS fields used Metricbeat.
 | <a name="error.&ast;"></a>*error.&ast;* | *Error namespace<br/>Use for errors which can happen during fetching information for a service.<br/>* |  |  |  |
 | [error.message](../README.md#error.message)  | Error message returned by the service during fetching metrics. | core | text |  |
 | [error.code](../README.md#error.code)  | Error code returned by the service during fetching metrics. | core | keyword |  |
-| [host.hostname](../README.md#host.hostname)  | Hostname of the system metricbeat is running on or user defined name. | core | wildcard |  |
+| [host.hostname](../README.md#host.hostname)  | Hostname of the system metricbeat is running on or user defined name. | core | keyword |  |
 | <a name="host.timezone.offset.sec"></a>*host.timezone.offset.sec* | *Timezone offset of the host in seconds.* | (use case) | long |  |
 | [host.id](../README.md#host.id)  | Unique host id. | core | keyword |  |
 | [event.module](../README.md#event.module)  | Name of the module this data is coming from. | core | keyword | `mysql` |
diff --git a/use-cases/web-logs.md b/use-cases/web-logs.md
index d70944b48c..57f9a96062 100644
--- a/use-cases/web-logs.md
+++ b/use-cases/web-logs.md
@@ -12,12 +12,12 @@ Using the fields as represented here is not expected to conflict with ECS, but m
 | [@timestamp](../README.md#@timestamp)  | Time at which the response was sent, and the web server log created. | core | date | `2016-05-23T08:05:34.853Z` |
 | <a name="http.&ast;"></a>*http.&ast;* | *Fields related to HTTP requests and responses.<br/>* |  |  |  |
 | [http.request.method](../README.md#http.request.method)  | Http request method. | extended | keyword | `GET, POST, PUT` |
-| [http.request.referrer](../README.md#http.request.referrer)  | Referrer for this HTTP request. | extended | wildcard | `https://blog.example.com/` |
+| [http.request.referrer](../README.md#http.request.referrer)  | Referrer for this HTTP request. | extended | keyword | `https://blog.example.com/` |
 | [http.response.status_code](../README.md#http.response.status_code)  | Http response status code. | extended | long | `404` |
-| [http.response.body.content](../README.md#http.response.body.content)  | The full http response body. | extended | wildcard | `Hello world` |
+| [http.response.body.content](../README.md#http.response.body.content)  | The full http response body. | extended | keyword | `Hello world` |
 | [http.version](../README.md#http.version)  | Http version. | extended | keyword | `1.1` |
 | <a name="user_agent.&ast;"></a>*user_agent.&ast;* | *The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string.<br/>* |  |  |  |
-| [user_agent.original](../README.md#user_agent.original)  | Unparsed version of the user_agent. | extended | wildcard | `Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1` |
+| [user_agent.original](../README.md#user_agent.original)  | Unparsed version of the user_agent. | extended | keyword | `Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1` |
 | <a name="user_agent.device"></a>*user_agent.device* | *Name of the physical device.* | (use case) | keyword |  |
 | [user_agent.version](../README.md#user_agent.version)  | Version of the physical device. | extended | keyword | `12.0` |
 | <a name="user_agent.major"></a>*user_agent.major* | *Major version of the user agent.* | (use case) | long |  |

From 324c0bc0e8fe1e1014bf2ffbbb28b8008d189355 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Tue, 2 Feb 2021 14:34:54 -0600
Subject: [PATCH 73/90] Add scaled_float type to go generator (#1250) (#1251)

* add scaled_float

* changelog
---
 CHANGELOG.next.md                  | 1 +
 scripts/cmd/gocodegen/gocodegen.go | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 90e3574f3f..bc78ca8138 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -33,6 +33,7 @@ Thanks, you're awesome :-) -->
 #### Bugfixes
 
 * Clean up `event.reference` description. #1181
+* Go code generator fails if `scaled_float` type is used. #1250
 
 #### Added
 
diff --git a/scripts/cmd/gocodegen/gocodegen.go b/scripts/cmd/gocodegen/gocodegen.go
index 8fff5ed5d9..4ec88739f9 100644
--- a/scripts/cmd/gocodegen/gocodegen.go
+++ b/scripts/cmd/gocodegen/gocodegen.go
@@ -280,7 +280,7 @@ func goDataType(fieldName, elasticsearchDataType string) string {
 		return "int64"
 	case "integer":
 		return "int32"
-	case "float":
+	case "float", "scaled_float":
 		return "float64"
 	case "date":
 		return "time.Time"

From c8aea733031d0f4919673ee8c3c43a2848e82c25 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Wed, 10 Feb 2021 15:00:38 -0600
Subject: [PATCH 74/90] Add categorization fields usage docs (#1242) (#1257)

---
 docs/field-values-usage.asciidoc  | 175 ++++++++++++++++++++++++++++++
 docs/field-values.asciidoc        |  10 ++
 scripts/templates/field_values.j2 |   9 ++
 3 files changed, 194 insertions(+)
 create mode 100644 docs/field-values-usage.asciidoc

diff --git a/docs/field-values-usage.asciidoc b/docs/field-values-usage.asciidoc
new file mode 100644
index 0000000000..88905ba3bc
--- /dev/null
+++ b/docs/field-values-usage.asciidoc
@@ -0,0 +1,175 @@
+[[ecs-using-the-categorization-fields]]
+=== Using the Categorization Fields
+
+The event categorization fields work together to identify and group similar events from multiple data sources.
+
+These general principles can help guide the categorization process:
+
+* Events from multiple data sources that are similar enough to be viewed or analyzed together, should fall into the same `event.category` field.
+* Both `event.category` and `event.type` are arrays and may be populated with multiple allowed values, if the event can be reasonably classified into more than one category and/or type.
+* `event.kind`, `event.category`, `event.type` and `event.outcome` all have allowed values. This is to normalize these fields. Values that aren't in the list of allowed values should not be used.
+* Values of `event.outcome` are a very limited set to indicate success or failure. Domain-specific actions, such as deny and allow, that could be considered outcomes are not
+  captured in the `event.outcome` field, but rather in the `event.type` and/or `event.action` fields.
+* Values of `event.category`, `event.type`, and `event.outcome` are consistent across all values of `event.kind`.
+* When a specific event doesn't fit into any of the defined allowed categorization values, the field should be left empty.
+
+The following examples detail populating the categorization fields and provides some context for the classification decisions.
+
+[float]
+==== Firewall blocking a network connection
+
+This event from a firewall describes a successfully blocked network connection:
+
+[source,json]
+----
+...
+  {
+    "source": {
+      "address": "10.42.42.42",
+      "ip": "10.42.42.42",
+      "port": 38842
+    },
+    "destination": {
+      "address": "10.42.42.1",
+      "ip": "10.42.42.1",
+      "port": 443
+    },
+    "rule": {
+      "name": "wan-lan",
+      "id": "default"
+    },
+    ...
+    "event": {
+      "kind": "event", <1>
+      "category": [ <2>
+        "network"
+      ],
+      "type": [ <3>
+        "connection",
+        "denied"
+      ],
+      "outcome": "success", <4>
+      "action": "dropped" <5>
+    }
+  }
+...
+----
+
+<1> Classifying as an `event`.
+<2> `event.category` categorizes this event as `network` activity.
+<3> The event was both an attempted network `connection` and was `denied`.
+<4> The blocking of this connection is expected. The outcome is a `success` from the perspective of the firewall emitting the event.
+<5> The firewall classifies this denied connection as `dropped`, and this value is captured in `event.action`.
+
+A "denied" network connection could fall under different action values: "blocked", "dropped", "quarantined", etc. The `event.action` field captures the action taken as described by the source, and populating `event.type:denied` provides an independent, normalized value.
+
+A single query will return all denied network connections which have been normalized with the same categorization values:
+
+[source,sh]
+----
+event.category:network AND event.type:denied
+----
+
+[float]
+==== Failed attempt to create a user account
+
+User `alice` attempts to add a user account, `bob`, into a directory service, but the action fails:
+
+[source,json]
+----
+{
+  "user": {
+    "name": "alice",
+    "target": {
+      "name": "bob"
+    }
+  },
+  "event": {
+    "kind": "event", <1>
+    "category": [ <2>
+      "iam"
+    ],
+    "type": [ <3>
+      "user",
+      "creation"
+    ],
+    "outcome": "failure" <4>
+  }
+}
+----
+
+<1> Again classifying as an `event`.
+<2> Categorized using `iam` for an event user account activity.
+<3> Both `user` and `creation`
+<4> The creation of a user account was attempted, but it was not successful.
+
+[float]
+==== Informational listing of a file
+
+A utility, such as a file integrity monitoring (FIM) application, takes inventory of a file but does not access or modify the file:
+
+[source,json]
+----
+{
+  "file": {
+    "name": "example.png",
+    "owner": "alice",
+    "path": "/home/alice/example.png",
+    "type": "file"
+  },
+  "event": {
+    "kind": "event", <1>
+    "category": [ <2>
+      "file"
+    ],
+    "type": [ <3>
+      "info"
+    ]
+  }
+}
+----
+
+<1> Classifying as `event`.
+<2> The event is reporting on a `file`.
+<3> The `info` type categorizes purely informational events. The target file here was not accessed or modified.
+
+The source data didn't include any context around the event's outcome, so `event.outcome` should not be populated.
+
+[float]
+=== Security application failed to block a network connection
+
+An intrusion detection system (IDS) attempts to block a connection but fails. The event emitted by the IDS is considered an alert:
+
+[source,json]
+----
+{
+  "source": {
+      "address": "10.42.42.42",
+      "ip": "10.42.42.42",
+      "port": 38842
+    },
+  "destination": {
+      "address": "10.42.42.1",
+      "ip": "10.42.42.1",
+      "port": 443
+  },
+  ...
+  "event": {
+    "kind": "alert", <1>
+    "category": [ <2>
+      "intrusion_detection",
+      "network"
+    ],
+    "type": [ <3>
+      "connection",
+      "denied"
+    ],
+    "outcome": "failure" <4>
+  }
+}
+----
+
+<1> The IDS emitted this event when a detection rule generated an alert. The `event.kind` is set to `alert`.
+<2> With the event emitted from a network IDS device, the event is categorized both as `network` and `intrusion_detection`.
+<3> The alert event is a `connection` that was `denied` by the IDS' configuration.
+<4> The IDS experienced an issue when attempting to deny the connection. Since the action taken by the IDS failed, the outcome is set as `failure`.
diff --git a/docs/field-values.asciidoc b/docs/field-values.asciidoc
index 2ff082fd3f..0b40b191ec 100644
--- a/docs/field-values.asciidoc
+++ b/docs/field-values.asciidoc
@@ -22,6 +22,13 @@ NOTE: If your events don't match any of these categorization values, you should
 leave the fields empty. This will ensure you can start populating the fields
 once the appropriate categorization values are published, in a later release.
 
+[float]
+[[ecs-category-usage]]
+=== Categorization Usage
+
+<<ecs-using-the-categorization-fields,Using the categorization fields>> contains examples combining the categorization fields to classify different types of events.
+
+
 [[ecs-allowed-values-event-kind]]
 === ECS Categorization Field: event.kind
 
@@ -517,3 +524,6 @@ Indicates that this event describes a successful result. A common example is `ev
 Indicates that this event describes only an attempt for which the result is unknown from the perspective of the event producer. For example, if the event contains information only about the request side of a transaction that results in a response, populating `event.outcome:unknown` in the request event is appropriate. The unknown value should not be used when an outcome doesn't make logical sense for the event. In such cases `event.outcome` should not be populated.
 
 
+
+
+include::field-values-usage.asciidoc[]
\ No newline at end of file
diff --git a/scripts/templates/field_values.j2 b/scripts/templates/field_values.j2
index 4789c00e09..488a2793e9 100644
--- a/scripts/templates/field_values.j2
+++ b/scripts/templates/field_values.j2
@@ -21,6 +21,13 @@ ECS defines four categorization fields for this purpose, each of which falls und
 NOTE: If your events don't match any of these categorization values, you should
 leave the fields empty. This will ensure you can start populating the fields
 once the appropriate categorization values are published, in a later release.
+
+[float]
+[[ecs-category-usage]]
+=== Categorization Usage
+
+<<ecs-using-the-categorization-fields,Using the categorization fields>> contains examples combining the categorization fields to classify different types of events.
+
 {% for field in fields %}
 [[ecs-allowed-values-{{ field['dashed_name'] }}]]
 === ECS Categorization Field: {{ field['flat_name'] }}
@@ -45,3 +52,5 @@ once the appropriate categorization values are published, in a later release.
 {% endif %}
 {% endfor %}
 {%- endfor %}
+
+include::field-values-usage.asciidoc[]

From 90db3126296b534bcfb860ff7a3e6f4e30e9e346 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Wed, 10 Feb 2021 15:28:43 -0600
Subject: [PATCH 75/90] add time_zone, postal_code, and continent_code (#1229)
 (#1258)

---
 CHANGELOG.next.md                             |   1 +
 code/go/ecs/geo.go                            |  11 +
 docs/field-details.asciidoc                   |  50 ++++
 experimental/generated/beats/fields.ecs.yml   | 168 +++++++++++
 experimental/generated/csv/fields.csv         |  18 ++
 experimental/generated/ecs/ecs_flat.yml       | 234 +++++++++++++++
 experimental/generated/ecs/ecs_nested.yml     | 270 ++++++++++++++++++
 .../generated/elasticsearch/7/template.json   |  72 +++++
 .../elasticsearch/component/client.json       |  12 +
 .../elasticsearch/component/destination.json  |  12 +
 .../elasticsearch/component/host.json         |  12 +
 .../elasticsearch/component/observer.json     |  12 +
 .../elasticsearch/component/server.json       |  12 +
 .../elasticsearch/component/source.json       |  12 +
 generated/beats/fields.ecs.yml                | 168 +++++++++++
 generated/csv/fields.csv                      |  18 ++
 generated/ecs/ecs_flat.yml                    | 234 +++++++++++++++
 generated/ecs/ecs_nested.yml                  | 270 ++++++++++++++++++
 generated/elasticsearch/6/template.json       |  72 +++++
 generated/elasticsearch/7/template.json       |  72 +++++
 generated/elasticsearch/component/client.json |  12 +
 .../elasticsearch/component/destination.json  |  12 +
 generated/elasticsearch/component/host.json   |  12 +
 .../elasticsearch/component/observer.json     |  12 +
 generated/elasticsearch/component/server.json |  12 +
 generated/elasticsearch/component/source.json |  12 +
 schemas/geo.yml                               |  28 ++
 27 files changed, 1830 insertions(+)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index bc78ca8138..0cad5ab971 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -20,6 +20,7 @@ Thanks, you're awesome :-) -->
 * Added `http.request.id`. #1208
 * Added `cloud.service.name`. #1204
 * Added `hash.ssdeep`. #1169
+* Added `geo.timezone`, `geo.postal_code`, and `geo.continent_code`. #1229
 
 #### Improvements
 
diff --git a/code/go/ecs/geo.go b/code/go/ecs/geo.go
index 89bfd81704..4033ac1d57 100644
--- a/code/go/ecs/geo.go
+++ b/code/go/ecs/geo.go
@@ -26,6 +26,9 @@ type Geo struct {
 	// Longitude and latitude.
 	Location string `ecs:"location"`
 
+	// Two-letter code representing continent's name.
+	ContinentCode string `ecs:"continent_code"`
+
 	// Name of the continent.
 	ContinentName string `ecs:"continent_name"`
 
@@ -41,9 +44,17 @@ type Geo struct {
 	// Country ISO code.
 	CountryIsoCode string `ecs:"country_iso_code"`
 
+	// Postal code associated with the location.
+	// Values appropriate for this field may also be known as a postcode or ZIP
+	// code and will vary widely from country to country.
+	PostalCode string `ecs:"postal_code"`
+
 	// Region ISO code.
 	RegionIsoCode string `ecs:"region_iso_code"`
 
+	// The time zone of the location, such as IANA time zone name.
+	Timezone string `ecs:"timezone"`
+
 	// User-defined description of a location, at the level of granularity they
 	// care about.
 	// Could be the name of their data centers, the floor number, if this
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index b1d4dbe8be..64379b2aaf 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -2788,6 +2788,22 @@ example: `Montreal`
 
 // ===============================================================
 
+|
+[[field-geo-continent-code]]
+<<field-geo-continent-code, geo.continent_code>>
+
+| Two-letter code representing continent's name.
+
+type: keyword
+
+
+
+example: `NA`
+
+| core
+
+// ===============================================================
+
 |
 [[field-geo-continent-name]]
 <<field-geo-continent-name, geo.continent_name>>
@@ -2872,6 +2888,24 @@ example: `boston-dc`
 
 // ===============================================================
 
+|
+[[field-geo-postal-code]]
+<<field-geo-postal-code, geo.postal_code>>
+
+| Postal code associated with the location.
+
+Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+
+
+example: `94040`
+
+| core
+
+// ===============================================================
+
 |
 [[field-geo-region-iso-code]]
 <<field-geo-region-iso-code, geo.region_iso_code>>
@@ -2904,6 +2938,22 @@ example: `Quebec`
 
 // ===============================================================
 
+|
+[[field-geo-timezone]]
+<<field-geo-timezone, geo.timezone>>
+
+| The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+
+
+example: `America/Argentina/Buenos_Aires`
+
+| core
+
+// ===============================================================
+
 |=====
 
 [discrete]
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index 23727e859f..8a88804d62 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -205,6 +205,13 @@
       ignore_above: 1024
       description: City name.
       example: Montreal
+    - name: geo.continent_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Two-letter code representing continent's name.
+      example: NA
+      default_field: false
     - name: geo.continent_name
       level: core
       type: keyword
@@ -239,6 +246,16 @@
 
         Not typically used in automated geolocation.'
       example: boston-dc
+    - name: geo.postal_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      default_field: false
     - name: geo.region_iso_code
       level: core
       type: keyword
@@ -251,6 +268,13 @@
       ignore_above: 1024
       description: Region name.
       example: Quebec
+    - name: geo.timezone
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      default_field: false
     - name: ip
       level: core
       type: ip
@@ -683,6 +707,13 @@
       ignore_above: 1024
       description: City name.
       example: Montreal
+    - name: geo.continent_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Two-letter code representing continent's name.
+      example: NA
+      default_field: false
     - name: geo.continent_name
       level: core
       type: keyword
@@ -717,6 +748,16 @@
 
         Not typically used in automated geolocation.'
       example: boston-dc
+    - name: geo.postal_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      default_field: false
     - name: geo.region_iso_code
       level: core
       type: keyword
@@ -729,6 +770,13 @@
       ignore_above: 1024
       description: Region name.
       example: Quebec
+    - name: geo.timezone
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      default_field: false
     - name: ip
       level: core
       type: ip
@@ -2007,6 +2055,13 @@
       ignore_above: 1024
       description: City name.
       example: Montreal
+    - name: continent_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Two-letter code representing continent's name.
+      example: NA
+      default_field: false
     - name: continent_name
       level: core
       type: keyword
@@ -2041,6 +2096,16 @@
 
         Not typically used in automated geolocation.'
       example: boston-dc
+    - name: postal_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      default_field: false
     - name: region_iso_code
       level: core
       type: keyword
@@ -2053,6 +2118,13 @@
       ignore_above: 1024
       description: Region name.
       example: Quebec
+    - name: timezone
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      default_field: false
   - name: group
     title: Group
     group: 2
@@ -2173,6 +2245,13 @@
       ignore_above: 1024
       description: City name.
       example: Montreal
+    - name: geo.continent_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Two-letter code representing continent's name.
+      example: NA
+      default_field: false
     - name: geo.continent_name
       level: core
       type: keyword
@@ -2207,6 +2286,16 @@
 
         Not typically used in automated geolocation.'
       example: boston-dc
+    - name: geo.postal_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      default_field: false
     - name: geo.region_iso_code
       level: core
       type: keyword
@@ -2219,6 +2308,13 @@
       ignore_above: 1024
       description: Region name.
       example: Quebec
+    - name: geo.timezone
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      default_field: false
     - name: hostname
       level: core
       type: wildcard
@@ -2925,6 +3021,13 @@
       ignore_above: 1024
       description: City name.
       example: Montreal
+    - name: geo.continent_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Two-letter code representing continent's name.
+      example: NA
+      default_field: false
     - name: geo.continent_name
       level: core
       type: keyword
@@ -2959,6 +3062,16 @@
 
         Not typically used in automated geolocation.'
       example: boston-dc
+    - name: geo.postal_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      default_field: false
     - name: geo.region_iso_code
       level: core
       type: keyword
@@ -2971,6 +3084,13 @@
       ignore_above: 1024
       description: Region name.
       example: Quebec
+    - name: geo.timezone
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      default_field: false
     - name: hostname
       level: core
       type: keyword
@@ -4183,6 +4303,13 @@
       ignore_above: 1024
       description: City name.
       example: Montreal
+    - name: geo.continent_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Two-letter code representing continent's name.
+      example: NA
+      default_field: false
     - name: geo.continent_name
       level: core
       type: keyword
@@ -4217,6 +4344,16 @@
 
         Not typically used in automated geolocation.'
       example: boston-dc
+    - name: geo.postal_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      default_field: false
     - name: geo.region_iso_code
       level: core
       type: keyword
@@ -4229,6 +4366,13 @@
       ignore_above: 1024
       description: Region name.
       example: Quebec
+    - name: geo.timezone
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      default_field: false
     - name: ip
       level: core
       type: ip
@@ -4512,6 +4656,13 @@
       ignore_above: 1024
       description: City name.
       example: Montreal
+    - name: geo.continent_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Two-letter code representing continent's name.
+      example: NA
+      default_field: false
     - name: geo.continent_name
       level: core
       type: keyword
@@ -4546,6 +4697,16 @@
 
         Not typically used in automated geolocation.'
       example: boston-dc
+    - name: geo.postal_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      default_field: false
     - name: geo.region_iso_code
       level: core
       type: keyword
@@ -4558,6 +4719,13 @@
       ignore_above: 1024
       description: Region name.
       example: Quebec
+    - name: geo.timezone
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      default_field: false
     - name: ip
       level: core
       type: ip
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
index d7cded544d..cc2fce2539 100644
--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -16,13 +16,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server.
 1.9.0-dev+exp,true,client,client.domain,wildcard,core,,,Client domain.
 1.9.0-dev+exp,true,client,client.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0-dev+exp,true,client,client.geo.continent_code,keyword,core,,NA,Continent code.
 1.9.0-dev+exp,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent.
 1.9.0-dev+exp,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code.
 1.9.0-dev+exp,true,client,client.geo.country_name,keyword,core,,Canada,Country name.
 1.9.0-dev+exp,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
 1.9.0-dev+exp,true,client,client.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.9.0-dev+exp,true,client,client.geo.postal_code,keyword,core,,94040,Postal code.
 1.9.0-dev+exp,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
 1.9.0-dev+exp,true,client,client.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0-dev+exp,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
 1.9.0-dev+exp,true,client,client.ip,ip,core,,,IP address of the client.
 1.9.0-dev+exp,true,client,client.mac,keyword,core,,,MAC address of the client.
 1.9.0-dev+exp,true,client,client.nat.ip,ip,extended,,,Client NAT ip address
@@ -71,13 +74,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source.
 1.9.0-dev+exp,true,destination,destination.domain,wildcard,core,,,Destination domain.
 1.9.0-dev+exp,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0-dev+exp,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code.
 1.9.0-dev+exp,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent.
 1.9.0-dev+exp,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code.
 1.9.0-dev+exp,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name.
 1.9.0-dev+exp,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
 1.9.0-dev+exp,true,destination,destination.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.9.0-dev+exp,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code.
 1.9.0-dev+exp,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
 1.9.0-dev+exp,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0-dev+exp,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
 1.9.0-dev+exp,true,destination,destination.ip,ip,core,,,IP address of the destination.
 1.9.0-dev+exp,true,destination,destination.mac,keyword,core,,,MAC address of the destination.
 1.9.0-dev+exp,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip
@@ -241,13 +247,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks.
 1.9.0-dev+exp,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of.
 1.9.0-dev+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0-dev+exp,true,host,host.geo.continent_code,keyword,core,,NA,Continent code.
 1.9.0-dev+exp,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent.
 1.9.0-dev+exp,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code.
 1.9.0-dev+exp,true,host,host.geo.country_name,keyword,core,,Canada,Country name.
 1.9.0-dev+exp,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
 1.9.0-dev+exp,true,host,host.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.9.0-dev+exp,true,host,host.geo.postal_code,keyword,core,,94040,Postal code.
 1.9.0-dev+exp,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
 1.9.0-dev+exp,true,host,host.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0-dev+exp,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
 1.9.0-dev+exp,true,host,host.hostname,wildcard,core,,,Hostname of the host.
 1.9.0-dev+exp,true,host,host.id,keyword,core,,,Unique host id.
 1.9.0-dev+exp,true,host,host.ip,ip,core,array,,Host ip addresses.
@@ -332,13 +341,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
 1.9.0-dev+exp,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone
 1.9.0-dev+exp,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0-dev+exp,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code.
 1.9.0-dev+exp,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent.
 1.9.0-dev+exp,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code.
 1.9.0-dev+exp,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name.
 1.9.0-dev+exp,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
 1.9.0-dev+exp,true,observer,observer.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.9.0-dev+exp,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code.
 1.9.0-dev+exp,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
 1.9.0-dev+exp,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0-dev+exp,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
 1.9.0-dev+exp,true,observer,observer.hostname,keyword,core,,,Hostname of the observer.
 1.9.0-dev+exp,true,observer,observer.ingress,object,extended,,,Object field for ingress information
 1.9.0-dev+exp,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias
@@ -484,13 +496,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client.
 1.9.0-dev+exp,true,server,server.domain,wildcard,core,,,Server domain.
 1.9.0-dev+exp,true,server,server.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0-dev+exp,true,server,server.geo.continent_code,keyword,core,,NA,Continent code.
 1.9.0-dev+exp,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent.
 1.9.0-dev+exp,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code.
 1.9.0-dev+exp,true,server,server.geo.country_name,keyword,core,,Canada,Country name.
 1.9.0-dev+exp,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
 1.9.0-dev+exp,true,server,server.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.9.0-dev+exp,true,server,server.geo.postal_code,keyword,core,,94040,Postal code.
 1.9.0-dev+exp,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
 1.9.0-dev+exp,true,server,server.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0-dev+exp,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
 1.9.0-dev+exp,true,server,server.ip,ip,core,,,IP address of the server.
 1.9.0-dev+exp,true,server,server.mac,keyword,core,,,MAC address of the server.
 1.9.0-dev+exp,true,server,server.nat.ip,ip,extended,,,Server NAT ip
@@ -526,13 +541,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination.
 1.9.0-dev+exp,true,source,source.domain,wildcard,core,,,Source domain.
 1.9.0-dev+exp,true,source,source.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0-dev+exp,true,source,source.geo.continent_code,keyword,core,,NA,Continent code.
 1.9.0-dev+exp,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent.
 1.9.0-dev+exp,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code.
 1.9.0-dev+exp,true,source,source.geo.country_name,keyword,core,,Canada,Country name.
 1.9.0-dev+exp,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
 1.9.0-dev+exp,true,source,source.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.9.0-dev+exp,true,source,source.geo.postal_code,keyword,core,,94040,Postal code.
 1.9.0-dev+exp,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
 1.9.0-dev+exp,true,source,source.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0-dev+exp,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
 1.9.0-dev+exp,true,source,source.ip,ip,core,,,IP address of the source.
 1.9.0-dev+exp,true,source,source.mac,keyword,core,,,MAC address of the source.
 1.9.0-dev+exp,true,source,source.nat.ip,ip,extended,,,Source NAT ip
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index 4cab1099ae..2b4dc2772b 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -175,6 +175,18 @@ client.geo.city_name:
   original_fieldset: geo
   short: City name.
   type: keyword
+client.geo.continent_code:
+  dashed_name: client-geo-continent-code
+  description: Two-letter code representing continent's name.
+  example: NA
+  flat_name: client.geo.continent_code
+  ignore_above: 1024
+  level: core
+  name: continent_code
+  normalize: []
+  original_fieldset: geo
+  short: Continent code.
+  type: keyword
 client.geo.continent_name:
   dashed_name: client-geo-continent-name
   description: Name of the continent.
@@ -239,6 +251,21 @@ client.geo.name:
   original_fieldset: geo
   short: User-defined description of a location.
   type: wildcard
+client.geo.postal_code:
+  dashed_name: client-geo-postal-code
+  description: 'Postal code associated with the location.
+
+    Values appropriate for this field may also be known as a postcode or ZIP code
+    and will vary widely from country to country.'
+  example: 94040
+  flat_name: client.geo.postal_code
+  ignore_above: 1024
+  level: core
+  name: postal_code
+  normalize: []
+  original_fieldset: geo
+  short: Postal code.
+  type: keyword
 client.geo.region_iso_code:
   dashed_name: client-geo-region-iso-code
   description: Region ISO code.
@@ -263,6 +290,18 @@ client.geo.region_name:
   original_fieldset: geo
   short: Region name.
   type: keyword
+client.geo.timezone:
+  dashed_name: client-geo-timezone
+  description: The time zone of the location, such as IANA time zone name.
+  example: America/Argentina/Buenos_Aires
+  flat_name: client.geo.timezone
+  ignore_above: 1024
+  level: core
+  name: timezone
+  normalize: []
+  original_fieldset: geo
+  short: Time zone.
+  type: keyword
 client.ip:
   dashed_name: client-ip
   description: IP address of the client (IPv4 or IPv6).
@@ -825,6 +864,18 @@ destination.geo.city_name:
   original_fieldset: geo
   short: City name.
   type: keyword
+destination.geo.continent_code:
+  dashed_name: destination-geo-continent-code
+  description: Two-letter code representing continent's name.
+  example: NA
+  flat_name: destination.geo.continent_code
+  ignore_above: 1024
+  level: core
+  name: continent_code
+  normalize: []
+  original_fieldset: geo
+  short: Continent code.
+  type: keyword
 destination.geo.continent_name:
   dashed_name: destination-geo-continent-name
   description: Name of the continent.
@@ -889,6 +940,21 @@ destination.geo.name:
   original_fieldset: geo
   short: User-defined description of a location.
   type: wildcard
+destination.geo.postal_code:
+  dashed_name: destination-geo-postal-code
+  description: 'Postal code associated with the location.
+
+    Values appropriate for this field may also be known as a postcode or ZIP code
+    and will vary widely from country to country.'
+  example: 94040
+  flat_name: destination.geo.postal_code
+  ignore_above: 1024
+  level: core
+  name: postal_code
+  normalize: []
+  original_fieldset: geo
+  short: Postal code.
+  type: keyword
 destination.geo.region_iso_code:
   dashed_name: destination-geo-region-iso-code
   description: Region ISO code.
@@ -913,6 +979,18 @@ destination.geo.region_name:
   original_fieldset: geo
   short: Region name.
   type: keyword
+destination.geo.timezone:
+  dashed_name: destination-geo-timezone
+  description: The time zone of the location, such as IANA time zone name.
+  example: America/Argentina/Buenos_Aires
+  flat_name: destination.geo.timezone
+  ignore_above: 1024
+  level: core
+  name: timezone
+  normalize: []
+  original_fieldset: geo
+  short: Time zone.
+  type: keyword
 destination.ip:
   dashed_name: destination-ip
   description: IP address of the destination (IPv4 or IPv6).
@@ -3326,6 +3404,18 @@ host.geo.city_name:
   original_fieldset: geo
   short: City name.
   type: keyword
+host.geo.continent_code:
+  dashed_name: host-geo-continent-code
+  description: Two-letter code representing continent's name.
+  example: NA
+  flat_name: host.geo.continent_code
+  ignore_above: 1024
+  level: core
+  name: continent_code
+  normalize: []
+  original_fieldset: geo
+  short: Continent code.
+  type: keyword
 host.geo.continent_name:
   dashed_name: host-geo-continent-name
   description: Name of the continent.
@@ -3390,6 +3480,21 @@ host.geo.name:
   original_fieldset: geo
   short: User-defined description of a location.
   type: wildcard
+host.geo.postal_code:
+  dashed_name: host-geo-postal-code
+  description: 'Postal code associated with the location.
+
+    Values appropriate for this field may also be known as a postcode or ZIP code
+    and will vary widely from country to country.'
+  example: 94040
+  flat_name: host.geo.postal_code
+  ignore_above: 1024
+  level: core
+  name: postal_code
+  normalize: []
+  original_fieldset: geo
+  short: Postal code.
+  type: keyword
 host.geo.region_iso_code:
   dashed_name: host-geo-region-iso-code
   description: Region ISO code.
@@ -3414,6 +3519,18 @@ host.geo.region_name:
   original_fieldset: geo
   short: Region name.
   type: keyword
+host.geo.timezone:
+  dashed_name: host-geo-timezone
+  description: The time zone of the location, such as IANA time zone name.
+  example: America/Argentina/Buenos_Aires
+  flat_name: host.geo.timezone
+  ignore_above: 1024
+  level: core
+  name: timezone
+  normalize: []
+  original_fieldset: geo
+  short: Time zone.
+  type: keyword
 host.hostname:
   dashed_name: host-hostname
   description: 'Hostname of the host.
@@ -4462,6 +4579,18 @@ observer.geo.city_name:
   original_fieldset: geo
   short: City name.
   type: keyword
+observer.geo.continent_code:
+  dashed_name: observer-geo-continent-code
+  description: Two-letter code representing continent's name.
+  example: NA
+  flat_name: observer.geo.continent_code
+  ignore_above: 1024
+  level: core
+  name: continent_code
+  normalize: []
+  original_fieldset: geo
+  short: Continent code.
+  type: keyword
 observer.geo.continent_name:
   dashed_name: observer-geo-continent-name
   description: Name of the continent.
@@ -4526,6 +4655,21 @@ observer.geo.name:
   original_fieldset: geo
   short: User-defined description of a location.
   type: wildcard
+observer.geo.postal_code:
+  dashed_name: observer-geo-postal-code
+  description: 'Postal code associated with the location.
+
+    Values appropriate for this field may also be known as a postcode or ZIP code
+    and will vary widely from country to country.'
+  example: 94040
+  flat_name: observer.geo.postal_code
+  ignore_above: 1024
+  level: core
+  name: postal_code
+  normalize: []
+  original_fieldset: geo
+  short: Postal code.
+  type: keyword
 observer.geo.region_iso_code:
   dashed_name: observer-geo-region-iso-code
   description: Region ISO code.
@@ -4550,6 +4694,18 @@ observer.geo.region_name:
   original_fieldset: geo
   short: Region name.
   type: keyword
+observer.geo.timezone:
+  dashed_name: observer-geo-timezone
+  description: The time zone of the location, such as IANA time zone name.
+  example: America/Argentina/Buenos_Aires
+  flat_name: observer.geo.timezone
+  ignore_above: 1024
+  level: core
+  name: timezone
+  normalize: []
+  original_fieldset: geo
+  short: Time zone.
+  type: keyword
 observer.hostname:
   dashed_name: observer-hostname
   description: Hostname of the observer.
@@ -6208,6 +6364,18 @@ server.geo.city_name:
   original_fieldset: geo
   short: City name.
   type: keyword
+server.geo.continent_code:
+  dashed_name: server-geo-continent-code
+  description: Two-letter code representing continent's name.
+  example: NA
+  flat_name: server.geo.continent_code
+  ignore_above: 1024
+  level: core
+  name: continent_code
+  normalize: []
+  original_fieldset: geo
+  short: Continent code.
+  type: keyword
 server.geo.continent_name:
   dashed_name: server-geo-continent-name
   description: Name of the continent.
@@ -6272,6 +6440,21 @@ server.geo.name:
   original_fieldset: geo
   short: User-defined description of a location.
   type: wildcard
+server.geo.postal_code:
+  dashed_name: server-geo-postal-code
+  description: 'Postal code associated with the location.
+
+    Values appropriate for this field may also be known as a postcode or ZIP code
+    and will vary widely from country to country.'
+  example: 94040
+  flat_name: server.geo.postal_code
+  ignore_above: 1024
+  level: core
+  name: postal_code
+  normalize: []
+  original_fieldset: geo
+  short: Postal code.
+  type: keyword
 server.geo.region_iso_code:
   dashed_name: server-geo-region-iso-code
   description: Region ISO code.
@@ -6296,6 +6479,18 @@ server.geo.region_name:
   original_fieldset: geo
   short: Region name.
   type: keyword
+server.geo.timezone:
+  dashed_name: server-geo-timezone
+  description: The time zone of the location, such as IANA time zone name.
+  example: America/Argentina/Buenos_Aires
+  flat_name: server.geo.timezone
+  ignore_above: 1024
+  level: core
+  name: timezone
+  normalize: []
+  original_fieldset: geo
+  short: Time zone.
+  type: keyword
 server.ip:
   dashed_name: server-ip
   description: IP address of the server (IPv4 or IPv6).
@@ -6727,6 +6922,18 @@ source.geo.city_name:
   original_fieldset: geo
   short: City name.
   type: keyword
+source.geo.continent_code:
+  dashed_name: source-geo-continent-code
+  description: Two-letter code representing continent's name.
+  example: NA
+  flat_name: source.geo.continent_code
+  ignore_above: 1024
+  level: core
+  name: continent_code
+  normalize: []
+  original_fieldset: geo
+  short: Continent code.
+  type: keyword
 source.geo.continent_name:
   dashed_name: source-geo-continent-name
   description: Name of the continent.
@@ -6791,6 +6998,21 @@ source.geo.name:
   original_fieldset: geo
   short: User-defined description of a location.
   type: wildcard
+source.geo.postal_code:
+  dashed_name: source-geo-postal-code
+  description: 'Postal code associated with the location.
+
+    Values appropriate for this field may also be known as a postcode or ZIP code
+    and will vary widely from country to country.'
+  example: 94040
+  flat_name: source.geo.postal_code
+  ignore_above: 1024
+  level: core
+  name: postal_code
+  normalize: []
+  original_fieldset: geo
+  short: Postal code.
+  type: keyword
 source.geo.region_iso_code:
   dashed_name: source-geo-region-iso-code
   description: Region ISO code.
@@ -6815,6 +7037,18 @@ source.geo.region_name:
   original_fieldset: geo
   short: Region name.
   type: keyword
+source.geo.timezone:
+  dashed_name: source-geo-timezone
+  description: The time zone of the location, such as IANA time zone name.
+  example: America/Argentina/Buenos_Aires
+  flat_name: source.geo.timezone
+  ignore_above: 1024
+  level: core
+  name: timezone
+  normalize: []
+  original_fieldset: geo
+  short: Time zone.
+  type: keyword
 source.ip:
   dashed_name: source-ip
   description: IP address of the source (IPv4 or IPv6).
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index ef1e3567d2..878d68757c 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -320,6 +320,18 @@ client:
       original_fieldset: geo
       short: City name.
       type: keyword
+    client.geo.continent_code:
+      dashed_name: client-geo-continent-code
+      description: Two-letter code representing continent's name.
+      example: NA
+      flat_name: client.geo.continent_code
+      ignore_above: 1024
+      level: core
+      name: continent_code
+      normalize: []
+      original_fieldset: geo
+      short: Continent code.
+      type: keyword
     client.geo.continent_name:
       dashed_name: client-geo-continent-name
       description: Name of the continent.
@@ -384,6 +396,21 @@ client:
       original_fieldset: geo
       short: User-defined description of a location.
       type: wildcard
+    client.geo.postal_code:
+      dashed_name: client-geo-postal-code
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      flat_name: client.geo.postal_code
+      ignore_above: 1024
+      level: core
+      name: postal_code
+      normalize: []
+      original_fieldset: geo
+      short: Postal code.
+      type: keyword
     client.geo.region_iso_code:
       dashed_name: client-geo-region-iso-code
       description: Region ISO code.
@@ -408,6 +435,18 @@ client:
       original_fieldset: geo
       short: Region name.
       type: keyword
+    client.geo.timezone:
+      dashed_name: client-geo-timezone
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      flat_name: client.geo.timezone
+      ignore_above: 1024
+      level: core
+      name: timezone
+      normalize: []
+      original_fieldset: geo
+      short: Time zone.
+      type: keyword
     client.ip:
       dashed_name: client-ip
       description: IP address of the client (IPv4 or IPv6).
@@ -1135,6 +1174,18 @@ destination:
       original_fieldset: geo
       short: City name.
       type: keyword
+    destination.geo.continent_code:
+      dashed_name: destination-geo-continent-code
+      description: Two-letter code representing continent's name.
+      example: NA
+      flat_name: destination.geo.continent_code
+      ignore_above: 1024
+      level: core
+      name: continent_code
+      normalize: []
+      original_fieldset: geo
+      short: Continent code.
+      type: keyword
     destination.geo.continent_name:
       dashed_name: destination-geo-continent-name
       description: Name of the continent.
@@ -1199,6 +1250,21 @@ destination:
       original_fieldset: geo
       short: User-defined description of a location.
       type: wildcard
+    destination.geo.postal_code:
+      dashed_name: destination-geo-postal-code
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      flat_name: destination.geo.postal_code
+      ignore_above: 1024
+      level: core
+      name: postal_code
+      normalize: []
+      original_fieldset: geo
+      short: Postal code.
+      type: keyword
     destination.geo.region_iso_code:
       dashed_name: destination-geo-region-iso-code
       description: Region ISO code.
@@ -1223,6 +1289,18 @@ destination:
       original_fieldset: geo
       short: Region name.
       type: keyword
+    destination.geo.timezone:
+      dashed_name: destination-geo-timezone
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      flat_name: destination.geo.timezone
+      ignore_above: 1024
+      level: core
+      name: timezone
+      normalize: []
+      original_fieldset: geo
+      short: Time zone.
+      type: keyword
     destination.ip:
       dashed_name: destination-ip
       description: IP address of the destination (IPv4 or IPv6).
@@ -3711,6 +3789,17 @@ geo:
       normalize: []
       short: City name.
       type: keyword
+    geo.continent_code:
+      dashed_name: geo-continent-code
+      description: Two-letter code representing continent's name.
+      example: NA
+      flat_name: geo.continent_code
+      ignore_above: 1024
+      level: core
+      name: continent_code
+      normalize: []
+      short: Continent code.
+      type: keyword
     geo.continent_name:
       dashed_name: geo-continent-name
       description: Name of the continent.
@@ -3770,6 +3859,20 @@ geo:
       normalize: []
       short: User-defined description of a location.
       type: wildcard
+    geo.postal_code:
+      dashed_name: geo-postal-code
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      flat_name: geo.postal_code
+      ignore_above: 1024
+      level: core
+      name: postal_code
+      normalize: []
+      short: Postal code.
+      type: keyword
     geo.region_iso_code:
       dashed_name: geo-region-iso-code
       description: Region ISO code.
@@ -3792,6 +3895,17 @@ geo:
       normalize: []
       short: Region name.
       type: keyword
+    geo.timezone:
+      dashed_name: geo-timezone
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      flat_name: geo.timezone
+      ignore_above: 1024
+      level: core
+      name: timezone
+      normalize: []
+      short: Time zone.
+      type: keyword
   group: 2
   name: geo
   prefix: geo.
@@ -4026,6 +4140,18 @@ host:
       original_fieldset: geo
       short: City name.
       type: keyword
+    host.geo.continent_code:
+      dashed_name: host-geo-continent-code
+      description: Two-letter code representing continent's name.
+      example: NA
+      flat_name: host.geo.continent_code
+      ignore_above: 1024
+      level: core
+      name: continent_code
+      normalize: []
+      original_fieldset: geo
+      short: Continent code.
+      type: keyword
     host.geo.continent_name:
       dashed_name: host-geo-continent-name
       description: Name of the continent.
@@ -4090,6 +4216,21 @@ host:
       original_fieldset: geo
       short: User-defined description of a location.
       type: wildcard
+    host.geo.postal_code:
+      dashed_name: host-geo-postal-code
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      flat_name: host.geo.postal_code
+      ignore_above: 1024
+      level: core
+      name: postal_code
+      normalize: []
+      original_fieldset: geo
+      short: Postal code.
+      type: keyword
     host.geo.region_iso_code:
       dashed_name: host-geo-region-iso-code
       description: Region ISO code.
@@ -4114,6 +4255,18 @@ host:
       original_fieldset: geo
       short: Region name.
       type: keyword
+    host.geo.timezone:
+      dashed_name: host-geo-timezone
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      flat_name: host.geo.timezone
+      ignore_above: 1024
+      level: core
+      name: timezone
+      normalize: []
+      original_fieldset: geo
+      short: Time zone.
+      type: keyword
     host.hostname:
       dashed_name: host-hostname
       description: 'Hostname of the host.
@@ -5280,6 +5433,18 @@ observer:
       original_fieldset: geo
       short: City name.
       type: keyword
+    observer.geo.continent_code:
+      dashed_name: observer-geo-continent-code
+      description: Two-letter code representing continent's name.
+      example: NA
+      flat_name: observer.geo.continent_code
+      ignore_above: 1024
+      level: core
+      name: continent_code
+      normalize: []
+      original_fieldset: geo
+      short: Continent code.
+      type: keyword
     observer.geo.continent_name:
       dashed_name: observer-geo-continent-name
       description: Name of the continent.
@@ -5344,6 +5509,21 @@ observer:
       original_fieldset: geo
       short: User-defined description of a location.
       type: wildcard
+    observer.geo.postal_code:
+      dashed_name: observer-geo-postal-code
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      flat_name: observer.geo.postal_code
+      ignore_above: 1024
+      level: core
+      name: postal_code
+      normalize: []
+      original_fieldset: geo
+      short: Postal code.
+      type: keyword
     observer.geo.region_iso_code:
       dashed_name: observer-geo-region-iso-code
       description: Region ISO code.
@@ -5368,6 +5548,18 @@ observer:
       original_fieldset: geo
       short: Region name.
       type: keyword
+    observer.geo.timezone:
+      dashed_name: observer-geo-timezone
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      flat_name: observer.geo.timezone
+      ignore_above: 1024
+      level: core
+      name: timezone
+      normalize: []
+      original_fieldset: geo
+      short: Time zone.
+      type: keyword
     observer.hostname:
       dashed_name: observer-hostname
       description: Hostname of the observer.
@@ -7399,6 +7591,18 @@ server:
       original_fieldset: geo
       short: City name.
       type: keyword
+    server.geo.continent_code:
+      dashed_name: server-geo-continent-code
+      description: Two-letter code representing continent's name.
+      example: NA
+      flat_name: server.geo.continent_code
+      ignore_above: 1024
+      level: core
+      name: continent_code
+      normalize: []
+      original_fieldset: geo
+      short: Continent code.
+      type: keyword
     server.geo.continent_name:
       dashed_name: server-geo-continent-name
       description: Name of the continent.
@@ -7463,6 +7667,21 @@ server:
       original_fieldset: geo
       short: User-defined description of a location.
       type: wildcard
+    server.geo.postal_code:
+      dashed_name: server-geo-postal-code
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      flat_name: server.geo.postal_code
+      ignore_above: 1024
+      level: core
+      name: postal_code
+      normalize: []
+      original_fieldset: geo
+      short: Postal code.
+      type: keyword
     server.geo.region_iso_code:
       dashed_name: server-geo-region-iso-code
       description: Region ISO code.
@@ -7487,6 +7706,18 @@ server:
       original_fieldset: geo
       short: Region name.
       type: keyword
+    server.geo.timezone:
+      dashed_name: server-geo-timezone
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      flat_name: server.geo.timezone
+      ignore_above: 1024
+      level: core
+      name: timezone
+      normalize: []
+      original_fieldset: geo
+      short: Time zone.
+      type: keyword
     server.ip:
       dashed_name: server-ip
       description: IP address of the server (IPv4 or IPv6).
@@ -7962,6 +8193,18 @@ source:
       original_fieldset: geo
       short: City name.
       type: keyword
+    source.geo.continent_code:
+      dashed_name: source-geo-continent-code
+      description: Two-letter code representing continent's name.
+      example: NA
+      flat_name: source.geo.continent_code
+      ignore_above: 1024
+      level: core
+      name: continent_code
+      normalize: []
+      original_fieldset: geo
+      short: Continent code.
+      type: keyword
     source.geo.continent_name:
       dashed_name: source-geo-continent-name
       description: Name of the continent.
@@ -8026,6 +8269,21 @@ source:
       original_fieldset: geo
       short: User-defined description of a location.
       type: wildcard
+    source.geo.postal_code:
+      dashed_name: source-geo-postal-code
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      flat_name: source.geo.postal_code
+      ignore_above: 1024
+      level: core
+      name: postal_code
+      normalize: []
+      original_fieldset: geo
+      short: Postal code.
+      type: keyword
     source.geo.region_iso_code:
       dashed_name: source-geo-region-iso-code
       description: Region ISO code.
@@ -8050,6 +8308,18 @@ source:
       original_fieldset: geo
       short: Region name.
       type: keyword
+    source.geo.timezone:
+      dashed_name: source-geo-timezone
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      flat_name: source.geo.timezone
+      ignore_above: 1024
+      level: core
+      name: timezone
+      normalize: []
+      original_fieldset: geo
+      short: Time zone.
+      type: keyword
     source.ip:
       dashed_name: source-ip
       description: IP address of the source (IPv4 or IPv6).
diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json
index aebee4c182..451c03c849 100644
--- a/experimental/generated/elasticsearch/7/template.json
+++ b/experimental/generated/elasticsearch/7/template.json
@@ -91,6 +91,10 @@
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "continent_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "continent_name": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -109,6 +113,10 @@
               "name": {
                 "type": "wildcard"
               },
+              "postal_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "region_iso_code": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -116,6 +124,10 @@
               "region_name": {
                 "ignore_above": 1024,
                 "type": "keyword"
+              },
+              "timezone": {
+                "ignore_above": 1024,
+                "type": "keyword"
               }
             }
           },
@@ -362,6 +374,10 @@
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "continent_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "continent_name": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -380,6 +396,10 @@
               "name": {
                 "type": "wildcard"
               },
+              "postal_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "region_iso_code": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -387,6 +407,10 @@
               "region_name": {
                 "ignore_above": 1024,
                 "type": "keyword"
+              },
+              "timezone": {
+                "ignore_above": 1024,
+                "type": "keyword"
               }
             }
           },
@@ -1111,6 +1135,10 @@
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "continent_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "continent_name": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -1129,6 +1157,10 @@
               "name": {
                 "type": "wildcard"
               },
+              "postal_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "region_iso_code": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -1136,6 +1168,10 @@
               "region_name": {
                 "ignore_above": 1024,
                 "type": "keyword"
+              },
+              "timezone": {
+                "ignore_above": 1024,
+                "type": "keyword"
               }
             }
           },
@@ -1564,6 +1600,10 @@
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "continent_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "continent_name": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -1582,6 +1622,10 @@
               "name": {
                 "type": "wildcard"
               },
+              "postal_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "region_iso_code": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -1589,6 +1633,10 @@
               "region_name": {
                 "ignore_above": 1024,
                 "type": "keyword"
+              },
+              "timezone": {
+                "ignore_above": 1024,
+                "type": "keyword"
               }
             }
           },
@@ -2241,6 +2289,10 @@
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "continent_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "continent_name": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -2259,6 +2311,10 @@
               "name": {
                 "type": "wildcard"
               },
+              "postal_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "region_iso_code": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -2266,6 +2322,10 @@
               "region_name": {
                 "ignore_above": 1024,
                 "type": "keyword"
+              },
+              "timezone": {
+                "ignore_above": 1024,
+                "type": "keyword"
               }
             }
           },
@@ -2436,6 +2496,10 @@
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "continent_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "continent_name": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -2454,6 +2518,10 @@
               "name": {
                 "type": "wildcard"
               },
+              "postal_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "region_iso_code": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -2461,6 +2529,10 @@
               "region_name": {
                 "ignore_above": 1024,
                 "type": "keyword"
+              },
+              "timezone": {
+                "ignore_above": 1024,
+                "type": "keyword"
               }
             }
           },
diff --git a/experimental/generated/elasticsearch/component/client.json b/experimental/generated/elasticsearch/component/client.json
index bb1003070f..df7ef337a3 100644
--- a/experimental/generated/elasticsearch/component/client.json
+++ b/experimental/generated/elasticsearch/component/client.json
@@ -44,6 +44,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "continent_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "continent_name": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -62,6 +66,10 @@
                 "name": {
                   "type": "wildcard"
                 },
+                "postal_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "region_iso_code": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -69,6 +77,10 @@
                 "region_name": {
                   "ignore_above": 1024,
                   "type": "keyword"
+                },
+                "timezone": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 }
               }
             },
diff --git a/experimental/generated/elasticsearch/component/destination.json b/experimental/generated/elasticsearch/component/destination.json
index be3448e658..cff46d3ea5 100644
--- a/experimental/generated/elasticsearch/component/destination.json
+++ b/experimental/generated/elasticsearch/component/destination.json
@@ -44,6 +44,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "continent_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "continent_name": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -62,6 +66,10 @@
                 "name": {
                   "type": "wildcard"
                 },
+                "postal_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "region_iso_code": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -69,6 +77,10 @@
                 "region_name": {
                   "ignore_above": 1024,
                   "type": "keyword"
+                },
+                "timezone": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 }
               }
             },
diff --git a/experimental/generated/elasticsearch/component/host.json b/experimental/generated/elasticsearch/component/host.json
index f5645b0920..2d503d0b39 100644
--- a/experimental/generated/elasticsearch/component/host.json
+++ b/experimental/generated/elasticsearch/component/host.json
@@ -48,6 +48,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "continent_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "continent_name": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -66,6 +70,10 @@
                 "name": {
                   "type": "wildcard"
                 },
+                "postal_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "region_iso_code": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -73,6 +81,10 @@
                 "region_name": {
                   "ignore_above": 1024,
                   "type": "keyword"
+                },
+                "timezone": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 }
               }
             },
diff --git a/experimental/generated/elasticsearch/component/observer.json b/experimental/generated/elasticsearch/component/observer.json
index bc53052962..6a36b4bbaf 100644
--- a/experimental/generated/elasticsearch/component/observer.json
+++ b/experimental/generated/elasticsearch/component/observer.json
@@ -51,6 +51,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "continent_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "continent_name": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -69,6 +73,10 @@
                 "name": {
                   "type": "wildcard"
                 },
+                "postal_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "region_iso_code": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -76,6 +84,10 @@
                 "region_name": {
                   "ignore_above": 1024,
                   "type": "keyword"
+                },
+                "timezone": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 }
               }
             },
diff --git a/experimental/generated/elasticsearch/component/server.json b/experimental/generated/elasticsearch/component/server.json
index 16cd5781f8..6bb1f55c3c 100644
--- a/experimental/generated/elasticsearch/component/server.json
+++ b/experimental/generated/elasticsearch/component/server.json
@@ -44,6 +44,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "continent_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "continent_name": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -62,6 +66,10 @@
                 "name": {
                   "type": "wildcard"
                 },
+                "postal_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "region_iso_code": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -69,6 +77,10 @@
                 "region_name": {
                   "ignore_above": 1024,
                   "type": "keyword"
+                },
+                "timezone": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 }
               }
             },
diff --git a/experimental/generated/elasticsearch/component/source.json b/experimental/generated/elasticsearch/component/source.json
index 43edaf2f09..9832312beb 100644
--- a/experimental/generated/elasticsearch/component/source.json
+++ b/experimental/generated/elasticsearch/component/source.json
@@ -44,6 +44,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "continent_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "continent_name": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -62,6 +66,10 @@
                 "name": {
                   "type": "wildcard"
                 },
+                "postal_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "region_iso_code": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -69,6 +77,10 @@
                 "region_name": {
                   "ignore_above": 1024,
                   "type": "keyword"
+                },
+                "timezone": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 }
               }
             },
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 1c6cea3a9a..66a0122ae4 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -209,6 +209,13 @@
       ignore_above: 1024
       description: City name.
       example: Montreal
+    - name: geo.continent_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Two-letter code representing continent's name.
+      example: NA
+      default_field: false
     - name: geo.continent_name
       level: core
       type: keyword
@@ -244,6 +251,16 @@
 
         Not typically used in automated geolocation.'
       example: boston-dc
+    - name: geo.postal_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      default_field: false
     - name: geo.region_iso_code
       level: core
       type: keyword
@@ -256,6 +273,13 @@
       ignore_above: 1024
       description: Region name.
       example: Quebec
+    - name: geo.timezone
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      default_field: false
     - name: ip
       level: core
       type: ip
@@ -642,6 +666,13 @@
       ignore_above: 1024
       description: City name.
       example: Montreal
+    - name: geo.continent_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Two-letter code representing continent's name.
+      example: NA
+      default_field: false
     - name: geo.continent_name
       level: core
       type: keyword
@@ -677,6 +708,16 @@
 
         Not typically used in automated geolocation.'
       example: boston-dc
+    - name: geo.postal_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      default_field: false
     - name: geo.region_iso_code
       level: core
       type: keyword
@@ -689,6 +730,13 @@
       ignore_above: 1024
       description: Region name.
       example: Quebec
+    - name: geo.timezone
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      default_field: false
     - name: ip
       level: core
       type: ip
@@ -1983,6 +2031,13 @@
       ignore_above: 1024
       description: City name.
       example: Montreal
+    - name: continent_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Two-letter code representing continent's name.
+      example: NA
+      default_field: false
     - name: continent_name
       level: core
       type: keyword
@@ -2018,6 +2073,16 @@
 
         Not typically used in automated geolocation.'
       example: boston-dc
+    - name: postal_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      default_field: false
     - name: region_iso_code
       level: core
       type: keyword
@@ -2030,6 +2095,13 @@
       ignore_above: 1024
       description: Region name.
       example: Quebec
+    - name: timezone
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      default_field: false
   - name: group
     title: Group
     group: 2
@@ -2128,6 +2200,13 @@
       ignore_above: 1024
       description: City name.
       example: Montreal
+    - name: geo.continent_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Two-letter code representing continent's name.
+      example: NA
+      default_field: false
     - name: geo.continent_name
       level: core
       type: keyword
@@ -2163,6 +2242,16 @@
 
         Not typically used in automated geolocation.'
       example: boston-dc
+    - name: geo.postal_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      default_field: false
     - name: geo.region_iso_code
       level: core
       type: keyword
@@ -2175,6 +2264,13 @@
       ignore_above: 1024
       description: Region name.
       example: Quebec
+    - name: geo.timezone
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      default_field: false
     - name: hostname
       level: core
       type: keyword
@@ -2868,6 +2964,13 @@
       ignore_above: 1024
       description: City name.
       example: Montreal
+    - name: geo.continent_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Two-letter code representing continent's name.
+      example: NA
+      default_field: false
     - name: geo.continent_name
       level: core
       type: keyword
@@ -2903,6 +3006,16 @@
 
         Not typically used in automated geolocation.'
       example: boston-dc
+    - name: geo.postal_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      default_field: false
     - name: geo.region_iso_code
       level: core
       type: keyword
@@ -2915,6 +3028,13 @@
       ignore_above: 1024
       description: Region name.
       example: Quebec
+    - name: geo.timezone
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      default_field: false
     - name: hostname
       level: core
       type: keyword
@@ -4152,6 +4272,13 @@
       ignore_above: 1024
       description: City name.
       example: Montreal
+    - name: geo.continent_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Two-letter code representing continent's name.
+      example: NA
+      default_field: false
     - name: geo.continent_name
       level: core
       type: keyword
@@ -4187,6 +4314,16 @@
 
         Not typically used in automated geolocation.'
       example: boston-dc
+    - name: geo.postal_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      default_field: false
     - name: geo.region_iso_code
       level: core
       type: keyword
@@ -4199,6 +4336,13 @@
       ignore_above: 1024
       description: Region name.
       example: Quebec
+    - name: geo.timezone
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      default_field: false
     - name: ip
       level: core
       type: ip
@@ -4488,6 +4632,13 @@
       ignore_above: 1024
       description: City name.
       example: Montreal
+    - name: geo.continent_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Two-letter code representing continent's name.
+      example: NA
+      default_field: false
     - name: geo.continent_name
       level: core
       type: keyword
@@ -4523,6 +4674,16 @@
 
         Not typically used in automated geolocation.'
       example: boston-dc
+    - name: geo.postal_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      default_field: false
     - name: geo.region_iso_code
       level: core
       type: keyword
@@ -4535,6 +4696,13 @@
       ignore_above: 1024
       description: Region name.
       example: Quebec
+    - name: geo.timezone
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      default_field: false
     - name: ip
       level: core
       type: ip
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index a71bdc558e..87ddec0d0d 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -16,13 +16,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server.
 1.9.0-dev,true,client,client.domain,keyword,core,,,Client domain.
 1.9.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0-dev,true,client,client.geo.continent_code,keyword,core,,NA,Continent code.
 1.9.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent.
 1.9.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code.
 1.9.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name.
 1.9.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
 1.9.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+1.9.0-dev,true,client,client.geo.postal_code,keyword,core,,94040,Postal code.
 1.9.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
 1.9.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0-dev,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
 1.9.0-dev,true,client,client.ip,ip,core,,,IP address of the client.
 1.9.0-dev,true,client,client.mac,keyword,core,,,MAC address of the client.
 1.9.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address
@@ -68,13 +71,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source.
 1.9.0-dev,true,destination,destination.domain,keyword,core,,,Destination domain.
 1.9.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0-dev,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code.
 1.9.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent.
 1.9.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code.
 1.9.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name.
 1.9.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
 1.9.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+1.9.0-dev,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code.
 1.9.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
 1.9.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0-dev,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
 1.9.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination.
 1.9.0-dev,true,destination,destination.mac,keyword,core,,,MAC address of the destination.
 1.9.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip
@@ -235,13 +241,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture.
 1.9.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of.
 1.9.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0-dev,true,host,host.geo.continent_code,keyword,core,,NA,Continent code.
 1.9.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent.
 1.9.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code.
 1.9.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name.
 1.9.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
 1.9.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+1.9.0-dev,true,host,host.geo.postal_code,keyword,core,,94040,Postal code.
 1.9.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
 1.9.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0-dev,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
 1.9.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host.
 1.9.0-dev,true,host,host.id,keyword,core,,,Unique host id.
 1.9.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses.
@@ -322,13 +331,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
 1.9.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone
 1.9.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0-dev,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code.
 1.9.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent.
 1.9.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code.
 1.9.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name.
 1.9.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
 1.9.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+1.9.0-dev,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code.
 1.9.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
 1.9.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0-dev,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
 1.9.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer.
 1.9.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information
 1.9.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias
@@ -474,13 +486,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client.
 1.9.0-dev,true,server,server.domain,keyword,core,,,Server domain.
 1.9.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0-dev,true,server,server.geo.continent_code,keyword,core,,NA,Continent code.
 1.9.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent.
 1.9.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code.
 1.9.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name.
 1.9.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
 1.9.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+1.9.0-dev,true,server,server.geo.postal_code,keyword,core,,94040,Postal code.
 1.9.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
 1.9.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0-dev,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
 1.9.0-dev,true,server,server.ip,ip,core,,,IP address of the server.
 1.9.0-dev,true,server,server.mac,keyword,core,,,MAC address of the server.
 1.9.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip
@@ -516,13 +531,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination.
 1.9.0-dev,true,source,source.domain,keyword,core,,,Source domain.
 1.9.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0-dev,true,source,source.geo.continent_code,keyword,core,,NA,Continent code.
 1.9.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent.
 1.9.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code.
 1.9.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name.
 1.9.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
 1.9.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+1.9.0-dev,true,source,source.geo.postal_code,keyword,core,,94040,Postal code.
 1.9.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
 1.9.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0-dev,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
 1.9.0-dev,true,source,source.ip,ip,core,,,IP address of the source.
 1.9.0-dev,true,source,source.mac,keyword,core,,,MAC address of the source.
 1.9.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index 1af94d22d3..44aa7b170f 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -178,6 +178,18 @@ client.geo.city_name:
   original_fieldset: geo
   short: City name.
   type: keyword
+client.geo.continent_code:
+  dashed_name: client-geo-continent-code
+  description: Two-letter code representing continent's name.
+  example: NA
+  flat_name: client.geo.continent_code
+  ignore_above: 1024
+  level: core
+  name: continent_code
+  normalize: []
+  original_fieldset: geo
+  short: Continent code.
+  type: keyword
 client.geo.continent_name:
   dashed_name: client-geo-continent-name
   description: Name of the continent.
@@ -243,6 +255,21 @@ client.geo.name:
   original_fieldset: geo
   short: User-defined description of a location.
   type: keyword
+client.geo.postal_code:
+  dashed_name: client-geo-postal-code
+  description: 'Postal code associated with the location.
+
+    Values appropriate for this field may also be known as a postcode or ZIP code
+    and will vary widely from country to country.'
+  example: 94040
+  flat_name: client.geo.postal_code
+  ignore_above: 1024
+  level: core
+  name: postal_code
+  normalize: []
+  original_fieldset: geo
+  short: Postal code.
+  type: keyword
 client.geo.region_iso_code:
   dashed_name: client-geo-region-iso-code
   description: Region ISO code.
@@ -267,6 +294,18 @@ client.geo.region_name:
   original_fieldset: geo
   short: Region name.
   type: keyword
+client.geo.timezone:
+  dashed_name: client-geo-timezone
+  description: The time zone of the location, such as IANA time zone name.
+  example: America/Argentina/Buenos_Aires
+  flat_name: client.geo.timezone
+  ignore_above: 1024
+  level: core
+  name: timezone
+  normalize: []
+  original_fieldset: geo
+  short: Time zone.
+  type: keyword
 client.ip:
   dashed_name: client-ip
   description: IP address of the client (IPv4 or IPv6).
@@ -789,6 +828,18 @@ destination.geo.city_name:
   original_fieldset: geo
   short: City name.
   type: keyword
+destination.geo.continent_code:
+  dashed_name: destination-geo-continent-code
+  description: Two-letter code representing continent's name.
+  example: NA
+  flat_name: destination.geo.continent_code
+  ignore_above: 1024
+  level: core
+  name: continent_code
+  normalize: []
+  original_fieldset: geo
+  short: Continent code.
+  type: keyword
 destination.geo.continent_name:
   dashed_name: destination-geo-continent-name
   description: Name of the continent.
@@ -854,6 +905,21 @@ destination.geo.name:
   original_fieldset: geo
   short: User-defined description of a location.
   type: keyword
+destination.geo.postal_code:
+  dashed_name: destination-geo-postal-code
+  description: 'Postal code associated with the location.
+
+    Values appropriate for this field may also be known as a postcode or ZIP code
+    and will vary widely from country to country.'
+  example: 94040
+  flat_name: destination.geo.postal_code
+  ignore_above: 1024
+  level: core
+  name: postal_code
+  normalize: []
+  original_fieldset: geo
+  short: Postal code.
+  type: keyword
 destination.geo.region_iso_code:
   dashed_name: destination-geo-region-iso-code
   description: Region ISO code.
@@ -878,6 +944,18 @@ destination.geo.region_name:
   original_fieldset: geo
   short: Region name.
   type: keyword
+destination.geo.timezone:
+  dashed_name: destination-geo-timezone
+  description: The time zone of the location, such as IANA time zone name.
+  example: America/Argentina/Buenos_Aires
+  flat_name: destination.geo.timezone
+  ignore_above: 1024
+  level: core
+  name: timezone
+  normalize: []
+  original_fieldset: geo
+  short: Time zone.
+  type: keyword
 destination.ip:
   dashed_name: destination-ip
   description: IP address of the destination (IPv4 or IPv6).
@@ -3274,6 +3352,18 @@ host.geo.city_name:
   original_fieldset: geo
   short: City name.
   type: keyword
+host.geo.continent_code:
+  dashed_name: host-geo-continent-code
+  description: Two-letter code representing continent's name.
+  example: NA
+  flat_name: host.geo.continent_code
+  ignore_above: 1024
+  level: core
+  name: continent_code
+  normalize: []
+  original_fieldset: geo
+  short: Continent code.
+  type: keyword
 host.geo.continent_name:
   dashed_name: host-geo-continent-name
   description: Name of the continent.
@@ -3339,6 +3429,21 @@ host.geo.name:
   original_fieldset: geo
   short: User-defined description of a location.
   type: keyword
+host.geo.postal_code:
+  dashed_name: host-geo-postal-code
+  description: 'Postal code associated with the location.
+
+    Values appropriate for this field may also be known as a postcode or ZIP code
+    and will vary widely from country to country.'
+  example: 94040
+  flat_name: host.geo.postal_code
+  ignore_above: 1024
+  level: core
+  name: postal_code
+  normalize: []
+  original_fieldset: geo
+  short: Postal code.
+  type: keyword
 host.geo.region_iso_code:
   dashed_name: host-geo-region-iso-code
   description: Region ISO code.
@@ -3363,6 +3468,18 @@ host.geo.region_name:
   original_fieldset: geo
   short: Region name.
   type: keyword
+host.geo.timezone:
+  dashed_name: host-geo-timezone
+  description: The time zone of the location, such as IANA time zone name.
+  example: America/Argentina/Buenos_Aires
+  flat_name: host.geo.timezone
+  ignore_above: 1024
+  level: core
+  name: timezone
+  normalize: []
+  original_fieldset: geo
+  short: Time zone.
+  type: keyword
 host.hostname:
   dashed_name: host-hostname
   description: 'Hostname of the host.
@@ -4382,6 +4499,18 @@ observer.geo.city_name:
   original_fieldset: geo
   short: City name.
   type: keyword
+observer.geo.continent_code:
+  dashed_name: observer-geo-continent-code
+  description: Two-letter code representing continent's name.
+  example: NA
+  flat_name: observer.geo.continent_code
+  ignore_above: 1024
+  level: core
+  name: continent_code
+  normalize: []
+  original_fieldset: geo
+  short: Continent code.
+  type: keyword
 observer.geo.continent_name:
   dashed_name: observer-geo-continent-name
   description: Name of the continent.
@@ -4447,6 +4576,21 @@ observer.geo.name:
   original_fieldset: geo
   short: User-defined description of a location.
   type: keyword
+observer.geo.postal_code:
+  dashed_name: observer-geo-postal-code
+  description: 'Postal code associated with the location.
+
+    Values appropriate for this field may also be known as a postcode or ZIP code
+    and will vary widely from country to country.'
+  example: 94040
+  flat_name: observer.geo.postal_code
+  ignore_above: 1024
+  level: core
+  name: postal_code
+  normalize: []
+  original_fieldset: geo
+  short: Postal code.
+  type: keyword
 observer.geo.region_iso_code:
   dashed_name: observer-geo-region-iso-code
   description: Region ISO code.
@@ -4471,6 +4615,18 @@ observer.geo.region_name:
   original_fieldset: geo
   short: Region name.
   type: keyword
+observer.geo.timezone:
+  dashed_name: observer-geo-timezone
+  description: The time zone of the location, such as IANA time zone name.
+  example: America/Argentina/Buenos_Aires
+  flat_name: observer.geo.timezone
+  ignore_above: 1024
+  level: core
+  name: timezone
+  normalize: []
+  original_fieldset: geo
+  short: Time zone.
+  type: keyword
 observer.hostname:
   dashed_name: observer-hostname
   description: Hostname of the observer.
@@ -6151,6 +6307,18 @@ server.geo.city_name:
   original_fieldset: geo
   short: City name.
   type: keyword
+server.geo.continent_code:
+  dashed_name: server-geo-continent-code
+  description: Two-letter code representing continent's name.
+  example: NA
+  flat_name: server.geo.continent_code
+  ignore_above: 1024
+  level: core
+  name: continent_code
+  normalize: []
+  original_fieldset: geo
+  short: Continent code.
+  type: keyword
 server.geo.continent_name:
   dashed_name: server-geo-continent-name
   description: Name of the continent.
@@ -6216,6 +6384,21 @@ server.geo.name:
   original_fieldset: geo
   short: User-defined description of a location.
   type: keyword
+server.geo.postal_code:
+  dashed_name: server-geo-postal-code
+  description: 'Postal code associated with the location.
+
+    Values appropriate for this field may also be known as a postcode or ZIP code
+    and will vary widely from country to country.'
+  example: 94040
+  flat_name: server.geo.postal_code
+  ignore_above: 1024
+  level: core
+  name: postal_code
+  normalize: []
+  original_fieldset: geo
+  short: Postal code.
+  type: keyword
 server.geo.region_iso_code:
   dashed_name: server-geo-region-iso-code
   description: Region ISO code.
@@ -6240,6 +6423,18 @@ server.geo.region_name:
   original_fieldset: geo
   short: Region name.
   type: keyword
+server.geo.timezone:
+  dashed_name: server-geo-timezone
+  description: The time zone of the location, such as IANA time zone name.
+  example: America/Argentina/Buenos_Aires
+  flat_name: server.geo.timezone
+  ignore_above: 1024
+  level: core
+  name: timezone
+  normalize: []
+  original_fieldset: geo
+  short: Time zone.
+  type: keyword
 server.ip:
   dashed_name: server-ip
   description: IP address of the server (IPv4 or IPv6).
@@ -6677,6 +6872,18 @@ source.geo.city_name:
   original_fieldset: geo
   short: City name.
   type: keyword
+source.geo.continent_code:
+  dashed_name: source-geo-continent-code
+  description: Two-letter code representing continent's name.
+  example: NA
+  flat_name: source.geo.continent_code
+  ignore_above: 1024
+  level: core
+  name: continent_code
+  normalize: []
+  original_fieldset: geo
+  short: Continent code.
+  type: keyword
 source.geo.continent_name:
   dashed_name: source-geo-continent-name
   description: Name of the continent.
@@ -6742,6 +6949,21 @@ source.geo.name:
   original_fieldset: geo
   short: User-defined description of a location.
   type: keyword
+source.geo.postal_code:
+  dashed_name: source-geo-postal-code
+  description: 'Postal code associated with the location.
+
+    Values appropriate for this field may also be known as a postcode or ZIP code
+    and will vary widely from country to country.'
+  example: 94040
+  flat_name: source.geo.postal_code
+  ignore_above: 1024
+  level: core
+  name: postal_code
+  normalize: []
+  original_fieldset: geo
+  short: Postal code.
+  type: keyword
 source.geo.region_iso_code:
   dashed_name: source-geo-region-iso-code
   description: Region ISO code.
@@ -6766,6 +6988,18 @@ source.geo.region_name:
   original_fieldset: geo
   short: Region name.
   type: keyword
+source.geo.timezone:
+  dashed_name: source-geo-timezone
+  description: The time zone of the location, such as IANA time zone name.
+  example: America/Argentina/Buenos_Aires
+  flat_name: source.geo.timezone
+  ignore_above: 1024
+  level: core
+  name: timezone
+  normalize: []
+  original_fieldset: geo
+  short: Time zone.
+  type: keyword
 source.ip:
   dashed_name: source-ip
   description: IP address of the source (IPv4 or IPv6).
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index a3934fd463..d550ec8cc6 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -324,6 +324,18 @@ client:
       original_fieldset: geo
       short: City name.
       type: keyword
+    client.geo.continent_code:
+      dashed_name: client-geo-continent-code
+      description: Two-letter code representing continent's name.
+      example: NA
+      flat_name: client.geo.continent_code
+      ignore_above: 1024
+      level: core
+      name: continent_code
+      normalize: []
+      original_fieldset: geo
+      short: Continent code.
+      type: keyword
     client.geo.continent_name:
       dashed_name: client-geo-continent-name
       description: Name of the continent.
@@ -389,6 +401,21 @@ client:
       original_fieldset: geo
       short: User-defined description of a location.
       type: keyword
+    client.geo.postal_code:
+      dashed_name: client-geo-postal-code
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      flat_name: client.geo.postal_code
+      ignore_above: 1024
+      level: core
+      name: postal_code
+      normalize: []
+      original_fieldset: geo
+      short: Postal code.
+      type: keyword
     client.geo.region_iso_code:
       dashed_name: client-geo-region-iso-code
       description: Region ISO code.
@@ -413,6 +440,18 @@ client:
       original_fieldset: geo
       short: Region name.
       type: keyword
+    client.geo.timezone:
+      dashed_name: client-geo-timezone
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      flat_name: client.geo.timezone
+      ignore_above: 1024
+      level: core
+      name: timezone
+      normalize: []
+      original_fieldset: geo
+      short: Time zone.
+      type: keyword
     client.ip:
       dashed_name: client-ip
       description: IP address of the client (IPv4 or IPv6).
@@ -1077,6 +1116,18 @@ destination:
       original_fieldset: geo
       short: City name.
       type: keyword
+    destination.geo.continent_code:
+      dashed_name: destination-geo-continent-code
+      description: Two-letter code representing continent's name.
+      example: NA
+      flat_name: destination.geo.continent_code
+      ignore_above: 1024
+      level: core
+      name: continent_code
+      normalize: []
+      original_fieldset: geo
+      short: Continent code.
+      type: keyword
     destination.geo.continent_name:
       dashed_name: destination-geo-continent-name
       description: Name of the continent.
@@ -1142,6 +1193,21 @@ destination:
       original_fieldset: geo
       short: User-defined description of a location.
       type: keyword
+    destination.geo.postal_code:
+      dashed_name: destination-geo-postal-code
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      flat_name: destination.geo.postal_code
+      ignore_above: 1024
+      level: core
+      name: postal_code
+      normalize: []
+      original_fieldset: geo
+      short: Postal code.
+      type: keyword
     destination.geo.region_iso_code:
       dashed_name: destination-geo-region-iso-code
       description: Region ISO code.
@@ -1166,6 +1232,18 @@ destination:
       original_fieldset: geo
       short: Region name.
       type: keyword
+    destination.geo.timezone:
+      dashed_name: destination-geo-timezone
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      flat_name: destination.geo.timezone
+      ignore_above: 1024
+      level: core
+      name: timezone
+      normalize: []
+      original_fieldset: geo
+      short: Time zone.
+      type: keyword
     destination.ip:
       dashed_name: destination-ip
       description: IP address of the destination (IPv4 or IPv6).
@@ -3671,6 +3749,17 @@ geo:
       normalize: []
       short: City name.
       type: keyword
+    geo.continent_code:
+      dashed_name: geo-continent-code
+      description: Two-letter code representing continent's name.
+      example: NA
+      flat_name: geo.continent_code
+      ignore_above: 1024
+      level: core
+      name: continent_code
+      normalize: []
+      short: Continent code.
+      type: keyword
     geo.continent_name:
       dashed_name: geo-continent-name
       description: Name of the continent.
@@ -3731,6 +3820,20 @@ geo:
       normalize: []
       short: User-defined description of a location.
       type: keyword
+    geo.postal_code:
+      dashed_name: geo-postal-code
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      flat_name: geo.postal_code
+      ignore_above: 1024
+      level: core
+      name: postal_code
+      normalize: []
+      short: Postal code.
+      type: keyword
     geo.region_iso_code:
       dashed_name: geo-region-iso-code
       description: Region ISO code.
@@ -3753,6 +3856,17 @@ geo:
       normalize: []
       short: Region name.
       type: keyword
+    geo.timezone:
+      dashed_name: geo-timezone
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      flat_name: geo.timezone
+      ignore_above: 1024
+      level: core
+      name: timezone
+      normalize: []
+      short: Time zone.
+      type: keyword
   group: 2
   name: geo
   prefix: geo.
@@ -3953,6 +4067,18 @@ host:
       original_fieldset: geo
       short: City name.
       type: keyword
+    host.geo.continent_code:
+      dashed_name: host-geo-continent-code
+      description: Two-letter code representing continent's name.
+      example: NA
+      flat_name: host.geo.continent_code
+      ignore_above: 1024
+      level: core
+      name: continent_code
+      normalize: []
+      original_fieldset: geo
+      short: Continent code.
+      type: keyword
     host.geo.continent_name:
       dashed_name: host-geo-continent-name
       description: Name of the continent.
@@ -4018,6 +4144,21 @@ host:
       original_fieldset: geo
       short: User-defined description of a location.
       type: keyword
+    host.geo.postal_code:
+      dashed_name: host-geo-postal-code
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      flat_name: host.geo.postal_code
+      ignore_above: 1024
+      level: core
+      name: postal_code
+      normalize: []
+      original_fieldset: geo
+      short: Postal code.
+      type: keyword
     host.geo.region_iso_code:
       dashed_name: host-geo-region-iso-code
       description: Region ISO code.
@@ -4042,6 +4183,18 @@ host:
       original_fieldset: geo
       short: Region name.
       type: keyword
+    host.geo.timezone:
+      dashed_name: host-geo-timezone
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      flat_name: host.geo.timezone
+      ignore_above: 1024
+      level: core
+      name: timezone
+      normalize: []
+      original_fieldset: geo
+      short: Time zone.
+      type: keyword
     host.hostname:
       dashed_name: host-hostname
       description: 'Hostname of the host.
@@ -5179,6 +5332,18 @@ observer:
       original_fieldset: geo
       short: City name.
       type: keyword
+    observer.geo.continent_code:
+      dashed_name: observer-geo-continent-code
+      description: Two-letter code representing continent's name.
+      example: NA
+      flat_name: observer.geo.continent_code
+      ignore_above: 1024
+      level: core
+      name: continent_code
+      normalize: []
+      original_fieldset: geo
+      short: Continent code.
+      type: keyword
     observer.geo.continent_name:
       dashed_name: observer-geo-continent-name
       description: Name of the continent.
@@ -5244,6 +5409,21 @@ observer:
       original_fieldset: geo
       short: User-defined description of a location.
       type: keyword
+    observer.geo.postal_code:
+      dashed_name: observer-geo-postal-code
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      flat_name: observer.geo.postal_code
+      ignore_above: 1024
+      level: core
+      name: postal_code
+      normalize: []
+      original_fieldset: geo
+      short: Postal code.
+      type: keyword
     observer.geo.region_iso_code:
       dashed_name: observer-geo-region-iso-code
       description: Region ISO code.
@@ -5268,6 +5448,18 @@ observer:
       original_fieldset: geo
       short: Region name.
       type: keyword
+    observer.geo.timezone:
+      dashed_name: observer-geo-timezone
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      flat_name: observer.geo.timezone
+      ignore_above: 1024
+      level: core
+      name: timezone
+      normalize: []
+      original_fieldset: geo
+      short: Time zone.
+      type: keyword
     observer.hostname:
       dashed_name: observer-hostname
       description: Hostname of the observer.
@@ -7324,6 +7516,18 @@ server:
       original_fieldset: geo
       short: City name.
       type: keyword
+    server.geo.continent_code:
+      dashed_name: server-geo-continent-code
+      description: Two-letter code representing continent's name.
+      example: NA
+      flat_name: server.geo.continent_code
+      ignore_above: 1024
+      level: core
+      name: continent_code
+      normalize: []
+      original_fieldset: geo
+      short: Continent code.
+      type: keyword
     server.geo.continent_name:
       dashed_name: server-geo-continent-name
       description: Name of the continent.
@@ -7389,6 +7593,21 @@ server:
       original_fieldset: geo
       short: User-defined description of a location.
       type: keyword
+    server.geo.postal_code:
+      dashed_name: server-geo-postal-code
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      flat_name: server.geo.postal_code
+      ignore_above: 1024
+      level: core
+      name: postal_code
+      normalize: []
+      original_fieldset: geo
+      short: Postal code.
+      type: keyword
     server.geo.region_iso_code:
       dashed_name: server-geo-region-iso-code
       description: Region ISO code.
@@ -7413,6 +7632,18 @@ server:
       original_fieldset: geo
       short: Region name.
       type: keyword
+    server.geo.timezone:
+      dashed_name: server-geo-timezone
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      flat_name: server.geo.timezone
+      ignore_above: 1024
+      level: core
+      name: timezone
+      normalize: []
+      original_fieldset: geo
+      short: Time zone.
+      type: keyword
     server.ip:
       dashed_name: server-ip
       description: IP address of the server (IPv4 or IPv6).
@@ -7894,6 +8125,18 @@ source:
       original_fieldset: geo
       short: City name.
       type: keyword
+    source.geo.continent_code:
+      dashed_name: source-geo-continent-code
+      description: Two-letter code representing continent's name.
+      example: NA
+      flat_name: source.geo.continent_code
+      ignore_above: 1024
+      level: core
+      name: continent_code
+      normalize: []
+      original_fieldset: geo
+      short: Continent code.
+      type: keyword
     source.geo.continent_name:
       dashed_name: source-geo-continent-name
       description: Name of the continent.
@@ -7959,6 +8202,21 @@ source:
       original_fieldset: geo
       short: User-defined description of a location.
       type: keyword
+    source.geo.postal_code:
+      dashed_name: source-geo-postal-code
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      flat_name: source.geo.postal_code
+      ignore_above: 1024
+      level: core
+      name: postal_code
+      normalize: []
+      original_fieldset: geo
+      short: Postal code.
+      type: keyword
     source.geo.region_iso_code:
       dashed_name: source-geo-region-iso-code
       description: Region ISO code.
@@ -7983,6 +8241,18 @@ source:
       original_fieldset: geo
       short: Region name.
       type: keyword
+    source.geo.timezone:
+      dashed_name: source-geo-timezone
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      flat_name: source.geo.timezone
+      ignore_above: 1024
+      level: core
+      name: timezone
+      normalize: []
+      original_fieldset: geo
+      short: Time zone.
+      type: keyword
     source.ip:
       dashed_name: source-ip
       description: IP address of the source (IPv4 or IPv6).
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json
index 5d91ba5198..15708392e3 100644
--- a/generated/elasticsearch/6/template.json
+++ b/generated/elasticsearch/6/template.json
@@ -95,6 +95,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "continent_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "continent_name": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -114,6 +118,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "postal_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "region_iso_code": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -121,6 +129,10 @@
                 "region_name": {
                   "ignore_above": 1024,
                   "type": "keyword"
+                },
+                "timezone": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 }
               }
             },
@@ -360,6 +372,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "continent_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "continent_name": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -379,6 +395,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "postal_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "region_iso_code": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -386,6 +406,10 @@
                 "region_name": {
                   "ignore_above": 1024,
                   "type": "keyword"
+                },
+                "timezone": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 }
               }
             },
@@ -1101,6 +1125,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "continent_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "continent_name": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -1120,6 +1148,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "postal_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "region_iso_code": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -1127,6 +1159,10 @@
                 "region_name": {
                   "ignore_above": 1024,
                   "type": "keyword"
+                },
+                "timezone": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 }
               }
             },
@@ -1542,6 +1578,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "continent_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "continent_name": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -1561,6 +1601,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "postal_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "region_iso_code": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -1568,6 +1612,10 @@
                 "region_name": {
                   "ignore_above": 1024,
                   "type": "keyword"
+                },
+                "timezone": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 }
               }
             },
@@ -2242,6 +2290,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "continent_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "continent_name": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -2261,6 +2313,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "postal_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "region_iso_code": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -2268,6 +2324,10 @@
                 "region_name": {
                   "ignore_above": 1024,
                   "type": "keyword"
+                },
+                "timezone": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 }
               }
             },
@@ -2444,6 +2504,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "continent_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "continent_name": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -2463,6 +2527,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "postal_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "region_iso_code": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -2470,6 +2538,10 @@
                 "region_name": {
                   "ignore_above": 1024,
                   "type": "keyword"
+                },
+                "timezone": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 }
               }
             },
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json
index 04000cc76a..083546847a 100644
--- a/generated/elasticsearch/7/template.json
+++ b/generated/elasticsearch/7/template.json
@@ -94,6 +94,10 @@
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "continent_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "continent_name": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -113,6 +117,10 @@
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "postal_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "region_iso_code": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -120,6 +128,10 @@
               "region_name": {
                 "ignore_above": 1024,
                 "type": "keyword"
+              },
+              "timezone": {
+                "ignore_above": 1024,
+                "type": "keyword"
               }
             }
           },
@@ -359,6 +371,10 @@
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "continent_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "continent_name": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -378,6 +394,10 @@
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "postal_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "region_iso_code": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -385,6 +405,10 @@
               "region_name": {
                 "ignore_above": 1024,
                 "type": "keyword"
+              },
+              "timezone": {
+                "ignore_above": 1024,
+                "type": "keyword"
               }
             }
           },
@@ -1100,6 +1124,10 @@
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "continent_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "continent_name": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -1119,6 +1147,10 @@
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "postal_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "region_iso_code": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -1126,6 +1158,10 @@
               "region_name": {
                 "ignore_above": 1024,
                 "type": "keyword"
+              },
+              "timezone": {
+                "ignore_above": 1024,
+                "type": "keyword"
               }
             }
           },
@@ -1541,6 +1577,10 @@
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "continent_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "continent_name": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -1560,6 +1600,10 @@
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "postal_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "region_iso_code": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -1567,6 +1611,10 @@
               "region_name": {
                 "ignore_above": 1024,
                 "type": "keyword"
+              },
+              "timezone": {
+                "ignore_above": 1024,
+                "type": "keyword"
               }
             }
           },
@@ -2241,6 +2289,10 @@
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "continent_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "continent_name": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -2260,6 +2312,10 @@
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "postal_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "region_iso_code": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -2267,6 +2323,10 @@
               "region_name": {
                 "ignore_above": 1024,
                 "type": "keyword"
+              },
+              "timezone": {
+                "ignore_above": 1024,
+                "type": "keyword"
               }
             }
           },
@@ -2443,6 +2503,10 @@
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "continent_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "continent_name": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -2462,6 +2526,10 @@
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "postal_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "region_iso_code": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -2469,6 +2537,10 @@
               "region_name": {
                 "ignore_above": 1024,
                 "type": "keyword"
+              },
+              "timezone": {
+                "ignore_above": 1024,
+                "type": "keyword"
               }
             }
           },
diff --git a/generated/elasticsearch/component/client.json b/generated/elasticsearch/component/client.json
index 4813913258..59e1c4fac5 100644
--- a/generated/elasticsearch/component/client.json
+++ b/generated/elasticsearch/component/client.json
@@ -46,6 +46,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "continent_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "continent_name": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -65,6 +69,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "postal_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "region_iso_code": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -72,6 +80,10 @@
                 "region_name": {
                   "ignore_above": 1024,
                   "type": "keyword"
+                },
+                "timezone": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 }
               }
             },
diff --git a/generated/elasticsearch/component/destination.json b/generated/elasticsearch/component/destination.json
index c73b493e86..d7babcf058 100644
--- a/generated/elasticsearch/component/destination.json
+++ b/generated/elasticsearch/component/destination.json
@@ -46,6 +46,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "continent_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "continent_name": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -65,6 +69,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "postal_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "region_iso_code": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -72,6 +80,10 @@
                 "region_name": {
                   "ignore_above": 1024,
                   "type": "keyword"
+                },
+                "timezone": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 }
               }
             },
diff --git a/generated/elasticsearch/component/host.json b/generated/elasticsearch/component/host.json
index 3d0b3a8cf8..e371893cf8 100644
--- a/generated/elasticsearch/component/host.json
+++ b/generated/elasticsearch/component/host.json
@@ -22,6 +22,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "continent_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "continent_name": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -41,6 +45,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "postal_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "region_iso_code": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -48,6 +56,10 @@
                 "region_name": {
                   "ignore_above": 1024,
                   "type": "keyword"
+                },
+                "timezone": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 }
               }
             },
diff --git a/generated/elasticsearch/component/observer.json b/generated/elasticsearch/component/observer.json
index 049625241b..d4be55d415 100644
--- a/generated/elasticsearch/component/observer.json
+++ b/generated/elasticsearch/component/observer.json
@@ -51,6 +51,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "continent_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "continent_name": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -70,6 +74,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "postal_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "region_iso_code": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -77,6 +85,10 @@
                 "region_name": {
                   "ignore_above": 1024,
                   "type": "keyword"
+                },
+                "timezone": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 }
               }
             },
diff --git a/generated/elasticsearch/component/server.json b/generated/elasticsearch/component/server.json
index bdd746f660..d824559d6c 100644
--- a/generated/elasticsearch/component/server.json
+++ b/generated/elasticsearch/component/server.json
@@ -46,6 +46,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "continent_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "continent_name": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -65,6 +69,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "postal_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "region_iso_code": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -72,6 +80,10 @@
                 "region_name": {
                   "ignore_above": 1024,
                   "type": "keyword"
+                },
+                "timezone": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 }
               }
             },
diff --git a/generated/elasticsearch/component/source.json b/generated/elasticsearch/component/source.json
index cb236d53f0..d6b6bd2048 100644
--- a/generated/elasticsearch/component/source.json
+++ b/generated/elasticsearch/component/source.json
@@ -46,6 +46,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "continent_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "continent_name": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -65,6 +69,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "postal_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "region_iso_code": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -72,6 +80,10 @@
                 "region_name": {
                   "ignore_above": 1024,
                   "type": "keyword"
+                },
+                "timezone": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 }
               }
             },
diff --git a/schemas/geo.yml b/schemas/geo.yml
index 347d60829e..fef496097b 100644
--- a/schemas/geo.yml
+++ b/schemas/geo.yml
@@ -27,6 +27,14 @@
         Longitude and latitude.
       example: '{ "lon": -73.614830, "lat": 45.505918 }'
 
+    - name: continent_code
+      level: core
+      type: keyword
+      short: Continent code.
+      description: >
+        Two-letter code representing continent's name.
+      example: NA
+
     - name: continent_name
       level: core
       type: keyword
@@ -62,6 +70,18 @@
         Country ISO code.
       example: CA
 
+    - name: postal_code
+      level: core
+      type: keyword
+      short: Postal code.
+      description: >
+         Postal code associated with the location.
+
+         Values appropriate for this field may also be known
+         as a postcode or ZIP code and will vary widely from
+         country to country.
+      example: 94040
+
     - name: region_iso_code
       level: core
       type: keyword
@@ -69,6 +89,14 @@
         Region ISO code.
       example: CA-QC
 
+    - name: timezone
+      level: core
+      type: keyword
+      short: Time zone.
+      description: >
+        The time zone of the location, such as IANA time zone name.
+      example: "America/Argentina/Buenos_Aires"
+
     - name: name
       level: extended
       type: keyword

From 9006c8d201de6ae3f86a10d1cc3e0d01b1ed13c7 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Thu, 11 Feb 2021 12:05:04 -0600
Subject: [PATCH 76/90] Specify MAC address format (#456) (#1260)

Co-authored-by: Robin Schneider <36660054+ypid-geberit@users.noreply.github.com>
---
 CHANGELOG.next.md                           |  2 +
 code/go/ecs/client.go                       |  4 ++
 code/go/ecs/destination.go                  |  4 ++
 code/go/ecs/host.go                         |  6 +-
 code/go/ecs/observer.go                     | 18 +++---
 code/go/ecs/server.go                       |  4 ++
 code/go/ecs/source.go                       |  4 ++
 docs/field-details.asciidoc                 | 36 +++++++----
 experimental/generated/beats/fields.ecs.yml | 64 ++++++++++++++-----
 experimental/generated/csv/fields.csv       | 12 ++--
 experimental/generated/ecs/ecs_flat.yml     | 59 +++++++++++++-----
 experimental/generated/ecs/ecs_nested.yml   | 68 ++++++++++++++++-----
 generated/beats/fields.ecs.yml              | 64 ++++++++++++++-----
 generated/csv/fields.csv                    | 12 ++--
 generated/ecs/ecs_flat.yml                  | 59 +++++++++++++-----
 generated/ecs/ecs_nested.yml                | 68 ++++++++++++++++-----
 schemas/client.yml                          |  7 +++
 schemas/destination.yml                     |  7 +++
 schemas/host.yml                            |  9 ++-
 schemas/observer.yml                        | 23 ++++---
 schemas/server.yml                          |  7 +++
 schemas/source.yml                          |  7 +++
 22 files changed, 413 insertions(+), 131 deletions(-)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 0cad5ab971..2d597ed044 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -24,6 +24,8 @@ Thanks, you're awesome :-) -->
 
 #### Improvements
 
+* Include formatting guidance and examples for MAC address fields. #456
+
 #### Deprecated
 
 
diff --git a/code/go/ecs/client.go b/code/go/ecs/client.go
index 9c6336d4bf..0942961b91 100644
--- a/code/go/ecs/client.go
+++ b/code/go/ecs/client.go
@@ -47,6 +47,10 @@ type Client struct {
 	Port int64 `ecs:"port"`
 
 	// MAC address of the client.
+	// The notation format from RFC 7042 is suggested: Each octet (that is,
+	// 8-bit byte) is represented by two [uppercase] hexadecimal digits giving
+	// the value of the octet as an unsigned integer. Successive octets are
+	// separated by a hyphen.
 	MAC string `ecs:"mac"`
 
 	// Client domain.
diff --git a/code/go/ecs/destination.go b/code/go/ecs/destination.go
index 1985e8720b..0d53a18d4b 100644
--- a/code/go/ecs/destination.go
+++ b/code/go/ecs/destination.go
@@ -43,6 +43,10 @@ type Destination struct {
 	Port int64 `ecs:"port"`
 
 	// MAC address of the destination.
+	// The notation format from RFC 7042 is suggested: Each octet (that is,
+	// 8-bit byte) is represented by two [uppercase] hexadecimal digits giving
+	// the value of the octet as an unsigned integer. Successive octets are
+	// separated by a hyphen.
 	MAC string `ecs:"mac"`
 
 	// Destination domain.
diff --git a/code/go/ecs/host.go b/code/go/ecs/host.go
index 1d66d78832..f3afb6b871 100644
--- a/code/go/ecs/host.go
+++ b/code/go/ecs/host.go
@@ -44,7 +44,11 @@ type Host struct {
 	// Host ip addresses.
 	IP string `ecs:"ip"`
 
-	// Host mac addresses.
+	// Host MAC addresses.
+	// The notation format from RFC 7042 is suggested: Each octet (that is,
+	// 8-bit byte) is represented by two [uppercase] hexadecimal digits giving
+	// the value of the octet as an unsigned integer. Successive octets are
+	// separated by a hyphen.
 	MAC string `ecs:"mac"`
 
 	// Type of host.
diff --git a/code/go/ecs/observer.go b/code/go/ecs/observer.go
index a7459aa11a..84eb2d0545 100644
--- a/code/go/ecs/observer.go
+++ b/code/go/ecs/observer.go
@@ -32,7 +32,11 @@ package ecs
 // and ETL components used in processing events or metrics are not considered
 // observers in ECS.
 type Observer struct {
-	// MAC addresses of the observer
+	// MAC addresses of the observer.
+	// The notation format from RFC 7042 is suggested: Each octet (that is,
+	// 8-bit byte) is represented by two [uppercase] hexadecimal digits giving
+	// the value of the octet as an unsigned integer. Successive octets are
+	// separated by a hyphen.
 	MAC string `ecs:"mac"`
 
 	// IP addresses of the observer.
@@ -67,24 +71,24 @@ type Observer struct {
 	Type string `ecs:"type"`
 
 	// Observer.ingress holds information like interface number and name, vlan,
-	// and zone information to  classify ingress traffic.  Single armed
-	// monitoring such as a network sensor on a span port should  only use
+	// and zone information to classify ingress traffic.  Single armed
+	// monitoring such as a network sensor on a span port should only use
 	// observer.ingress to categorize traffic.
 	Ingress map[string]interface{} `ecs:"ingress"`
 
 	// Network zone of incoming traffic as reported by the observer to
-	// categorize the source area of ingress  traffic. e.g. internal, External,
+	// categorize the source area of ingress traffic. e.g. internal, External,
 	// DMZ, HR, Legal, etc.
 	IngressZone string `ecs:"ingress.zone"`
 
 	// Observer.egress holds information like interface number and name, vlan,
-	// and zone information to  classify egress traffic.  Single armed
-	// monitoring such as a network sensor on a span port should  only use
+	// and zone information to classify egress traffic.  Single armed
+	// monitoring such as a network sensor on a span port should only use
 	// observer.ingress to categorize traffic.
 	Egress map[string]interface{} `ecs:"egress"`
 
 	// Network zone of outbound traffic as reported by the observer to
-	// categorize the destination area of egress  traffic, e.g. Internal,
+	// categorize the destination area of egress traffic, e.g. Internal,
 	// External, DMZ, HR, Legal, etc.
 	EgressZone string `ecs:"egress.zone"`
 }
diff --git a/code/go/ecs/server.go b/code/go/ecs/server.go
index bc395a115c..dfd43b0f0a 100644
--- a/code/go/ecs/server.go
+++ b/code/go/ecs/server.go
@@ -47,6 +47,10 @@ type Server struct {
 	Port int64 `ecs:"port"`
 
 	// MAC address of the server.
+	// The notation format from RFC 7042 is suggested: Each octet (that is,
+	// 8-bit byte) is represented by two [uppercase] hexadecimal digits giving
+	// the value of the octet as an unsigned integer. Successive octets are
+	// separated by a hyphen.
 	MAC string `ecs:"mac"`
 
 	// Server domain.
diff --git a/code/go/ecs/source.go b/code/go/ecs/source.go
index 3e4becbbbd..d407ee5d20 100644
--- a/code/go/ecs/source.go
+++ b/code/go/ecs/source.go
@@ -43,6 +43,10 @@ type Source struct {
 	Port int64 `ecs:"port"`
 
 	// MAC address of the source.
+	// The notation format from RFC 7042 is suggested: Each octet (that is,
+	// 8-bit byte) is represented by two [uppercase] hexadecimal digits giving
+	// the value of the octet as an unsigned integer. Successive octets are
+	// separated by a hyphen.
 	MAC string `ecs:"mac"`
 
 	// Source domain.
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index 64379b2aaf..12cfbc5870 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -375,11 +375,13 @@ type: ip
 
 | MAC address of the client.
 
-type: keyword
+The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
 
+type: keyword
 
 
 
+example: `00-00-5E-00-53-23`
 
 | core
 
@@ -1067,11 +1069,13 @@ type: ip
 
 | MAC address of the destination.
 
-type: keyword
+The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
 
+type: keyword
 
 
 
+example: `00-00-5E-00-53-23`
 
 | core
 
@@ -3263,7 +3267,9 @@ Note: this field should contain an array of values.
 [[field-host-mac]]
 <<field-host-mac, host.mac>>
 
-| Host mac addresses.
+| Host MAC addresses.
+
+The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
 
 type: keyword
 
@@ -3272,7 +3278,7 @@ Note: this field should contain an array of values.
 
 
 
-
+example: `["00-00-5E-00-53-23", "00-00-5E-00-53-24"]`
 
 | core
 
@@ -4238,7 +4244,7 @@ This could be a custom hardware appliance or a server that has been configured t
 [[field-observer-egress]]
 <<field-observer-egress, observer.egress>>
 
-| Observer.egress holds information like interface number and name, vlan, and zone information to  classify egress traffic.  Single armed monitoring such as a network sensor on a span port should  only use observer.ingress to categorize traffic.
+| Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic.  Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.
 
 type: object
 
@@ -4254,7 +4260,7 @@ type: object
 [[field-observer-egress-zone]]
 <<field-observer-egress-zone, observer.egress.zone>>
 
-| Network zone of outbound traffic as reported by the observer to categorize the destination area of egress  traffic, e.g. Internal, External, DMZ, HR, Legal, etc.
+| Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc.
 
 type: keyword
 
@@ -4286,7 +4292,7 @@ type: keyword
 [[field-observer-ingress]]
 <<field-observer-ingress, observer.ingress>>
 
-| Observer.ingress holds information like interface number and name, vlan, and zone information to  classify ingress traffic.  Single armed monitoring such as a network sensor on a span port should  only use observer.ingress to categorize traffic.
+| Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic.  Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.
 
 type: object
 
@@ -4302,7 +4308,7 @@ type: object
 [[field-observer-ingress-zone]]
 <<field-observer-ingress-zone, observer.ingress.zone>>
 
-| Network zone of incoming traffic as reported by the observer to categorize the source area of ingress  traffic. e.g. internal, External, DMZ, HR, Legal, etc.
+| Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc.
 
 type: keyword
 
@@ -4337,7 +4343,9 @@ Note: this field should contain an array of values.
 [[field-observer-mac]]
 <<field-observer-mac, observer.mac>>
 
-| MAC addresses of the observer
+| MAC addresses of the observer.
+
+The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
 
 type: keyword
 
@@ -4346,7 +4354,7 @@ Note: this field should contain an array of values.
 
 
 
-
+example: `["00-00-5E-00-53-23", "00-00-5E-00-53-24"]`
 
 | core
 
@@ -5965,11 +5973,13 @@ type: ip
 
 | MAC address of the server.
 
-type: keyword
+The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
 
+type: keyword
 
 
 
+example: `00-00-5E-00-53-23`
 
 | core
 
@@ -6376,11 +6386,13 @@ type: ip
 
 | MAC address of the source.
 
-type: keyword
+The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
 
+type: keyword
 
 
 
+example: `00-00-5E-00-53-23`
 
 | core
 
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index 8a88804d62..841d63b442 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -283,7 +283,13 @@
       level: core
       type: keyword
       ignore_above: 1024
-      description: MAC address of the client.
+      description: 'MAC address of the client.
+
+        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
+        byte) is represented by two [uppercase] hexadecimal digits giving the value
+        of the octet as an unsigned integer. Successive octets are separated by a
+        hyphen.'
+      example: 00-00-5E-00-53-23
     - name: nat.ip
       level: extended
       type: ip
@@ -785,7 +791,13 @@
       level: core
       type: keyword
       ignore_above: 1024
-      description: MAC address of the destination.
+      description: 'MAC address of the destination.
+
+        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
+        byte) is represented by two [uppercase] hexadecimal digits giving the value
+        of the octet as an unsigned integer. Successive octets are separated by a
+        hyphen.'
+      example: 00-00-5E-00-53-23
     - name: nat.ip
       level: extended
       type: ip
@@ -2338,7 +2350,13 @@
       level: core
       type: keyword
       ignore_above: 1024
-      description: Host mac addresses.
+      description: 'Host MAC addresses.
+
+        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
+        byte) is represented by two [uppercase] hexadecimal digits giving the value
+        of the octet as an unsigned integer. Successive octets are separated by a
+        hyphen.'
+      example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]'
     - name: name
       level: core
       type: keyword
@@ -2965,9 +2983,9 @@
       level: extended
       type: object
       description: Observer.egress holds information like interface number and name,
-        vlan, and zone information to  classify egress traffic.  Single armed monitoring
-        such as a network sensor on a span port should  only use observer.ingress
-        to categorize traffic.
+        vlan, and zone information to classify egress traffic.  Single armed monitoring
+        such as a network sensor on a span port should only use observer.ingress to
+        categorize traffic.
       default_field: false
     - name: egress.interface.alias
       level: extended
@@ -3011,7 +3029,7 @@
       type: keyword
       ignore_above: 1024
       description: Network zone of outbound traffic as reported by the observer to
-        categorize the destination area of egress  traffic, e.g. Internal, External,
+        categorize the destination area of egress traffic, e.g. Internal, External,
         DMZ, HR, Legal, etc.
       example: Public_Internet
       default_field: false
@@ -3100,9 +3118,9 @@
       level: extended
       type: object
       description: Observer.ingress holds information like interface number and name,
-        vlan, and zone information to  classify ingress traffic.  Single armed monitoring
-        such as a network sensor on a span port should  only use observer.ingress
-        to categorize traffic.
+        vlan, and zone information to classify ingress traffic.  Single armed monitoring
+        such as a network sensor on a span port should only use observer.ingress to
+        categorize traffic.
       default_field: false
     - name: ingress.interface.alias
       level: extended
@@ -3146,7 +3164,7 @@
       type: keyword
       ignore_above: 1024
       description: Network zone of incoming traffic as reported by the observer to
-        categorize the source area of ingress  traffic. e.g. internal, External, DMZ,
+        categorize the source area of ingress traffic. e.g. internal, External, DMZ,
         HR, Legal, etc.
       example: DMZ
       default_field: false
@@ -3158,7 +3176,13 @@
       level: core
       type: keyword
       ignore_above: 1024
-      description: MAC addresses of the observer
+      description: 'MAC addresses of the observer.
+
+        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
+        byte) is represented by two [uppercase] hexadecimal digits giving the value
+        of the octet as an unsigned integer. Successive octets are separated by a
+        hyphen.'
+      example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]'
     - name: name
       level: extended
       type: keyword
@@ -4381,7 +4405,13 @@
       level: core
       type: keyword
       ignore_above: 1024
-      description: MAC address of the server.
+      description: 'MAC address of the server.
+
+        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
+        byte) is represented by two [uppercase] hexadecimal digits giving the value
+        of the octet as an unsigned integer. Successive octets are separated by a
+        hyphen.'
+      example: 00-00-5E-00-53-23
     - name: nat.ip
       level: extended
       type: ip
@@ -4734,7 +4764,13 @@
       level: core
       type: keyword
       ignore_above: 1024
-      description: MAC address of the source.
+      description: 'MAC address of the source.
+
+        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
+        byte) is represented by two [uppercase] hexadecimal digits giving the value
+        of the octet as an unsigned integer. Successive octets are separated by a
+        hyphen.'
+      example: 00-00-5E-00-53-23
     - name: nat.ip
       level: extended
       type: ip
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
index cc2fce2539..2ab59c260c 100644
--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -27,7 +27,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,client,client.geo.region_name,keyword,core,,Quebec,Region name.
 1.9.0-dev+exp,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
 1.9.0-dev+exp,true,client,client.ip,ip,core,,,IP address of the client.
-1.9.0-dev+exp,true,client,client.mac,keyword,core,,,MAC address of the client.
+1.9.0-dev+exp,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client.
 1.9.0-dev+exp,true,client,client.nat.ip,ip,extended,,,Client NAT ip address
 1.9.0-dev+exp,true,client,client.nat.port,long,extended,,,Client NAT port
 1.9.0-dev+exp,true,client,client.packets,long,core,,12,Packets sent from the client to the server.
@@ -85,7 +85,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name.
 1.9.0-dev+exp,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
 1.9.0-dev+exp,true,destination,destination.ip,ip,core,,,IP address of the destination.
-1.9.0-dev+exp,true,destination,destination.mac,keyword,core,,,MAC address of the destination.
+1.9.0-dev+exp,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination.
 1.9.0-dev+exp,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip
 1.9.0-dev+exp,true,destination,destination.nat.port,long,extended,,,Destination NAT Port
 1.9.0-dev+exp,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source.
@@ -260,7 +260,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,host,host.hostname,wildcard,core,,,Hostname of the host.
 1.9.0-dev+exp,true,host,host.id,keyword,core,,,Unique host id.
 1.9.0-dev+exp,true,host,host.ip,ip,core,array,,Host ip addresses.
-1.9.0-dev+exp,true,host,host.mac,keyword,core,array,,Host mac addresses.
+1.9.0-dev+exp,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses.
 1.9.0-dev+exp,true,host,host.name,keyword,core,,,Name of the host.
 1.9.0-dev+exp,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces.
 1.9.0-dev+exp,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces.
@@ -360,7 +360,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
 1.9.0-dev+exp,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone
 1.9.0-dev+exp,true,observer,observer.ip,ip,core,array,,IP addresses of the observer.
-1.9.0-dev+exp,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer
+1.9.0-dev+exp,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer.
 1.9.0-dev+exp,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer.
 1.9.0-dev+exp,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
 1.9.0-dev+exp,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
@@ -507,7 +507,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,server,server.geo.region_name,keyword,core,,Quebec,Region name.
 1.9.0-dev+exp,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
 1.9.0-dev+exp,true,server,server.ip,ip,core,,,IP address of the server.
-1.9.0-dev+exp,true,server,server.mac,keyword,core,,,MAC address of the server.
+1.9.0-dev+exp,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server.
 1.9.0-dev+exp,true,server,server.nat.ip,ip,extended,,,Server NAT ip
 1.9.0-dev+exp,true,server,server.nat.port,long,extended,,,Server NAT port
 1.9.0-dev+exp,true,server,server.packets,long,core,,12,Packets sent from the server to the client.
@@ -552,7 +552,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,source,source.geo.region_name,keyword,core,,Quebec,Region name.
 1.9.0-dev+exp,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
 1.9.0-dev+exp,true,source,source.ip,ip,core,,,IP address of the source.
-1.9.0-dev+exp,true,source,source.mac,keyword,core,,,MAC address of the source.
+1.9.0-dev+exp,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source.
 1.9.0-dev+exp,true,source,source.nat.ip,ip,extended,,,Source NAT ip
 1.9.0-dev+exp,true,source,source.nat.port,long,extended,,,Source NAT port
 1.9.0-dev+exp,true,source,source.packets,long,core,,12,Packets sent from the source to the destination.
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index 2b4dc2772b..ba35594e18 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -313,7 +313,12 @@ client.ip:
   type: ip
 client.mac:
   dashed_name: client-mac
-  description: MAC address of the client.
+  description: 'MAC address of the client.
+
+    The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte)
+    is represented by two [uppercase] hexadecimal digits giving the value of the octet
+    as an unsigned integer. Successive octets are separated by a hyphen.'
+  example: 00-00-5E-00-53-23
   flat_name: client.mac
   ignore_above: 1024
   level: core
@@ -1002,7 +1007,12 @@ destination.ip:
   type: ip
 destination.mac:
   dashed_name: destination-mac
-  description: MAC address of the destination.
+  description: 'MAC address of the destination.
+
+    The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte)
+    is represented by two [uppercase] hexadecimal digits giving the value of the octet
+    as an unsigned integer. Successive octets are separated by a hyphen.'
+  example: 00-00-5E-00-53-23
   flat_name: destination.mac
   ignore_above: 1024
   level: core
@@ -3568,14 +3578,19 @@ host.ip:
   type: ip
 host.mac:
   dashed_name: host-mac
-  description: Host mac addresses.
+  description: 'Host MAC addresses.
+
+    The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte)
+    is represented by two [uppercase] hexadecimal digits giving the value of the octet
+    as an unsigned integer. Successive octets are separated by a hyphen.'
+  example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]'
   flat_name: host.mac
   ignore_above: 1024
   level: core
   name: mac
   normalize:
   - array
-  short: Host mac addresses.
+  short: Host MAC addresses.
   type: keyword
 host.name:
   dashed_name: host-name
@@ -4484,8 +4499,8 @@ network.vlan.name:
 observer.egress:
   dashed_name: observer-egress
   description: Observer.egress holds information like interface number and name, vlan,
-    and zone information to  classify egress traffic.  Single armed monitoring such
-    as a network sensor on a span port should  only use observer.ingress to categorize
+    and zone information to classify egress traffic.  Single armed monitoring such
+    as a network sensor on a span port should only use observer.ingress to categorize
     traffic.
   flat_name: observer.egress
   level: extended
@@ -4557,7 +4572,7 @@ observer.egress.vlan.name:
 observer.egress.zone:
   dashed_name: observer-egress-zone
   description: Network zone of outbound traffic as reported by the observer to categorize
-    the destination area of egress  traffic, e.g. Internal, External, DMZ, HR, Legal,
+    the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal,
     etc.
   example: Public_Internet
   flat_name: observer.egress.zone
@@ -4719,8 +4734,8 @@ observer.hostname:
 observer.ingress:
   dashed_name: observer-ingress
   description: Observer.ingress holds information like interface number and name,
-    vlan, and zone information to  classify ingress traffic.  Single armed monitoring
-    such as a network sensor on a span port should  only use observer.ingress to categorize
+    vlan, and zone information to classify ingress traffic.  Single armed monitoring
+    such as a network sensor on a span port should only use observer.ingress to categorize
     traffic.
   flat_name: observer.ingress
   level: extended
@@ -4792,8 +4807,7 @@ observer.ingress.vlan.name:
 observer.ingress.zone:
   dashed_name: observer-ingress-zone
   description: Network zone of incoming traffic as reported by the observer to categorize
-    the source area of ingress  traffic. e.g. internal, External, DMZ, HR, Legal,
-    etc.
+    the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc.
   example: DMZ
   flat_name: observer.ingress.zone
   ignore_above: 1024
@@ -4814,14 +4828,19 @@ observer.ip:
   type: ip
 observer.mac:
   dashed_name: observer-mac
-  description: MAC addresses of the observer
+  description: 'MAC addresses of the observer.
+
+    The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte)
+    is represented by two [uppercase] hexadecimal digits giving the value of the octet
+    as an unsigned integer. Successive octets are separated by a hyphen.'
+  example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]'
   flat_name: observer.mac
   ignore_above: 1024
   level: core
   name: mac
   normalize:
   - array
-  short: MAC addresses of the observer
+  short: MAC addresses of the observer.
   type: keyword
 observer.name:
   dashed_name: observer-name
@@ -6502,7 +6521,12 @@ server.ip:
   type: ip
 server.mac:
   dashed_name: server-mac
-  description: MAC address of the server.
+  description: 'MAC address of the server.
+
+    The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte)
+    is represented by two [uppercase] hexadecimal digits giving the value of the octet
+    as an unsigned integer. Successive octets are separated by a hyphen.'
+  example: 00-00-5E-00-53-23
   flat_name: server.mac
   ignore_above: 1024
   level: core
@@ -7060,7 +7084,12 @@ source.ip:
   type: ip
 source.mac:
   dashed_name: source-mac
-  description: MAC address of the source.
+  description: 'MAC address of the source.
+
+    The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte)
+    is represented by two [uppercase] hexadecimal digits giving the value of the octet
+    as an unsigned integer. Successive octets are separated by a hyphen.'
+  example: 00-00-5E-00-53-23
   flat_name: source.mac
   ignore_above: 1024
   level: core
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index 878d68757c..ff10e027f4 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -458,7 +458,13 @@ client:
       type: ip
     client.mac:
       dashed_name: client-mac
-      description: MAC address of the client.
+      description: 'MAC address of the client.
+
+        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
+        byte) is represented by two [uppercase] hexadecimal digits giving the value
+        of the octet as an unsigned integer. Successive octets are separated by a
+        hyphen.'
+      example: 00-00-5E-00-53-23
       flat_name: client.mac
       ignore_above: 1024
       level: core
@@ -1312,7 +1318,13 @@ destination:
       type: ip
     destination.mac:
       dashed_name: destination-mac
-      description: MAC address of the destination.
+      description: 'MAC address of the destination.
+
+        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
+        byte) is represented by two [uppercase] hexadecimal digits giving the value
+        of the octet as an unsigned integer. Successive octets are separated by a
+        hyphen.'
+      example: 00-00-5E-00-53-23
       flat_name: destination.mac
       ignore_above: 1024
       level: core
@@ -4304,14 +4316,20 @@ host:
       type: ip
     host.mac:
       dashed_name: host-mac
-      description: Host mac addresses.
+      description: 'Host MAC addresses.
+
+        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
+        byte) is represented by two [uppercase] hexadecimal digits giving the value
+        of the octet as an unsigned integer. Successive octets are separated by a
+        hyphen.'
+      example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]'
       flat_name: host.mac
       ignore_above: 1024
       level: core
       name: mac
       normalize:
       - array
-      short: Host mac addresses.
+      short: Host MAC addresses.
       type: keyword
     host.name:
       dashed_name: host-name
@@ -5337,9 +5355,9 @@ observer:
     observer.egress:
       dashed_name: observer-egress
       description: Observer.egress holds information like interface number and name,
-        vlan, and zone information to  classify egress traffic.  Single armed monitoring
-        such as a network sensor on a span port should  only use observer.ingress
-        to categorize traffic.
+        vlan, and zone information to classify egress traffic.  Single armed monitoring
+        such as a network sensor on a span port should only use observer.ingress to
+        categorize traffic.
       flat_name: observer.egress
       level: extended
       name: egress
@@ -5411,7 +5429,7 @@ observer:
     observer.egress.zone:
       dashed_name: observer-egress-zone
       description: Network zone of outbound traffic as reported by the observer to
-        categorize the destination area of egress  traffic, e.g. Internal, External,
+        categorize the destination area of egress traffic, e.g. Internal, External,
         DMZ, HR, Legal, etc.
       example: Public_Internet
       flat_name: observer.egress.zone
@@ -5573,9 +5591,9 @@ observer:
     observer.ingress:
       dashed_name: observer-ingress
       description: Observer.ingress holds information like interface number and name,
-        vlan, and zone information to  classify ingress traffic.  Single armed monitoring
-        such as a network sensor on a span port should  only use observer.ingress
-        to categorize traffic.
+        vlan, and zone information to classify ingress traffic.  Single armed monitoring
+        such as a network sensor on a span port should only use observer.ingress to
+        categorize traffic.
       flat_name: observer.ingress
       level: extended
       name: ingress
@@ -5647,7 +5665,7 @@ observer:
     observer.ingress.zone:
       dashed_name: observer-ingress-zone
       description: Network zone of incoming traffic as reported by the observer to
-        categorize the source area of ingress  traffic. e.g. internal, External, DMZ,
+        categorize the source area of ingress traffic. e.g. internal, External, DMZ,
         HR, Legal, etc.
       example: DMZ
       flat_name: observer.ingress.zone
@@ -5669,14 +5687,20 @@ observer:
       type: ip
     observer.mac:
       dashed_name: observer-mac
-      description: MAC addresses of the observer
+      description: 'MAC addresses of the observer.
+
+        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
+        byte) is represented by two [uppercase] hexadecimal digits giving the value
+        of the octet as an unsigned integer. Successive octets are separated by a
+        hyphen.'
+      example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]'
       flat_name: observer.mac
       ignore_above: 1024
       level: core
       name: mac
       normalize:
       - array
-      short: MAC addresses of the observer
+      short: MAC addresses of the observer.
       type: keyword
     observer.name:
       dashed_name: observer-name
@@ -7729,7 +7753,13 @@ server:
       type: ip
     server.mac:
       dashed_name: server-mac
-      description: MAC address of the server.
+      description: 'MAC address of the server.
+
+        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
+        byte) is represented by two [uppercase] hexadecimal digits giving the value
+        of the octet as an unsigned integer. Successive octets are separated by a
+        hyphen.'
+      example: 00-00-5E-00-53-23
       flat_name: server.mac
       ignore_above: 1024
       level: core
@@ -8331,7 +8361,13 @@ source:
       type: ip
     source.mac:
       dashed_name: source-mac
-      description: MAC address of the source.
+      description: 'MAC address of the source.
+
+        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
+        byte) is represented by two [uppercase] hexadecimal digits giving the value
+        of the octet as an unsigned integer. Successive octets are separated by a
+        hyphen.'
+      example: 00-00-5E-00-53-23
       flat_name: source.mac
       ignore_above: 1024
       level: core
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 66a0122ae4..6fd2e7ea03 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -288,7 +288,13 @@
       level: core
       type: keyword
       ignore_above: 1024
-      description: MAC address of the client.
+      description: 'MAC address of the client.
+
+        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
+        byte) is represented by two [uppercase] hexadecimal digits giving the value
+        of the octet as an unsigned integer. Successive octets are separated by a
+        hyphen.'
+      example: 00-00-5E-00-53-23
     - name: nat.ip
       level: extended
       type: ip
@@ -745,7 +751,13 @@
       level: core
       type: keyword
       ignore_above: 1024
-      description: MAC address of the destination.
+      description: 'MAC address of the destination.
+
+        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
+        byte) is represented by two [uppercase] hexadecimal digits giving the value
+        of the octet as an unsigned integer. Successive octets are separated by a
+        hyphen.'
+      example: 00-00-5E-00-53-23
     - name: nat.ip
       level: extended
       type: ip
@@ -2295,7 +2307,13 @@
       level: core
       type: keyword
       ignore_above: 1024
-      description: Host mac addresses.
+      description: 'Host MAC addresses.
+
+        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
+        byte) is represented by two [uppercase] hexadecimal digits giving the value
+        of the octet as an unsigned integer. Successive octets are separated by a
+        hyphen.'
+      example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]'
     - name: name
       level: core
       type: keyword
@@ -2908,9 +2926,9 @@
       level: extended
       type: object
       description: Observer.egress holds information like interface number and name,
-        vlan, and zone information to  classify egress traffic.  Single armed monitoring
-        such as a network sensor on a span port should  only use observer.ingress
-        to categorize traffic.
+        vlan, and zone information to classify egress traffic.  Single armed monitoring
+        such as a network sensor on a span port should only use observer.ingress to
+        categorize traffic.
       default_field: false
     - name: egress.interface.alias
       level: extended
@@ -2954,7 +2972,7 @@
       type: keyword
       ignore_above: 1024
       description: Network zone of outbound traffic as reported by the observer to
-        categorize the destination area of egress  traffic, e.g. Internal, External,
+        categorize the destination area of egress traffic, e.g. Internal, External,
         DMZ, HR, Legal, etc.
       example: Public_Internet
       default_field: false
@@ -3044,9 +3062,9 @@
       level: extended
       type: object
       description: Observer.ingress holds information like interface number and name,
-        vlan, and zone information to  classify ingress traffic.  Single armed monitoring
-        such as a network sensor on a span port should  only use observer.ingress
-        to categorize traffic.
+        vlan, and zone information to classify ingress traffic.  Single armed monitoring
+        such as a network sensor on a span port should only use observer.ingress to
+        categorize traffic.
       default_field: false
     - name: ingress.interface.alias
       level: extended
@@ -3090,7 +3108,7 @@
       type: keyword
       ignore_above: 1024
       description: Network zone of incoming traffic as reported by the observer to
-        categorize the source area of ingress  traffic. e.g. internal, External, DMZ,
+        categorize the source area of ingress traffic. e.g. internal, External, DMZ,
         HR, Legal, etc.
       example: DMZ
       default_field: false
@@ -3102,7 +3120,13 @@
       level: core
       type: keyword
       ignore_above: 1024
-      description: MAC addresses of the observer
+      description: 'MAC addresses of the observer.
+
+        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
+        byte) is represented by two [uppercase] hexadecimal digits giving the value
+        of the octet as an unsigned integer. Successive octets are separated by a
+        hyphen.'
+      example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]'
     - name: name
       level: extended
       type: keyword
@@ -4351,7 +4375,13 @@
       level: core
       type: keyword
       ignore_above: 1024
-      description: MAC address of the server.
+      description: 'MAC address of the server.
+
+        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
+        byte) is represented by two [uppercase] hexadecimal digits giving the value
+        of the octet as an unsigned integer. Successive octets are separated by a
+        hyphen.'
+      example: 00-00-5E-00-53-23
     - name: nat.ip
       level: extended
       type: ip
@@ -4711,7 +4741,13 @@
       level: core
       type: keyword
       ignore_above: 1024
-      description: MAC address of the source.
+      description: 'MAC address of the source.
+
+        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
+        byte) is represented by two [uppercase] hexadecimal digits giving the value
+        of the octet as an unsigned integer. Successive octets are separated by a
+        hyphen.'
+      example: 00-00-5E-00-53-23
     - name: nat.ip
       level: extended
       type: ip
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index 87ddec0d0d..46400c8e83 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -27,7 +27,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name.
 1.9.0-dev,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
 1.9.0-dev,true,client,client.ip,ip,core,,,IP address of the client.
-1.9.0-dev,true,client,client.mac,keyword,core,,,MAC address of the client.
+1.9.0-dev,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client.
 1.9.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address
 1.9.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port
 1.9.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server.
@@ -82,7 +82,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name.
 1.9.0-dev,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
 1.9.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination.
-1.9.0-dev,true,destination,destination.mac,keyword,core,,,MAC address of the destination.
+1.9.0-dev,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination.
 1.9.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip
 1.9.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port
 1.9.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source.
@@ -254,7 +254,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host.
 1.9.0-dev,true,host,host.id,keyword,core,,,Unique host id.
 1.9.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses.
-1.9.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses.
+1.9.0-dev,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses.
 1.9.0-dev,true,host,host.name,keyword,core,,,Name of the host.
 1.9.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
 1.9.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
@@ -350,7 +350,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
 1.9.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone
 1.9.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer.
-1.9.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer
+1.9.0-dev,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer.
 1.9.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer.
 1.9.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
 1.9.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
@@ -497,7 +497,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name.
 1.9.0-dev,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
 1.9.0-dev,true,server,server.ip,ip,core,,,IP address of the server.
-1.9.0-dev,true,server,server.mac,keyword,core,,,MAC address of the server.
+1.9.0-dev,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server.
 1.9.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip
 1.9.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port
 1.9.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client.
@@ -542,7 +542,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name.
 1.9.0-dev,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
 1.9.0-dev,true,source,source.ip,ip,core,,,IP address of the source.
-1.9.0-dev,true,source,source.mac,keyword,core,,,MAC address of the source.
+1.9.0-dev,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source.
 1.9.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip
 1.9.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port
 1.9.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination.
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index 44aa7b170f..b92392d17e 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -317,7 +317,12 @@ client.ip:
   type: ip
 client.mac:
   dashed_name: client-mac
-  description: MAC address of the client.
+  description: 'MAC address of the client.
+
+    The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte)
+    is represented by two [uppercase] hexadecimal digits giving the value of the octet
+    as an unsigned integer. Successive octets are separated by a hyphen.'
+  example: 00-00-5E-00-53-23
   flat_name: client.mac
   ignore_above: 1024
   level: core
@@ -967,7 +972,12 @@ destination.ip:
   type: ip
 destination.mac:
   dashed_name: destination-mac
-  description: MAC address of the destination.
+  description: 'MAC address of the destination.
+
+    The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte)
+    is represented by two [uppercase] hexadecimal digits giving the value of the octet
+    as an unsigned integer. Successive octets are separated by a hyphen.'
+  example: 00-00-5E-00-53-23
   flat_name: destination.mac
   ignore_above: 1024
   level: core
@@ -3518,14 +3528,19 @@ host.ip:
   type: ip
 host.mac:
   dashed_name: host-mac
-  description: Host mac addresses.
+  description: 'Host MAC addresses.
+
+    The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte)
+    is represented by two [uppercase] hexadecimal digits giving the value of the octet
+    as an unsigned integer. Successive octets are separated by a hyphen.'
+  example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]'
   flat_name: host.mac
   ignore_above: 1024
   level: core
   name: mac
   normalize:
   - array
-  short: Host mac addresses.
+  short: Host MAC addresses.
   type: keyword
 host.name:
   dashed_name: host-name
@@ -4404,8 +4419,8 @@ network.vlan.name:
 observer.egress:
   dashed_name: observer-egress
   description: Observer.egress holds information like interface number and name, vlan,
-    and zone information to  classify egress traffic.  Single armed monitoring such
-    as a network sensor on a span port should  only use observer.ingress to categorize
+    and zone information to classify egress traffic.  Single armed monitoring such
+    as a network sensor on a span port should only use observer.ingress to categorize
     traffic.
   flat_name: observer.egress
   level: extended
@@ -4477,7 +4492,7 @@ observer.egress.vlan.name:
 observer.egress.zone:
   dashed_name: observer-egress-zone
   description: Network zone of outbound traffic as reported by the observer to categorize
-    the destination area of egress  traffic, e.g. Internal, External, DMZ, HR, Legal,
+    the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal,
     etc.
   example: Public_Internet
   flat_name: observer.egress.zone
@@ -4640,8 +4655,8 @@ observer.hostname:
 observer.ingress:
   dashed_name: observer-ingress
   description: Observer.ingress holds information like interface number and name,
-    vlan, and zone information to  classify ingress traffic.  Single armed monitoring
-    such as a network sensor on a span port should  only use observer.ingress to categorize
+    vlan, and zone information to classify ingress traffic.  Single armed monitoring
+    such as a network sensor on a span port should only use observer.ingress to categorize
     traffic.
   flat_name: observer.ingress
   level: extended
@@ -4713,8 +4728,7 @@ observer.ingress.vlan.name:
 observer.ingress.zone:
   dashed_name: observer-ingress-zone
   description: Network zone of incoming traffic as reported by the observer to categorize
-    the source area of ingress  traffic. e.g. internal, External, DMZ, HR, Legal,
-    etc.
+    the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc.
   example: DMZ
   flat_name: observer.ingress.zone
   ignore_above: 1024
@@ -4735,14 +4749,19 @@ observer.ip:
   type: ip
 observer.mac:
   dashed_name: observer-mac
-  description: MAC addresses of the observer
+  description: 'MAC addresses of the observer.
+
+    The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte)
+    is represented by two [uppercase] hexadecimal digits giving the value of the octet
+    as an unsigned integer. Successive octets are separated by a hyphen.'
+  example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]'
   flat_name: observer.mac
   ignore_above: 1024
   level: core
   name: mac
   normalize:
   - array
-  short: MAC addresses of the observer
+  short: MAC addresses of the observer.
   type: keyword
 observer.name:
   dashed_name: observer-name
@@ -6446,7 +6465,12 @@ server.ip:
   type: ip
 server.mac:
   dashed_name: server-mac
-  description: MAC address of the server.
+  description: 'MAC address of the server.
+
+    The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte)
+    is represented by two [uppercase] hexadecimal digits giving the value of the octet
+    as an unsigned integer. Successive octets are separated by a hyphen.'
+  example: 00-00-5E-00-53-23
   flat_name: server.mac
   ignore_above: 1024
   level: core
@@ -7011,7 +7035,12 @@ source.ip:
   type: ip
 source.mac:
   dashed_name: source-mac
-  description: MAC address of the source.
+  description: 'MAC address of the source.
+
+    The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte)
+    is represented by two [uppercase] hexadecimal digits giving the value of the octet
+    as an unsigned integer. Successive octets are separated by a hyphen.'
+  example: 00-00-5E-00-53-23
   flat_name: source.mac
   ignore_above: 1024
   level: core
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index d550ec8cc6..b11ded1d60 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -463,7 +463,13 @@ client:
       type: ip
     client.mac:
       dashed_name: client-mac
-      description: MAC address of the client.
+      description: 'MAC address of the client.
+
+        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
+        byte) is represented by two [uppercase] hexadecimal digits giving the value
+        of the octet as an unsigned integer. Successive octets are separated by a
+        hyphen.'
+      example: 00-00-5E-00-53-23
       flat_name: client.mac
       ignore_above: 1024
       level: core
@@ -1255,7 +1261,13 @@ destination:
       type: ip
     destination.mac:
       dashed_name: destination-mac
-      description: MAC address of the destination.
+      description: 'MAC address of the destination.
+
+        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
+        byte) is represented by two [uppercase] hexadecimal digits giving the value
+        of the octet as an unsigned integer. Successive octets are separated by a
+        hyphen.'
+      example: 00-00-5E-00-53-23
       flat_name: destination.mac
       ignore_above: 1024
       level: core
@@ -4233,14 +4245,20 @@ host:
       type: ip
     host.mac:
       dashed_name: host-mac
-      description: Host mac addresses.
+      description: 'Host MAC addresses.
+
+        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
+        byte) is represented by two [uppercase] hexadecimal digits giving the value
+        of the octet as an unsigned integer. Successive octets are separated by a
+        hyphen.'
+      example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]'
       flat_name: host.mac
       ignore_above: 1024
       level: core
       name: mac
       normalize:
       - array
-      short: Host mac addresses.
+      short: Host MAC addresses.
       type: keyword
     host.name:
       dashed_name: host-name
@@ -5236,9 +5254,9 @@ observer:
     observer.egress:
       dashed_name: observer-egress
       description: Observer.egress holds information like interface number and name,
-        vlan, and zone information to  classify egress traffic.  Single armed monitoring
-        such as a network sensor on a span port should  only use observer.ingress
-        to categorize traffic.
+        vlan, and zone information to classify egress traffic.  Single armed monitoring
+        such as a network sensor on a span port should only use observer.ingress to
+        categorize traffic.
       flat_name: observer.egress
       level: extended
       name: egress
@@ -5310,7 +5328,7 @@ observer:
     observer.egress.zone:
       dashed_name: observer-egress-zone
       description: Network zone of outbound traffic as reported by the observer to
-        categorize the destination area of egress  traffic, e.g. Internal, External,
+        categorize the destination area of egress traffic, e.g. Internal, External,
         DMZ, HR, Legal, etc.
       example: Public_Internet
       flat_name: observer.egress.zone
@@ -5473,9 +5491,9 @@ observer:
     observer.ingress:
       dashed_name: observer-ingress
       description: Observer.ingress holds information like interface number and name,
-        vlan, and zone information to  classify ingress traffic.  Single armed monitoring
-        such as a network sensor on a span port should  only use observer.ingress
-        to categorize traffic.
+        vlan, and zone information to classify ingress traffic.  Single armed monitoring
+        such as a network sensor on a span port should only use observer.ingress to
+        categorize traffic.
       flat_name: observer.ingress
       level: extended
       name: ingress
@@ -5547,7 +5565,7 @@ observer:
     observer.ingress.zone:
       dashed_name: observer-ingress-zone
       description: Network zone of incoming traffic as reported by the observer to
-        categorize the source area of ingress  traffic. e.g. internal, External, DMZ,
+        categorize the source area of ingress traffic. e.g. internal, External, DMZ,
         HR, Legal, etc.
       example: DMZ
       flat_name: observer.ingress.zone
@@ -5569,14 +5587,20 @@ observer:
       type: ip
     observer.mac:
       dashed_name: observer-mac
-      description: MAC addresses of the observer
+      description: 'MAC addresses of the observer.
+
+        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
+        byte) is represented by two [uppercase] hexadecimal digits giving the value
+        of the octet as an unsigned integer. Successive octets are separated by a
+        hyphen.'
+      example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]'
       flat_name: observer.mac
       ignore_above: 1024
       level: core
       name: mac
       normalize:
       - array
-      short: MAC addresses of the observer
+      short: MAC addresses of the observer.
       type: keyword
     observer.name:
       dashed_name: observer-name
@@ -7655,7 +7679,13 @@ server:
       type: ip
     server.mac:
       dashed_name: server-mac
-      description: MAC address of the server.
+      description: 'MAC address of the server.
+
+        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
+        byte) is represented by two [uppercase] hexadecimal digits giving the value
+        of the octet as an unsigned integer. Successive octets are separated by a
+        hyphen.'
+      example: 00-00-5E-00-53-23
       flat_name: server.mac
       ignore_above: 1024
       level: core
@@ -8264,7 +8294,13 @@ source:
       type: ip
     source.mac:
       dashed_name: source-mac
-      description: MAC address of the source.
+      description: 'MAC address of the source.
+
+        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
+        byte) is represented by two [uppercase] hexadecimal digits giving the value
+        of the octet as an unsigned integer. Successive octets are separated by a
+        hyphen.'
+      example: 00-00-5E-00-53-23
       flat_name: source.mac
       ignore_above: 1024
       level: core
diff --git a/schemas/client.yml b/schemas/client.yml
index e63ab70276..3011c97b46 100644
--- a/schemas/client.yml
+++ b/schemas/client.yml
@@ -48,9 +48,16 @@
     - name: mac
       level: core
       type: keyword
+      short: MAC address of the client.
+      example: 00-00-5E-00-53-23
       description: >
         MAC address of the client.
 
+        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is
+        represented by two [uppercase] hexadecimal digits giving the value of
+        the octet as an unsigned integer. Successive octets are separated by a
+        hyphen.
+
     - name: domain
       level: core
       type: keyword
diff --git a/schemas/destination.yml b/schemas/destination.yml
index a1e91958f7..c600377b92 100644
--- a/schemas/destination.yml
+++ b/schemas/destination.yml
@@ -43,9 +43,16 @@
     - name: mac
       level: core
       type: keyword
+      short: MAC address of the destination.
+      example: 00-00-5E-00-53-23
       description: >
         MAC address of the destination.
 
+        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is
+        represented by two [uppercase] hexadecimal digits giving the value of
+        the octet as an unsigned integer. Successive octets are separated by a
+        hyphen.
+
     - name: domain
       level: core
       type: keyword
diff --git a/schemas/host.yml b/schemas/host.yml
index 2fdbd9e4f7..984cc51f40 100644
--- a/schemas/host.yml
+++ b/schemas/host.yml
@@ -55,8 +55,15 @@
     - name: mac
       level: core
       type: keyword
+      short: Host MAC addresses.
+      example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]'
       description: >
-        Host mac addresses.
+        Host MAC addresses.
+
+        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is
+        represented by two [uppercase] hexadecimal digits giving the value of
+        the octet as an unsigned integer. Successive octets are separated by a
+        hyphen.
       normalize:
         - array
 
diff --git a/schemas/observer.yml b/schemas/observer.yml
index 88726c372b..9cee51c1c6 100644
--- a/schemas/observer.yml
+++ b/schemas/observer.yml
@@ -20,8 +20,15 @@
     - name: mac
       level: core
       type: keyword
+      example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]'
+      short: MAC addresses of the observer.
       description: >
-        MAC addresses of the observer
+        MAC addresses of the observer.
+
+        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is
+        represented by two [uppercase] hexadecimal digits giving the value of
+        the octet as an unsigned integer. Successive octets are separated by a
+        hyphen.
       normalize:
         - array
 
@@ -96,8 +103,8 @@
       type: object
       short: Object field for ingress information
       description: >
-        Observer.ingress holds information like interface number and name, vlan, and zone information to 
-        classify ingress traffic.  Single armed monitoring such as a network sensor on a span port should 
+        Observer.ingress holds information like interface number and name, vlan, and zone information to
+        classify ingress traffic.  Single armed monitoring such as a network sensor on a span port should
         only use observer.ingress to categorize traffic.
 
     - name: ingress.zone
@@ -106,16 +113,16 @@
       short: Observer ingress zone
       example: DMZ
       description: >
-        Network zone of incoming traffic as reported by the observer to categorize the source area of ingress 
+        Network zone of incoming traffic as reported by the observer to categorize the source area of ingress
         traffic. e.g. internal, External, DMZ, HR, Legal, etc.
-      
+
     - name: egress
       level: extended
       type: object
       short: Object field for egress information
       description: >
-        Observer.egress holds information like interface number and name, vlan, and zone information to 
-        classify egress traffic.  Single armed monitoring such as a network sensor on a span port should 
+        Observer.egress holds information like interface number and name, vlan, and zone information to
+        classify egress traffic.  Single armed monitoring such as a network sensor on a span port should
         only use observer.ingress to categorize traffic.
 
     - name: egress.zone
@@ -124,5 +131,5 @@
       short: Observer Egress zone
       example: Public_Internet
       description: >
-        Network zone of outbound traffic as reported by the observer to categorize the destination area of egress 
+        Network zone of outbound traffic as reported by the observer to categorize the destination area of egress
         traffic, e.g. Internal, External, DMZ, HR, Legal, etc.
diff --git a/schemas/server.yml b/schemas/server.yml
index 867b3bd03c..b5d66c63e7 100644
--- a/schemas/server.yml
+++ b/schemas/server.yml
@@ -48,9 +48,16 @@
     - name: mac
       level: core
       type: keyword
+      short: MAC address of the server.
+      example: 00-00-5E-00-53-23
       description: >
         MAC address of the server.
 
+        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is
+        represented by two [uppercase] hexadecimal digits giving the value of
+        the octet as an unsigned integer. Successive octets are separated by a
+        hyphen.
+
     - name: domain
       level: core
       type: keyword
diff --git a/schemas/source.yml b/schemas/source.yml
index 268b975312..8f3e5f1350 100644
--- a/schemas/source.yml
+++ b/schemas/source.yml
@@ -43,9 +43,16 @@
     - name: mac
       level: core
       type: keyword
+      short: MAC address of the source.
+      example: 00-00-5E-00-53-23
       description: >
         MAC address of the source.
 
+        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is
+        represented by two [uppercase] hexadecimal digits giving the value of
+        the octet as an unsigned integer. Successive octets are separated by a
+        hyphen.
+
     - name: domain
       level: core
       type: keyword

From 86bc271e4beb2d6332a41e7c748781949e4c0f16 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Tue, 16 Feb 2021 15:57:04 -0600
Subject: [PATCH 77/90] finalize 1.8.0 changelog (#1262) (#1265)

---
 CHANGELOG.md      | 52 ++++++++++++++++++++++++++++++++++++++++++++++
 CHANGELOG.next.md | 53 -----------------------------------------------
 2 files changed, 52 insertions(+), 53 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 49e89c52b7..feb711c0e1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,58 @@
 # CHANGELOG
 All notable changes to this project will be documented in this file based on the [Keep a Changelog](http://keepachangelog.com/) Standard. This project adheres to [Semantic Versioning](http://semver.org/).
 
+## [1.8.0](https://github.com/elastic/ecs/compare/v1.7.0...v1.8.0)
+
+### Schema Changes
+
+#### Bugfixes
+
+* Clean up `event.reference` description. #1181
+* Go code generator fails if `scaled_float` type is used. #1250
+
+#### Added
+
+* Added `event.category` "registry". #1040
+* Added `event.category` "session". #1049
+* Added usage documentation for `user` fields. #1066
+* Added `user` fields at `user.effective.*`, `user.target.*` and `user.changes.*`. #1066
+* Added `os.type`. #1111
+
+#### Improvements
+
+* Event categorization fields GA. #1067
+* Note `[` and `]` bracket characters may enclose a literal IPv6 address when populating `url.domain`. #1131
+* Reinforce the exclusion of the leading dot from `url.extension`. #1151
+
+#### Deprecated
+
+* Deprecated `host.user.*` fields for removal at the next major. #1066
+
+### Tooling and Artifact Changes
+
+#### Bugfixes
+
+* `tracing` fields should be at root of Beats `fields.ecs.yml` artifacts. #1164
+
+#### Added
+
+* Added the `path` key when type is `alias`, to support the [alias field type](https://www.elastic.co/guide/en/elasticsearch/reference/current/alias.html). #877
+* Added support for `scaled_float`'s mandatory parameter `scaling_factor`. #1042
+* Added ability for --oss flag to fall back `constant_keyword` to `keyword`. #1046
+* Added support in the generated Go source go for `wildcard`, `version`, and `constant_keyword` data types. #1050
+* Added support for marking fields, field sets, or field reuse as beta in the documentation. #1051
+* Added support for `constant_keyword`'s optional parameter `value`. #1112
+* Added component templates for ECS field sets. #1156, #1186, #1191
+* Added functionality for merging custom and core multi-fields. #982
+
+#### Improvements
+
+* Make all fields linkable directly. #1148
+* Added a notice highlighting that the `tracing` fields are not nested under the
+  namespace `tracing.` #1162
+* ES 6.x template data types will fallback to supported types. #1171, #1176, #1186
+* Add a documentation page discussing the experimental artifacts. #1189
+
 ## [1.7.0](https://github.com/elastic/ecs/compare/v1.6.0...v1.7.0)
 
 ### Schema Changes
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 2d597ed044..7d0346ed09 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -29,59 +29,6 @@ Thanks, you're awesome :-) -->
 #### Deprecated
 
 
-## 1.8.0 (Feature Freeze)
-
-### Schema Changes
-
-#### Bugfixes
-
-* Clean up `event.reference` description. #1181
-* Go code generator fails if `scaled_float` type is used. #1250
-
-#### Added
-
-* Added `event.category` "registry". #1040
-* Added `event.category` "session". #1049
-* Added usage documentation for `user` fields. #1066
-* Added `user` fields at `user.effective.*`, `user.target.*` and `user.changes.*`. #1066
-* Added `os.type`. #1111
-
-#### Improvements
-
-* Event categorization fields GA. #1067
-* Note `[` and `]` bracket characters may enclose a literal IPv6 address when populating `url.domain`. #1131
-* Reinforce the exclusion of the leading dot from `url.extension`. #1151
-
-#### Deprecated
-
-* Deprecated `host.user.*` fields for removal at the next major. #1066
-
-### Tooling and Artifact Changes
-
-#### Bugfixes
-
-* `tracing` fields should be at root of Beats `fields.ecs.yml` artifacts. #1164
-
-#### Added
-
-* Added the `path` key when type is `alias`, to support the [alias field type](https://www.elastic.co/guide/en/elasticsearch/reference/current/alias.html). #877
-* Added support for `scaled_float`'s mandatory parameter `scaling_factor`. #1042
-* Added ability for --oss flag to fall back `constant_keyword` to `keyword`. #1046
-* Added support in the generated Go source go for `wildcard`, `version`, and `constant_keyword` data types. #1050
-* Added support for marking fields, field sets, or field reuse as beta in the documentation. #1051
-* Added support for `constant_keyword`'s optional parameter `value`. #1112
-* Added component templates for ECS field sets. #1156, #1186, #1191
-* Added functionality for merging custom and core multi-fields. #982
-
-#### Improvements
-
-* Make all fields linkable directly. #1148
-* Added a notice highlighting that the `tracing` fields are not nested under the
-  namespace `tracing.` #1162
-* ES 6.x template data types will fallback to supported types. #1171, #1176, #1186
-* Add a documentation page discussing the experimental artifacts. #1189
-
-
 <!-- All empty sections:
 
 ## Unreleased

From b1aca418a7476527d4b5d795a3013dd12c26d56b Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Tue, 16 Feb 2021 17:11:49 -0600
Subject: [PATCH 78/90] Add additional host fields (#1248) (#1267)

Co-authored-by: kaiyan-sheng <kaiyan.sheng@elastic.co>
---
 CHANGELOG.next.md                           |   1 +
 code/go/ecs/host.go                         |  31 +++++
 docs/field-details.asciidoc                 | 130 ++++++++++++++++++++
 experimental/generated/beats/fields.ecs.yml |   4 +-
 experimental/generated/ecs/ecs_flat.yml     |  11 +-
 experimental/generated/ecs/ecs_nested.yml   |  11 +-
 experimental/schemas/host.yml               |  61 ---------
 generated/beats/fields.ecs.yml              |  48 ++++++++
 generated/csv/fields.csv                    |   7 ++
 generated/ecs/ecs_flat.yml                  |  83 +++++++++++++
 generated/ecs/ecs_nested.yml                |  83 +++++++++++++
 generated/elasticsearch/6/template.json     |  50 ++++++++
 generated/elasticsearch/7/template.json     |  50 ++++++++
 generated/elasticsearch/component/host.json |  50 ++++++++
 schemas/host.yml                            |  68 ++++++++++
 15 files changed, 624 insertions(+), 64 deletions(-)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 7d0346ed09..6239379a43 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -20,6 +20,7 @@ Thanks, you're awesome :-) -->
 * Added `http.request.id`. #1208
 * Added `cloud.service.name`. #1204
 * Added `hash.ssdeep`. #1169
+* Added additional host fields. #1248
 * Added `geo.timezone`, `geo.postal_code`, and `geo.continent_code`. #1229
 
 #### Improvements
diff --git a/code/go/ecs/host.go b/code/go/ecs/host.go
index f3afb6b871..4953427208 100644
--- a/code/go/ecs/host.go
+++ b/code/go/ecs/host.go
@@ -68,4 +68,35 @@ type Host struct {
 	// or NetBIOS domain name. For Linux this could be the domain of the host's
 	// LDAP provider.
 	Domain string `ecs:"domain"`
+
+	// Percent CPU used which is normalized by the number of CPU cores and it
+	// ranges from 0 to 1.
+	// Scaling factor: 1000.
+	// For example: For a two core host, this value should be the average of
+	// the two cores, between 0 and 1.
+	CpuUsage float64 `ecs:"cpu.usage"`
+
+	// The total number of bytes (gauge) read successfully (aggregated from all
+	// disks) since the last metric collection.
+	DiskReadBytes int64 `ecs:"disk.read.bytes"`
+
+	// The total number of bytes (gauge) written successfully (aggregated from
+	// all disks) since the last metric collection.
+	DiskWriteBytes int64 `ecs:"disk.write.bytes"`
+
+	// The number of bytes received (gauge) on all network interfaces by the
+	// host since the last metric collection.
+	NetworkIngressBytes int64 `ecs:"network.ingress.bytes"`
+
+	// The number of packets (gauge) received on all network interfaces by the
+	// host since the last metric collection.
+	NetworkIngressPackets int64 `ecs:"network.ingress.packets"`
+
+	// The number of bytes (gauge) sent out on all network interfaces by the
+	// host since the last metric collection.
+	NetworkEgressBytes int64 `ecs:"network.egress.bytes"`
+
+	// The number of packets (gauge) sent out on all network interfaces by the
+	// host since the last metric collection.
+	NetworkEgressPackets int64 `ecs:"network.egress.packets"`
 }
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index 12cfbc5870..56ec0e8bbe 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -3188,6 +3188,64 @@ example: `x86_64`
 
 // ===============================================================
 
+|
+[[field-host-cpu-usage]]
+<<field-host-cpu-usage, host.cpu.usage>>
+
+| beta:[ This field is currently considered beta. ]
+
+Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1.
+
+Scaling factor: 1000.
+
+For example: For a two core host, this value should be the average of the two cores, between 0 and 1.
+
+type: scaled_float
+
+
+
+
+
+| extended
+
+// ===============================================================
+
+|
+[[field-host-disk-read-bytes]]
+<<field-host-disk-read-bytes, host.disk.read.bytes>>
+
+| beta:[ This field is currently considered beta. ]
+
+The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection.
+
+type: long
+
+
+
+
+
+| extended
+
+// ===============================================================
+
+|
+[[field-host-disk-write-bytes]]
+<<field-host-disk-write-bytes, host.disk.write.bytes>>
+
+| beta:[ This field is currently considered beta. ]
+
+The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection.
+
+type: long
+
+
+
+
+
+| extended
+
+// ===============================================================
+
 |
 [[field-host-domain]]
 <<field-host-domain, host.domain>>
@@ -3302,6 +3360,78 @@ type: keyword
 
 // ===============================================================
 
+|
+[[field-host-network-egress-bytes]]
+<<field-host-network-egress-bytes, host.network.egress.bytes>>
+
+| beta:[ This field is currently considered beta. ]
+
+The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection.
+
+type: long
+
+
+
+
+
+| extended
+
+// ===============================================================
+
+|
+[[field-host-network-egress-packets]]
+<<field-host-network-egress-packets, host.network.egress.packets>>
+
+| beta:[ This field is currently considered beta. ]
+
+The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection.
+
+type: long
+
+
+
+
+
+| extended
+
+// ===============================================================
+
+|
+[[field-host-network-ingress-bytes]]
+<<field-host-network-ingress-bytes, host.network.ingress.bytes>>
+
+| beta:[ This field is currently considered beta. ]
+
+The number of bytes received (gauge) on all network interfaces by the host since the last metric collection.
+
+type: long
+
+
+
+
+
+| extended
+
+// ===============================================================
+
+|
+[[field-host-network-ingress-packets]]
+<<field-host-network-ingress-packets, host.network.ingress.packets>>
+
+| beta:[ This field is currently considered beta. ]
+
+The number of packets (gauge) received on all network interfaces by the host since the last metric collection.
+
+type: long
+
+
+
+
+
+| extended
+
+// ===============================================================
+
 |
 [[field-host-type]]
 <<field-host-type, host.type>>
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index 841d63b442..c044939ad9 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -2222,7 +2222,9 @@
       level: extended
       type: scaled_float
       description: 'Percent CPU used which is normalized by the number of CPU cores
-        and it ranges from 0 to 1. Scaling factor: 1000.
+        and it ranges from 0 to 1.
+
+        Scaling factor: 1000.
 
         For example: For a two core host, this value should be the average of the
         two cores, between 0 and 1.'
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index ba35594e18..54583bb5ad 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -3355,9 +3355,12 @@ host.architecture:
   short: Operating system architecture.
   type: keyword
 host.cpu.usage:
+  beta: This field is currently considered beta.
   dashed_name: host-cpu-usage
   description: 'Percent CPU used which is normalized by the number of CPU cores and
-    it ranges from 0 to 1. Scaling factor: 1000.
+    it ranges from 0 to 1.
+
+    Scaling factor: 1000.
 
     For example: For a two core host, this value should be the average of the two
     cores, between 0 and 1.'
@@ -3369,6 +3372,7 @@ host.cpu.usage:
   short: Percent CPU used, between 0 and 1.
   type: scaled_float
 host.disk.read.bytes:
+  beta: This field is currently considered beta.
   dashed_name: host-disk-read-bytes
   description: The total number of bytes (gauge) read successfully (aggregated from
     all disks) since the last metric collection.
@@ -3379,6 +3383,7 @@ host.disk.read.bytes:
   short: The number of bytes read by all disks.
   type: long
 host.disk.write.bytes:
+  beta: This field is currently considered beta.
   dashed_name: host-disk-write-bytes
   description: The total number of bytes (gauge) written successfully (aggregated
     from all disks) since the last metric collection.
@@ -3606,6 +3611,7 @@ host.name:
   short: Name of the host.
   type: keyword
 host.network.egress.bytes:
+  beta: This field is currently considered beta.
   dashed_name: host-network-egress-bytes
   description: The number of bytes (gauge) sent out on all network interfaces by the
     host since the last metric collection.
@@ -3616,6 +3622,7 @@ host.network.egress.bytes:
   short: The number of bytes sent on all network interfaces.
   type: long
 host.network.egress.packets:
+  beta: This field is currently considered beta.
   dashed_name: host-network-egress-packets
   description: The number of packets (gauge) sent out on all network interfaces by
     the host since the last metric collection.
@@ -3626,6 +3633,7 @@ host.network.egress.packets:
   short: The number of packets sent on all network interfaces.
   type: long
 host.network.ingress.bytes:
+  beta: This field is currently considered beta.
   dashed_name: host-network-ingress-bytes
   description: The number of bytes received (gauge) on all network interfaces by the
     host since the last metric collection.
@@ -3636,6 +3644,7 @@ host.network.ingress.bytes:
   short: The number of bytes received on all network interfaces.
   type: long
 host.network.ingress.packets:
+  beta: This field is currently considered beta.
   dashed_name: host-network-ingress-packets
   description: The number of packets (gauge) received on all network interfaces by
     the host since the last metric collection.
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index ff10e027f4..a0bb8d6a76 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -4092,9 +4092,12 @@ host:
       short: Operating system architecture.
       type: keyword
     host.cpu.usage:
+      beta: This field is currently considered beta.
       dashed_name: host-cpu-usage
       description: 'Percent CPU used which is normalized by the number of CPU cores
-        and it ranges from 0 to 1. Scaling factor: 1000.
+        and it ranges from 0 to 1.
+
+        Scaling factor: 1000.
 
         For example: For a two core host, this value should be the average of the
         two cores, between 0 and 1.'
@@ -4106,6 +4109,7 @@ host:
       short: Percent CPU used, between 0 and 1.
       type: scaled_float
     host.disk.read.bytes:
+      beta: This field is currently considered beta.
       dashed_name: host-disk-read-bytes
       description: The total number of bytes (gauge) read successfully (aggregated
         from all disks) since the last metric collection.
@@ -4116,6 +4120,7 @@ host:
       short: The number of bytes read by all disks.
       type: long
     host.disk.write.bytes:
+      beta: This field is currently considered beta.
       dashed_name: host-disk-write-bytes
       description: The total number of bytes (gauge) written successfully (aggregated
         from all disks) since the last metric collection.
@@ -4346,6 +4351,7 @@ host:
       short: Name of the host.
       type: keyword
     host.network.egress.bytes:
+      beta: This field is currently considered beta.
       dashed_name: host-network-egress-bytes
       description: The number of bytes (gauge) sent out on all network interfaces
         by the host since the last metric collection.
@@ -4356,6 +4362,7 @@ host:
       short: The number of bytes sent on all network interfaces.
       type: long
     host.network.egress.packets:
+      beta: This field is currently considered beta.
       dashed_name: host-network-egress-packets
       description: The number of packets (gauge) sent out on all network interfaces
         by the host since the last metric collection.
@@ -4366,6 +4373,7 @@ host:
       short: The number of packets sent on all network interfaces.
       type: long
     host.network.ingress.bytes:
+      beta: This field is currently considered beta.
       dashed_name: host-network-ingress-bytes
       description: The number of bytes received (gauge) on all network interfaces
         by the host since the last metric collection.
@@ -4376,6 +4384,7 @@ host:
       short: The number of bytes received on all network interfaces.
       type: long
     host.network.ingress.packets:
+      beta: This field is currently considered beta.
       dashed_name: host-network-ingress-packets
       description: The number of packets (gauge) received on all network interfaces
         by the host since the last metric collection.
diff --git a/experimental/schemas/host.yml b/experimental/schemas/host.yml
index b7b57cfc09..91f3d1bbc2 100644
--- a/experimental/schemas/host.yml
+++ b/experimental/schemas/host.yml
@@ -1,65 +1,4 @@
 - name: host
   fields:
-    # RFC 0005
-    - name: cpu.usage
-      type: scaled_float
-      scaling_factor: 1000
-      level: extended
-      short: Percent CPU used, between 0 and 1.
-      description: >
-        Percent CPU used which is normalized by the number of CPU cores and it
-        ranges from 0 to 1. Scaling factor: 1000.
-
-        For example: For a two core host, this value should be the average of the
-        two cores, between 0 and 1.
-
-    - name: network.ingress.bytes
-      type: long
-      level: extended
-      short: The number of bytes received on all network interfaces.
-      description: >
-        The number of bytes received (gauge) on all network interfaces by the
-        host since the last metric collection.
-
-    - name: network.ingress.packets
-      type: long
-      level: extended
-      short: The number of packets received on all network interfaces.
-      description: >
-        The number of packets (gauge) received on all network interfaces by the
-        host since the last metric collection.
-
-    - name: network.egress.bytes
-      type: long
-      level: extended
-      short: The number of bytes sent on all network interfaces.
-      description: >
-        The number of bytes (gauge) sent out on all network interfaces by the
-        host since the last metric collection.
-
-    - name: network.egress.packets
-      type: long
-      level: extended
-      short: The number of packets sent on all network interfaces.
-      description: >
-        The number of packets (gauge) sent out on all network interfaces by the
-        host since the last metric collection.
-
-    - name: disk.read.bytes
-      type: long
-      level: extended
-      short: The number of bytes read by all disks.
-      description: >
-        The total number of bytes (gauge) read successfully (aggregated from all
-        disks) since the last metric collection.
-
-    - name: disk.write.bytes
-      type: long
-      level: extended
-      short: The number of bytes written on all disks.
-      description: >
-        The total number of bytes (gauge) written successfully (aggregated from
-        all disks) since the last metric collection.
-
     - name: hostname
       type: wildcard
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 6fd2e7ea03..4e6459e331 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -2195,6 +2195,30 @@
       ignore_above: 1024
       description: Operating system architecture.
       example: x86_64
+    - name: cpu.usage
+      level: extended
+      type: scaled_float
+      description: 'Percent CPU used which is normalized by the number of CPU cores
+        and it ranges from 0 to 1.
+
+        Scaling factor: 1000.
+
+        For example: For a two core host, this value should be the average of the
+        two cores, between 0 and 1.'
+      scaling_factor: 1000
+      default_field: false
+    - name: disk.read.bytes
+      level: extended
+      type: long
+      description: The total number of bytes (gauge) read successfully (aggregated
+        from all disks) since the last metric collection.
+      default_field: false
+    - name: disk.write.bytes
+      level: extended
+      type: long
+      description: The total number of bytes (gauge) written successfully (aggregated
+        from all disks) since the last metric collection.
+      default_field: false
     - name: domain
       level: extended
       type: keyword
@@ -2323,6 +2347,30 @@
         It can contain what `hostname` returns on Unix systems, the fully qualified
         domain name, or a name specified by the user. The sender decides which value
         to use.'
+    - name: network.egress.bytes
+      level: extended
+      type: long
+      description: The number of bytes (gauge) sent out on all network interfaces
+        by the host since the last metric collection.
+      default_field: false
+    - name: network.egress.packets
+      level: extended
+      type: long
+      description: The number of packets (gauge) sent out on all network interfaces
+        by the host since the last metric collection.
+      default_field: false
+    - name: network.ingress.bytes
+      level: extended
+      type: long
+      description: The number of bytes received (gauge) on all network interfaces
+        by the host since the last metric collection.
+      default_field: false
+    - name: network.ingress.packets
+      level: extended
+      type: long
+      description: The number of packets (gauge) received on all network interfaces
+        by the host since the last metric collection.
+      default_field: false
     - name: os.family
       level: extended
       type: keyword
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index 46400c8e83..8048de1277 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -239,6 +239,9 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 1.9.0-dev,true,group,group.name,keyword,extended,,,Name of the group.
 1.9.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture.
+1.9.0-dev,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1."
+1.9.0-dev,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks.
+1.9.0-dev,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks.
 1.9.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of.
 1.9.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name.
 1.9.0-dev,true,host,host.geo.continent_code,keyword,core,,NA,Continent code.
@@ -256,6 +259,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses.
 1.9.0-dev,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses.
 1.9.0-dev,true,host,host.name,keyword,core,,,Name of the host.
+1.9.0-dev,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces.
+1.9.0-dev,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces.
+1.9.0-dev,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces.
+1.9.0-dev,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces.
 1.9.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
 1.9.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
 1.9.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index b92392d17e..9057ad0999 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -3336,6 +3336,45 @@ host.architecture:
   normalize: []
   short: Operating system architecture.
   type: keyword
+host.cpu.usage:
+  beta: This field is currently considered beta.
+  dashed_name: host-cpu-usage
+  description: 'Percent CPU used which is normalized by the number of CPU cores and
+    it ranges from 0 to 1.
+
+    Scaling factor: 1000.
+
+    For example: For a two core host, this value should be the average of the two
+    cores, between 0 and 1.'
+  flat_name: host.cpu.usage
+  level: extended
+  name: cpu.usage
+  normalize: []
+  scaling_factor: 1000
+  short: Percent CPU used, between 0 and 1.
+  type: scaled_float
+host.disk.read.bytes:
+  beta: This field is currently considered beta.
+  dashed_name: host-disk-read-bytes
+  description: The total number of bytes (gauge) read successfully (aggregated from
+    all disks) since the last metric collection.
+  flat_name: host.disk.read.bytes
+  level: extended
+  name: disk.read.bytes
+  normalize: []
+  short: The number of bytes read by all disks.
+  type: long
+host.disk.write.bytes:
+  beta: This field is currently considered beta.
+  dashed_name: host-disk-write-bytes
+  description: The total number of bytes (gauge) written successfully (aggregated
+    from all disks) since the last metric collection.
+  flat_name: host.disk.write.bytes
+  level: extended
+  name: disk.write.bytes
+  normalize: []
+  short: The number of bytes written on all disks.
+  type: long
 host.domain:
   dashed_name: host-domain
   description: 'Name of the domain of which the host is a member.
@@ -3555,6 +3594,50 @@ host.name:
   normalize: []
   short: Name of the host.
   type: keyword
+host.network.egress.bytes:
+  beta: This field is currently considered beta.
+  dashed_name: host-network-egress-bytes
+  description: The number of bytes (gauge) sent out on all network interfaces by the
+    host since the last metric collection.
+  flat_name: host.network.egress.bytes
+  level: extended
+  name: network.egress.bytes
+  normalize: []
+  short: The number of bytes sent on all network interfaces.
+  type: long
+host.network.egress.packets:
+  beta: This field is currently considered beta.
+  dashed_name: host-network-egress-packets
+  description: The number of packets (gauge) sent out on all network interfaces by
+    the host since the last metric collection.
+  flat_name: host.network.egress.packets
+  level: extended
+  name: network.egress.packets
+  normalize: []
+  short: The number of packets sent on all network interfaces.
+  type: long
+host.network.ingress.bytes:
+  beta: This field is currently considered beta.
+  dashed_name: host-network-ingress-bytes
+  description: The number of bytes received (gauge) on all network interfaces by the
+    host since the last metric collection.
+  flat_name: host.network.ingress.bytes
+  level: extended
+  name: network.ingress.bytes
+  normalize: []
+  short: The number of bytes received on all network interfaces.
+  type: long
+host.network.ingress.packets:
+  beta: This field is currently considered beta.
+  dashed_name: host-network-ingress-packets
+  description: The number of packets (gauge) received on all network interfaces by
+    the host since the last metric collection.
+  flat_name: host.network.ingress.packets
+  level: extended
+  name: network.ingress.packets
+  normalize: []
+  short: The number of packets received on all network interfaces.
+  type: long
 host.os.family:
   dashed_name: host-os-family
   description: OS family (such as redhat, debian, freebsd, windows).
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index b11ded1d60..482bcf618a 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -4052,6 +4052,45 @@ host:
       normalize: []
       short: Operating system architecture.
       type: keyword
+    host.cpu.usage:
+      beta: This field is currently considered beta.
+      dashed_name: host-cpu-usage
+      description: 'Percent CPU used which is normalized by the number of CPU cores
+        and it ranges from 0 to 1.
+
+        Scaling factor: 1000.
+
+        For example: For a two core host, this value should be the average of the
+        two cores, between 0 and 1.'
+      flat_name: host.cpu.usage
+      level: extended
+      name: cpu.usage
+      normalize: []
+      scaling_factor: 1000
+      short: Percent CPU used, between 0 and 1.
+      type: scaled_float
+    host.disk.read.bytes:
+      beta: This field is currently considered beta.
+      dashed_name: host-disk-read-bytes
+      description: The total number of bytes (gauge) read successfully (aggregated
+        from all disks) since the last metric collection.
+      flat_name: host.disk.read.bytes
+      level: extended
+      name: disk.read.bytes
+      normalize: []
+      short: The number of bytes read by all disks.
+      type: long
+    host.disk.write.bytes:
+      beta: This field is currently considered beta.
+      dashed_name: host-disk-write-bytes
+      description: The total number of bytes (gauge) written successfully (aggregated
+        from all disks) since the last metric collection.
+      flat_name: host.disk.write.bytes
+      level: extended
+      name: disk.write.bytes
+      normalize: []
+      short: The number of bytes written on all disks.
+      type: long
     host.domain:
       dashed_name: host-domain
       description: 'Name of the domain of which the host is a member.
@@ -4274,6 +4313,50 @@ host:
       normalize: []
       short: Name of the host.
       type: keyword
+    host.network.egress.bytes:
+      beta: This field is currently considered beta.
+      dashed_name: host-network-egress-bytes
+      description: The number of bytes (gauge) sent out on all network interfaces
+        by the host since the last metric collection.
+      flat_name: host.network.egress.bytes
+      level: extended
+      name: network.egress.bytes
+      normalize: []
+      short: The number of bytes sent on all network interfaces.
+      type: long
+    host.network.egress.packets:
+      beta: This field is currently considered beta.
+      dashed_name: host-network-egress-packets
+      description: The number of packets (gauge) sent out on all network interfaces
+        by the host since the last metric collection.
+      flat_name: host.network.egress.packets
+      level: extended
+      name: network.egress.packets
+      normalize: []
+      short: The number of packets sent on all network interfaces.
+      type: long
+    host.network.ingress.bytes:
+      beta: This field is currently considered beta.
+      dashed_name: host-network-ingress-bytes
+      description: The number of bytes received (gauge) on all network interfaces
+        by the host since the last metric collection.
+      flat_name: host.network.ingress.bytes
+      level: extended
+      name: network.ingress.bytes
+      normalize: []
+      short: The number of bytes received on all network interfaces.
+      type: long
+    host.network.ingress.packets:
+      beta: This field is currently considered beta.
+      dashed_name: host-network-ingress-packets
+      description: The number of packets (gauge) received on all network interfaces
+        by the host since the last metric collection.
+      flat_name: host.network.ingress.packets
+      level: extended
+      name: network.ingress.packets
+      normalize: []
+      short: The number of packets received on all network interfaces.
+      type: long
     host.os.family:
       dashed_name: host-os-family
       description: OS family (such as redhat, debian, freebsd, windows).
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json
index 15708392e3..b126de6d78 100644
--- a/generated/elasticsearch/6/template.json
+++ b/generated/elasticsearch/6/template.json
@@ -1115,6 +1115,32 @@
               "ignore_above": 1024,
               "type": "keyword"
             },
+            "cpu": {
+              "properties": {
+                "usage": {
+                  "scaling_factor": 1000,
+                  "type": "scaled_float"
+                }
+              }
+            },
+            "disk": {
+              "properties": {
+                "read": {
+                  "properties": {
+                    "bytes": {
+                      "type": "long"
+                    }
+                  }
+                },
+                "write": {
+                  "properties": {
+                    "bytes": {
+                      "type": "long"
+                    }
+                  }
+                }
+              }
+            },
             "domain": {
               "ignore_above": 1024,
               "type": "keyword"
@@ -1185,6 +1211,30 @@
               "ignore_above": 1024,
               "type": "keyword"
             },
+            "network": {
+              "properties": {
+                "egress": {
+                  "properties": {
+                    "bytes": {
+                      "type": "long"
+                    },
+                    "packets": {
+                      "type": "long"
+                    }
+                  }
+                },
+                "ingress": {
+                  "properties": {
+                    "bytes": {
+                      "type": "long"
+                    },
+                    "packets": {
+                      "type": "long"
+                    }
+                  }
+                }
+              }
+            },
             "os": {
               "properties": {
                 "family": {
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json
index 083546847a..f70782f320 100644
--- a/generated/elasticsearch/7/template.json
+++ b/generated/elasticsearch/7/template.json
@@ -1114,6 +1114,32 @@
             "ignore_above": 1024,
             "type": "keyword"
           },
+          "cpu": {
+            "properties": {
+              "usage": {
+                "scaling_factor": 1000,
+                "type": "scaled_float"
+              }
+            }
+          },
+          "disk": {
+            "properties": {
+              "read": {
+                "properties": {
+                  "bytes": {
+                    "type": "long"
+                  }
+                }
+              },
+              "write": {
+                "properties": {
+                  "bytes": {
+                    "type": "long"
+                  }
+                }
+              }
+            }
+          },
           "domain": {
             "ignore_above": 1024,
             "type": "keyword"
@@ -1184,6 +1210,30 @@
             "ignore_above": 1024,
             "type": "keyword"
           },
+          "network": {
+            "properties": {
+              "egress": {
+                "properties": {
+                  "bytes": {
+                    "type": "long"
+                  },
+                  "packets": {
+                    "type": "long"
+                  }
+                }
+              },
+              "ingress": {
+                "properties": {
+                  "bytes": {
+                    "type": "long"
+                  },
+                  "packets": {
+                    "type": "long"
+                  }
+                }
+              }
+            }
+          },
           "os": {
             "properties": {
               "family": {
diff --git a/generated/elasticsearch/component/host.json b/generated/elasticsearch/component/host.json
index e371893cf8..e4ee59abbc 100644
--- a/generated/elasticsearch/component/host.json
+++ b/generated/elasticsearch/component/host.json
@@ -12,6 +12,32 @@
               "ignore_above": 1024,
               "type": "keyword"
             },
+            "cpu": {
+              "properties": {
+                "usage": {
+                  "scaling_factor": 1000,
+                  "type": "scaled_float"
+                }
+              }
+            },
+            "disk": {
+              "properties": {
+                "read": {
+                  "properties": {
+                    "bytes": {
+                      "type": "long"
+                    }
+                  }
+                },
+                "write": {
+                  "properties": {
+                    "bytes": {
+                      "type": "long"
+                    }
+                  }
+                }
+              }
+            },
             "domain": {
               "ignore_above": 1024,
               "type": "keyword"
@@ -82,6 +108,30 @@
               "ignore_above": 1024,
               "type": "keyword"
             },
+            "network": {
+              "properties": {
+                "egress": {
+                  "properties": {
+                    "bytes": {
+                      "type": "long"
+                    },
+                    "packets": {
+                      "type": "long"
+                    }
+                  }
+                },
+                "ingress": {
+                  "properties": {
+                    "bytes": {
+                      "type": "long"
+                    },
+                    "packets": {
+                      "type": "long"
+                    }
+                  }
+                }
+              }
+            },
             "os": {
               "properties": {
                 "family": {
diff --git a/schemas/host.yml b/schemas/host.yml
index 984cc51f40..74a6de5eec 100644
--- a/schemas/host.yml
+++ b/schemas/host.yml
@@ -103,3 +103,71 @@
         For Linux this could be the domain of the host's LDAP provider.
       example: CONTOSO
 
+    - name: cpu.usage
+      level: extended
+      type: scaled_float
+      scaling_factor: 1000
+      short: Percent CPU used, between 0 and 1.
+      beta: This field is currently considered beta.
+      description: >
+        Percent CPU used which is normalized by the number of CPU cores and it
+        ranges from 0 to 1.
+
+        Scaling factor: 1000.
+
+        For example: For a two core host, this value should be the average of
+        the two cores, between 0 and 1.
+
+    - name: disk.read.bytes
+      type: long
+      level: extended
+      short: The number of bytes read by all disks.
+      beta: This field is currently considered beta.
+      description: >
+        The total number of bytes (gauge) read successfully (aggregated from all
+        disks) since the last metric collection.
+
+    - name: disk.write.bytes
+      type: long
+      level: extended
+      short: The number of bytes written on all disks.
+      beta: This field is currently considered beta.
+      description: >
+        The total number of bytes (gauge) written successfully (aggregated from
+        all disks) since the last metric collection.
+
+    - name: network.ingress.bytes
+      type: long
+      level: extended
+      short: The number of bytes received on all network interfaces.
+      beta: This field is currently considered beta.
+      description: >
+        The number of bytes received (gauge) on all network interfaces by the
+        host since the last metric collection.
+
+    - name: network.ingress.packets
+      type: long
+      level: extended
+      short: The number of packets received on all network interfaces.
+      beta: This field is currently considered beta.
+      description: >
+        The number of packets (gauge) received on all network interfaces by the
+        host since the last metric collection.
+
+    - name: network.egress.bytes
+      type: long
+      level: extended
+      short: The number of bytes sent on all network interfaces.
+      beta: This field is currently considered beta.
+      description: >
+        The number of bytes (gauge) sent out on all network interfaces by the
+        host since the last metric collection.
+
+    - name: network.egress.packets
+      type: long
+      level: extended
+      short: The number of packets sent on all network interfaces.
+      beta: This field is currently considered beta.
+      description: >
+        The number of packets (gauge) sent out on all network interfaces by the
+        host since the last metric collection.

From 9f97ffbc3b2e2770367cbc7a35b6d1d764199ae4 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Wed, 17 Feb 2021 10:00:05 -0600
Subject: [PATCH 79/90] Stage 1 changes for RFC 0014 - extend pe fields (#1256)
 (#1270)

---
 CHANGELOG.next.md                             |    1 +
 experimental/generated/beats/fields.ecs.yml   | 1100 +++++++++-
 experimental/generated/csv/fields.csv         |  124 ++
 experimental/generated/ecs/ecs_flat.yml       | 1536 +++++++++++++-
 experimental/generated/ecs/ecs_nested.yml     | 1881 ++++++++++++++++-
 .../generated/elasticsearch/7/template.json   |  544 +++++
 .../elasticsearch/component/dll.json          |  136 ++
 .../elasticsearch/component/file.json         |  136 ++
 .../elasticsearch/component/process.json      |  272 +++
 experimental/schemas/pe.yml                   |  225 ++
 10 files changed, 5878 insertions(+), 77 deletions(-)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 6239379a43..8fe7df718f 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -22,6 +22,7 @@ Thanks, you're awesome :-) -->
 * Added `hash.ssdeep`. #1169
 * Added additional host fields. #1248
 * Added `geo.timezone`, `geo.postal_code`, and `geo.continent_code`. #1229
+* Extended `pe` fields added to experimental schema. #1256
 
 #### Improvements
 
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index c044939ad9..bad2a56e1b 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -1040,6 +1040,13 @@
       description: CPU architecture target for the file.
       example: x64
       default_field: false
+    - name: pe.authentihash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Authentihash of the PE file.
+      example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
+      default_field: false
     - name: pe.company
       level: extended
       type: keyword
@@ -1047,6 +1054,67 @@
       description: Internal company name of the file, provided at compile-time.
       example: Microsoft Corporation
       default_field: false
+    - name: pe.compile_timestamp
+      level: extended
+      type: date
+      description: Compile timestamp of the PE file.
+      example: '2020-11-05T17:25:47.000Z'
+      default_field: false
+    - name: pe.compiler.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the compiler
+      example: Clang
+      default_field: false
+    - name: pe.compiler.version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Version of the compiler.
+      example: 11.0.0
+      default_field: false
+    - name: pe.creation_date
+      level: extended
+      type: date
+      description: Extracted when possible from the file's metadata. Indicates when
+        it was built or compiled. It can also be faked by malware creators.
+      example: '2020-11-05T17:25:47.000Z'
+      default_field: false
+    - name: pe.debug
+      level: extended
+      type: nested
+      description: 'An array containing an object for each debug entry, if present.
+
+        The expected fields for this nested object fall under the `debug.` prefix.'
+      default_field: false
+    - name: pe.debug.offset
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Debug offset information.
+      example: 1296336
+      default_field: false
+    - name: pe.debug.size
+      level: extended
+      type: long
+      format: bytes
+      description: Size of the debug information.
+      example: 816
+      default_field: false
+    - name: pe.debug.timestamp
+      level: extended
+      type: date
+      description: Timestamp of the debug information.
+      example: '2020-11-05T17:25:47.000Z'
+      default_field: false
+    - name: pe.debug.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Information type generated by the debug options.
+      example: IMAGE_DEBUG_TYPE_POGO
+      default_field: false
     - name: pe.description
       level: extended
       type: keyword
@@ -1054,6 +1122,20 @@
       description: Internal description of the file, provided at compile-time.
       example: Paint
       default_field: false
+    - name: pe.entry_point
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Relative byte offset to the base of the PE file.
+      example: 25856
+      default_field: false
+    - name: pe.exports
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of symbols exported by PE
+      example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
+      default_field: false
     - name: pe.file_version
       level: extended
       type: keyword
@@ -1061,6 +1143,14 @@
       description: Internal version of the file, provided at compile-time.
       example: 6.3.9600.17415
       default_field: false
+    - name: pe.icon.hash.dhash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Difference Hash (dhash) to find files with a visually similar icon
+        or thumbnail.
+      example: b806e17c8e330d82
+      default_field: false
     - name: pe.imphash
       level: extended
       type: keyword
@@ -1072,12 +1162,33 @@
         Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
       example: 0c6803c4e922103c4dca5963aad36ddf
       default_field: false
+    - name: pe.imports
+      level: extended
+      type: flattened
+      description: List of all imported functions
+      example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
+        }'
+      default_field: false
+    - name: pe.machine_type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Machine type of the PE file.
+      example: Intel 386 or later, and compatibles
+      default_field: false
     - name: pe.original_file_name
       level: extended
       type: wildcard
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
       default_field: false
+    - name: pe.packers
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of packers and tools used.
+      example: '["ASPack v2.12", ".NET executable"]'
+      default_field: false
     - name: pe.product
       level: extended
       type: keyword
@@ -1085,6 +1196,105 @@
       description: Internal product name of the file, provided at compile-time.
       example: "Microsoft\xAE Windows\xAE Operating System"
       default_field: false
+    - name: pe.resources
+      level: extended
+      type: nested
+      description: 'An array containing an object for each PE resource, if present.
+
+        The expected fields for this nested object fall under the `resources.` prefix.'
+      default_field: false
+    - name: pe.resources.chi2
+      level: extended
+      type: long
+      description: Chi-square probability distribution.
+      example: -1
+      default_field: false
+    - name: pe.resources.entropy
+      level: extended
+      type: long
+      description: Measurement of entropy randomness in the resources section.
+      example: 0, 1
+      default_field: false
+    - name: pe.resources.filetype
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: File type of the resources section.
+      example: Data
+      default_field: false
+    - name: pe.resources.language
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Language identification.
+      example: CHINESE SIMPLIFIED
+      default_field: false
+    - name: pe.resources.sha256
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SHA256 hash of resources section.
+      example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+      default_field: false
+    - name: pe.resources.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Digest of resource types.
+      example: '["RT_VERSION", "RT_MANIFEST"]'
+      default_field: false
+    - name: pe.rich_header.hash.md5
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: MD5 hash of the header for the PE file.
+      example: 5aa1aa0f2b4be70397a1e9e2b87627cd
+      default_field: false
+    - name: pe.sections
+      level: extended
+      type: nested
+      description: Data about sections of compiled binary PE
+      default_field: false
+    - name: pe.sections.chi2
+      level: extended
+      type: long
+      description: Chi-square probability distribution.
+      example: 3027194
+      default_field: false
+    - name: pe.sections.entropy
+      level: extended
+      type: float
+      description: Measurement of entropy randomness in the file.
+      example: 6.24
+      default_field: false
+    - name: pe.sections.flags
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Section flags of the file.
+      example: rx
+      default_field: false
+    - name: pe.sections.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Section names of the file.
+      example: .text, .data
+      default_field: false
+    - name: pe.sections.raw_size
+      level: extended
+      type: long
+      format: bytes
+      description: Size of the section or the dize of the initialized data on disk.
+      example: 198144
+      default_field: false
+    - name: pe.sections.virtual_address
+      level: extended
+      type: long
+      format: bytes
+      description: Virtual address available to the file.
+      example: 8192
+      default_field: false
   - name: dns
     title: DNS
     group: 2
@@ -1809,6 +2019,13 @@
       description: CPU architecture target for the file.
       example: x64
       default_field: false
+    - name: pe.authentihash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Authentihash of the PE file.
+      example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
+      default_field: false
     - name: pe.company
       level: extended
       type: keyword
@@ -1816,6 +2033,67 @@
       description: Internal company name of the file, provided at compile-time.
       example: Microsoft Corporation
       default_field: false
+    - name: pe.compile_timestamp
+      level: extended
+      type: date
+      description: Compile timestamp of the PE file.
+      example: '2020-11-05T17:25:47.000Z'
+      default_field: false
+    - name: pe.compiler.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the compiler
+      example: Clang
+      default_field: false
+    - name: pe.compiler.version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Version of the compiler.
+      example: 11.0.0
+      default_field: false
+    - name: pe.creation_date
+      level: extended
+      type: date
+      description: Extracted when possible from the file's metadata. Indicates when
+        it was built or compiled. It can also be faked by malware creators.
+      example: '2020-11-05T17:25:47.000Z'
+      default_field: false
+    - name: pe.debug
+      level: extended
+      type: nested
+      description: 'An array containing an object for each debug entry, if present.
+
+        The expected fields for this nested object fall under the `debug.` prefix.'
+      default_field: false
+    - name: pe.debug.offset
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Debug offset information.
+      example: 1296336
+      default_field: false
+    - name: pe.debug.size
+      level: extended
+      type: long
+      format: bytes
+      description: Size of the debug information.
+      example: 816
+      default_field: false
+    - name: pe.debug.timestamp
+      level: extended
+      type: date
+      description: Timestamp of the debug information.
+      example: '2020-11-05T17:25:47.000Z'
+      default_field: false
+    - name: pe.debug.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Information type generated by the debug options.
+      example: IMAGE_DEBUG_TYPE_POGO
+      default_field: false
     - name: pe.description
       level: extended
       type: keyword
@@ -1823,6 +2101,20 @@
       description: Internal description of the file, provided at compile-time.
       example: Paint
       default_field: false
+    - name: pe.entry_point
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Relative byte offset to the base of the PE file.
+      example: 25856
+      default_field: false
+    - name: pe.exports
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of symbols exported by PE
+      example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
+      default_field: false
     - name: pe.file_version
       level: extended
       type: keyword
@@ -1830,6 +2122,14 @@
       description: Internal version of the file, provided at compile-time.
       example: 6.3.9600.17415
       default_field: false
+    - name: pe.icon.hash.dhash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Difference Hash (dhash) to find files with a visually similar icon
+        or thumbnail.
+      example: b806e17c8e330d82
+      default_field: false
     - name: pe.imphash
       level: extended
       type: keyword
@@ -1841,12 +2141,33 @@
         Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
       example: 0c6803c4e922103c4dca5963aad36ddf
       default_field: false
+    - name: pe.imports
+      level: extended
+      type: flattened
+      description: List of all imported functions
+      example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
+        }'
+      default_field: false
+    - name: pe.machine_type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Machine type of the PE file.
+      example: Intel 386 or later, and compatibles
+      default_field: false
     - name: pe.original_file_name
       level: extended
       type: wildcard
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
       default_field: false
+    - name: pe.packers
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of packers and tools used.
+      example: '["ASPack v2.12", ".NET executable"]'
+      default_field: false
     - name: pe.product
       level: extended
       type: keyword
@@ -1854,6 +2175,105 @@
       description: Internal product name of the file, provided at compile-time.
       example: "Microsoft\xAE Windows\xAE Operating System"
       default_field: false
+    - name: pe.resources
+      level: extended
+      type: nested
+      description: 'An array containing an object for each PE resource, if present.
+
+        The expected fields for this nested object fall under the `resources.` prefix.'
+      default_field: false
+    - name: pe.resources.chi2
+      level: extended
+      type: long
+      description: Chi-square probability distribution.
+      example: -1
+      default_field: false
+    - name: pe.resources.entropy
+      level: extended
+      type: long
+      description: Measurement of entropy randomness in the resources section.
+      example: 0, 1
+      default_field: false
+    - name: pe.resources.filetype
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: File type of the resources section.
+      example: Data
+      default_field: false
+    - name: pe.resources.language
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Language identification.
+      example: CHINESE SIMPLIFIED
+      default_field: false
+    - name: pe.resources.sha256
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SHA256 hash of resources section.
+      example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+      default_field: false
+    - name: pe.resources.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Digest of resource types.
+      example: '["RT_VERSION", "RT_MANIFEST"]'
+      default_field: false
+    - name: pe.rich_header.hash.md5
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: MD5 hash of the header for the PE file.
+      example: 5aa1aa0f2b4be70397a1e9e2b87627cd
+      default_field: false
+    - name: pe.sections
+      level: extended
+      type: nested
+      description: Data about sections of compiled binary PE
+      default_field: false
+    - name: pe.sections.chi2
+      level: extended
+      type: long
+      description: Chi-square probability distribution.
+      example: 3027194
+      default_field: false
+    - name: pe.sections.entropy
+      level: extended
+      type: float
+      description: Measurement of entropy randomness in the file.
+      example: 6.24
+      default_field: false
+    - name: pe.sections.flags
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Section flags of the file.
+      example: rx
+      default_field: false
+    - name: pe.sections.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Section names of the file.
+      example: .text, .data
+      default_field: false
+    - name: pe.sections.raw_size
+      level: extended
+      type: long
+      format: bytes
+      description: Size of the section or the dize of the initialized data on disk.
+      example: 198144
+      default_field: false
+    - name: pe.sections.virtual_address
+      level: extended
+      type: long
+      format: bytes
+      description: Virtual address available to the file.
+      example: 8192
+      default_field: false
     - name: size
       level: extended
       type: long
@@ -3486,6 +3906,13 @@
       description: CPU architecture target for the file.
       example: x64
       default_field: false
+    - name: authentihash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Authentihash of the PE file.
+      example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
+      default_field: false
     - name: company
       level: extended
       type: keyword
@@ -3493,47 +3920,250 @@
       description: Internal company name of the file, provided at compile-time.
       example: Microsoft Corporation
       default_field: false
-    - name: description
+    - name: compile_timestamp
       level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Internal description of the file, provided at compile-time.
-      example: Paint
+      type: date
+      description: Compile timestamp of the PE file.
+      example: '2020-11-05T17:25:47.000Z'
       default_field: false
-    - name: file_version
+    - name: compiler.name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Internal version of the file, provided at compile-time.
-      example: 6.3.9600.17415
+      description: Name of the compiler
+      example: Clang
       default_field: false
-    - name: imphash
+    - name: compiler.version
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'A hash of the imports in a PE file. An imphash -- or import hash
-        -- can be used to fingerprint binaries even after recompilation or other code-level
-        transformations have occurred, which would change more traditional hash values.
-
-        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
-      example: 0c6803c4e922103c4dca5963aad36ddf
+      description: Version of the compiler.
+      example: 11.0.0
       default_field: false
-    - name: original_file_name
+    - name: creation_date
       level: extended
-      type: wildcard
-      description: Internal name of the file, provided at compile-time.
-      example: MSPAINT.EXE
+      type: date
+      description: Extracted when possible from the file's metadata. Indicates when
+        it was built or compiled. It can also be faked by malware creators.
+      example: '2020-11-05T17:25:47.000Z'
       default_field: false
-    - name: product
+    - name: debug
+      level: extended
+      type: nested
+      description: 'An array containing an object for each debug entry, if present.
+
+        The expected fields for this nested object fall under the `debug.` prefix.'
+      default_field: false
+    - name: debug.offset
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Internal product name of the file, provided at compile-time.
-      example: "Microsoft\xAE Windows\xAE Operating System"
+      description: Debug offset information.
+      example: 1296336
       default_field: false
-  - name: process
-    title: Process
-    group: 2
+    - name: debug.size
+      level: extended
+      type: long
+      format: bytes
+      description: Size of the debug information.
+      example: 816
+      default_field: false
+    - name: debug.timestamp
+      level: extended
+      type: date
+      description: Timestamp of the debug information.
+      example: '2020-11-05T17:25:47.000Z'
+      default_field: false
+    - name: debug.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Information type generated by the debug options.
+      example: IMAGE_DEBUG_TYPE_POGO
+      default_field: false
+    - name: description
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal description of the file, provided at compile-time.
+      example: Paint
+      default_field: false
+    - name: entry_point
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Relative byte offset to the base of the PE file.
+      example: 25856
+      default_field: false
+    - name: exports
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of symbols exported by PE
+      example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
+      default_field: false
+    - name: file_version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal version of the file, provided at compile-time.
+      example: 6.3.9600.17415
+      default_field: false
+    - name: icon.hash.dhash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Difference Hash (dhash) to find files with a visually similar icon
+        or thumbnail.
+      example: b806e17c8e330d82
+      default_field: false
+    - name: imphash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'A hash of the imports in a PE file. An imphash -- or import hash
+        -- can be used to fingerprint binaries even after recompilation or other code-level
+        transformations have occurred, which would change more traditional hash values.
+
+        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+      example: 0c6803c4e922103c4dca5963aad36ddf
+      default_field: false
+    - name: imports
+      level: extended
+      type: flattened
+      description: List of all imported functions
+      example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
+        }'
+      default_field: false
+    - name: machine_type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Machine type of the PE file.
+      example: Intel 386 or later, and compatibles
+      default_field: false
+    - name: original_file_name
+      level: extended
+      type: wildcard
+      description: Internal name of the file, provided at compile-time.
+      example: MSPAINT.EXE
+      default_field: false
+    - name: packers
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of packers and tools used.
+      example: '["ASPack v2.12", ".NET executable"]'
+      default_field: false
+    - name: product
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal product name of the file, provided at compile-time.
+      example: "Microsoft\xAE Windows\xAE Operating System"
+      default_field: false
+    - name: resources
+      level: extended
+      type: nested
+      description: 'An array containing an object for each PE resource, if present.
+
+        The expected fields for this nested object fall under the `resources.` prefix.'
+      default_field: false
+    - name: resources.chi2
+      level: extended
+      type: long
+      description: Chi-square probability distribution.
+      example: -1
+      default_field: false
+    - name: resources.entropy
+      level: extended
+      type: long
+      description: Measurement of entropy randomness in the resources section.
+      example: 0, 1
+      default_field: false
+    - name: resources.filetype
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: File type of the resources section.
+      example: Data
+      default_field: false
+    - name: resources.language
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Language identification.
+      example: CHINESE SIMPLIFIED
+      default_field: false
+    - name: resources.sha256
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SHA256 hash of resources section.
+      example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+      default_field: false
+    - name: resources.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Digest of resource types.
+      example: '["RT_VERSION", "RT_MANIFEST"]'
+      default_field: false
+    - name: rich_header.hash.md5
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: MD5 hash of the header for the PE file.
+      example: 5aa1aa0f2b4be70397a1e9e2b87627cd
+      default_field: false
+    - name: sections
+      level: extended
+      type: nested
+      description: Data about sections of compiled binary PE
+      default_field: false
+    - name: sections.chi2
+      level: extended
+      type: long
+      description: Chi-square probability distribution.
+      example: 3027194
+      default_field: false
+    - name: sections.entropy
+      level: extended
+      type: float
+      description: Measurement of entropy randomness in the file.
+      example: 6.24
+      default_field: false
+    - name: sections.flags
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Section flags of the file.
+      example: rx
+      default_field: false
+    - name: sections.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Section names of the file.
+      example: .text, .data
+      default_field: false
+    - name: sections.raw_size
+      level: extended
+      type: long
+      format: bytes
+      description: Size of the section or the dize of the initialized data on disk.
+      example: 198144
+      default_field: false
+    - name: sections.virtual_address
+      level: extended
+      type: long
+      format: bytes
+      description: Virtual address available to the file.
+      example: 8192
+      default_field: false
+  - name: process
+    title: Process
+    group: 2
     description: 'These fields contain information about a process.
 
       These fields can help you correlate metrics information with a process id/name
@@ -3845,6 +4475,13 @@
       description: CPU architecture target for the file.
       example: x64
       default_field: false
+    - name: parent.pe.authentihash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Authentihash of the PE file.
+      example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
+      default_field: false
     - name: parent.pe.company
       level: extended
       type: keyword
@@ -3852,6 +4489,67 @@
       description: Internal company name of the file, provided at compile-time.
       example: Microsoft Corporation
       default_field: false
+    - name: parent.pe.compile_timestamp
+      level: extended
+      type: date
+      description: Compile timestamp of the PE file.
+      example: '2020-11-05T17:25:47.000Z'
+      default_field: false
+    - name: parent.pe.compiler.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the compiler
+      example: Clang
+      default_field: false
+    - name: parent.pe.compiler.version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Version of the compiler.
+      example: 11.0.0
+      default_field: false
+    - name: parent.pe.creation_date
+      level: extended
+      type: date
+      description: Extracted when possible from the file's metadata. Indicates when
+        it was built or compiled. It can also be faked by malware creators.
+      example: '2020-11-05T17:25:47.000Z'
+      default_field: false
+    - name: parent.pe.debug
+      level: extended
+      type: nested
+      description: 'An array containing an object for each debug entry, if present.
+
+        The expected fields for this nested object fall under the `debug.` prefix.'
+      default_field: false
+    - name: parent.pe.debug.offset
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Debug offset information.
+      example: 1296336
+      default_field: false
+    - name: parent.pe.debug.size
+      level: extended
+      type: long
+      format: bytes
+      description: Size of the debug information.
+      example: 816
+      default_field: false
+    - name: parent.pe.debug.timestamp
+      level: extended
+      type: date
+      description: Timestamp of the debug information.
+      example: '2020-11-05T17:25:47.000Z'
+      default_field: false
+    - name: parent.pe.debug.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Information type generated by the debug options.
+      example: IMAGE_DEBUG_TYPE_POGO
+      default_field: false
     - name: parent.pe.description
       level: extended
       type: keyword
@@ -3859,6 +4557,20 @@
       description: Internal description of the file, provided at compile-time.
       example: Paint
       default_field: false
+    - name: parent.pe.entry_point
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Relative byte offset to the base of the PE file.
+      example: 25856
+      default_field: false
+    - name: parent.pe.exports
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of symbols exported by PE
+      example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
+      default_field: false
     - name: parent.pe.file_version
       level: extended
       type: keyword
@@ -3866,6 +4578,14 @@
       description: Internal version of the file, provided at compile-time.
       example: 6.3.9600.17415
       default_field: false
+    - name: parent.pe.icon.hash.dhash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Difference Hash (dhash) to find files with a visually similar icon
+        or thumbnail.
+      example: b806e17c8e330d82
+      default_field: false
     - name: parent.pe.imphash
       level: extended
       type: keyword
@@ -3877,12 +4597,33 @@
         Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
       example: 0c6803c4e922103c4dca5963aad36ddf
       default_field: false
+    - name: parent.pe.imports
+      level: extended
+      type: flattened
+      description: List of all imported functions
+      example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
+        }'
+      default_field: false
+    - name: parent.pe.machine_type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Machine type of the PE file.
+      example: Intel 386 or later, and compatibles
+      default_field: false
     - name: parent.pe.original_file_name
       level: extended
       type: wildcard
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
       default_field: false
+    - name: parent.pe.packers
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of packers and tools used.
+      example: '["ASPack v2.12", ".NET executable"]'
+      default_field: false
     - name: parent.pe.product
       level: extended
       type: keyword
@@ -3890,6 +4631,105 @@
       description: Internal product name of the file, provided at compile-time.
       example: "Microsoft\xAE Windows\xAE Operating System"
       default_field: false
+    - name: parent.pe.resources
+      level: extended
+      type: nested
+      description: 'An array containing an object for each PE resource, if present.
+
+        The expected fields for this nested object fall under the `resources.` prefix.'
+      default_field: false
+    - name: parent.pe.resources.chi2
+      level: extended
+      type: long
+      description: Chi-square probability distribution.
+      example: -1
+      default_field: false
+    - name: parent.pe.resources.entropy
+      level: extended
+      type: long
+      description: Measurement of entropy randomness in the resources section.
+      example: 0, 1
+      default_field: false
+    - name: parent.pe.resources.filetype
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: File type of the resources section.
+      example: Data
+      default_field: false
+    - name: parent.pe.resources.language
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Language identification.
+      example: CHINESE SIMPLIFIED
+      default_field: false
+    - name: parent.pe.resources.sha256
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SHA256 hash of resources section.
+      example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+      default_field: false
+    - name: parent.pe.resources.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Digest of resource types.
+      example: '["RT_VERSION", "RT_MANIFEST"]'
+      default_field: false
+    - name: parent.pe.rich_header.hash.md5
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: MD5 hash of the header for the PE file.
+      example: 5aa1aa0f2b4be70397a1e9e2b87627cd
+      default_field: false
+    - name: parent.pe.sections
+      level: extended
+      type: nested
+      description: Data about sections of compiled binary PE
+      default_field: false
+    - name: parent.pe.sections.chi2
+      level: extended
+      type: long
+      description: Chi-square probability distribution.
+      example: 3027194
+      default_field: false
+    - name: parent.pe.sections.entropy
+      level: extended
+      type: float
+      description: Measurement of entropy randomness in the file.
+      example: 6.24
+      default_field: false
+    - name: parent.pe.sections.flags
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Section flags of the file.
+      example: rx
+      default_field: false
+    - name: parent.pe.sections.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Section names of the file.
+      example: .text, .data
+      default_field: false
+    - name: parent.pe.sections.raw_size
+      level: extended
+      type: long
+      format: bytes
+      description: Size of the section or the dize of the initialized data on disk.
+      example: 198144
+      default_field: false
+    - name: parent.pe.sections.virtual_address
+      level: extended
+      type: long
+      format: bytes
+      description: Virtual address available to the file.
+      example: 8192
+      default_field: false
     - name: parent.pgid
       level: extended
       type: long
@@ -3964,6 +4804,13 @@
       description: CPU architecture target for the file.
       example: x64
       default_field: false
+    - name: pe.authentihash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Authentihash of the PE file.
+      example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
+      default_field: false
     - name: pe.company
       level: extended
       type: keyword
@@ -3971,6 +4818,67 @@
       description: Internal company name of the file, provided at compile-time.
       example: Microsoft Corporation
       default_field: false
+    - name: pe.compile_timestamp
+      level: extended
+      type: date
+      description: Compile timestamp of the PE file.
+      example: '2020-11-05T17:25:47.000Z'
+      default_field: false
+    - name: pe.compiler.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the compiler
+      example: Clang
+      default_field: false
+    - name: pe.compiler.version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Version of the compiler.
+      example: 11.0.0
+      default_field: false
+    - name: pe.creation_date
+      level: extended
+      type: date
+      description: Extracted when possible from the file's metadata. Indicates when
+        it was built or compiled. It can also be faked by malware creators.
+      example: '2020-11-05T17:25:47.000Z'
+      default_field: false
+    - name: pe.debug
+      level: extended
+      type: nested
+      description: 'An array containing an object for each debug entry, if present.
+
+        The expected fields for this nested object fall under the `debug.` prefix.'
+      default_field: false
+    - name: pe.debug.offset
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Debug offset information.
+      example: 1296336
+      default_field: false
+    - name: pe.debug.size
+      level: extended
+      type: long
+      format: bytes
+      description: Size of the debug information.
+      example: 816
+      default_field: false
+    - name: pe.debug.timestamp
+      level: extended
+      type: date
+      description: Timestamp of the debug information.
+      example: '2020-11-05T17:25:47.000Z'
+      default_field: false
+    - name: pe.debug.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Information type generated by the debug options.
+      example: IMAGE_DEBUG_TYPE_POGO
+      default_field: false
     - name: pe.description
       level: extended
       type: keyword
@@ -3978,6 +4886,20 @@
       description: Internal description of the file, provided at compile-time.
       example: Paint
       default_field: false
+    - name: pe.entry_point
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Relative byte offset to the base of the PE file.
+      example: 25856
+      default_field: false
+    - name: pe.exports
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of symbols exported by PE
+      example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
+      default_field: false
     - name: pe.file_version
       level: extended
       type: keyword
@@ -3985,6 +4907,14 @@
       description: Internal version of the file, provided at compile-time.
       example: 6.3.9600.17415
       default_field: false
+    - name: pe.icon.hash.dhash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Difference Hash (dhash) to find files with a visually similar icon
+        or thumbnail.
+      example: b806e17c8e330d82
+      default_field: false
     - name: pe.imphash
       level: extended
       type: keyword
@@ -3996,12 +4926,33 @@
         Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
       example: 0c6803c4e922103c4dca5963aad36ddf
       default_field: false
+    - name: pe.imports
+      level: extended
+      type: flattened
+      description: List of all imported functions
+      example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
+        }'
+      default_field: false
+    - name: pe.machine_type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Machine type of the PE file.
+      example: Intel 386 or later, and compatibles
+      default_field: false
     - name: pe.original_file_name
       level: extended
       type: wildcard
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
       default_field: false
+    - name: pe.packers
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of packers and tools used.
+      example: '["ASPack v2.12", ".NET executable"]'
+      default_field: false
     - name: pe.product
       level: extended
       type: keyword
@@ -4009,6 +4960,105 @@
       description: Internal product name of the file, provided at compile-time.
       example: "Microsoft\xAE Windows\xAE Operating System"
       default_field: false
+    - name: pe.resources
+      level: extended
+      type: nested
+      description: 'An array containing an object for each PE resource, if present.
+
+        The expected fields for this nested object fall under the `resources.` prefix.'
+      default_field: false
+    - name: pe.resources.chi2
+      level: extended
+      type: long
+      description: Chi-square probability distribution.
+      example: -1
+      default_field: false
+    - name: pe.resources.entropy
+      level: extended
+      type: long
+      description: Measurement of entropy randomness in the resources section.
+      example: 0, 1
+      default_field: false
+    - name: pe.resources.filetype
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: File type of the resources section.
+      example: Data
+      default_field: false
+    - name: pe.resources.language
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Language identification.
+      example: CHINESE SIMPLIFIED
+      default_field: false
+    - name: pe.resources.sha256
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SHA256 hash of resources section.
+      example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+      default_field: false
+    - name: pe.resources.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Digest of resource types.
+      example: '["RT_VERSION", "RT_MANIFEST"]'
+      default_field: false
+    - name: pe.rich_header.hash.md5
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: MD5 hash of the header for the PE file.
+      example: 5aa1aa0f2b4be70397a1e9e2b87627cd
+      default_field: false
+    - name: pe.sections
+      level: extended
+      type: nested
+      description: Data about sections of compiled binary PE
+      default_field: false
+    - name: pe.sections.chi2
+      level: extended
+      type: long
+      description: Chi-square probability distribution.
+      example: 3027194
+      default_field: false
+    - name: pe.sections.entropy
+      level: extended
+      type: float
+      description: Measurement of entropy randomness in the file.
+      example: 6.24
+      default_field: false
+    - name: pe.sections.flags
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Section flags of the file.
+      example: rx
+      default_field: false
+    - name: pe.sections.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Section names of the file.
+      example: .text, .data
+      default_field: false
+    - name: pe.sections.raw_size
+      level: extended
+      type: long
+      format: bytes
+      description: Size of the section or the dize of the initialized data on disk.
+      example: 198144
+      default_field: false
+    - name: pe.sections.virtual_address
+      level: extended
+      type: long
+      format: bytes
+      description: Virtual address available to the file.
+      example: 8192
+      default_field: false
     - name: pgid
       level: extended
       type: long
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
index 2ab59c260c..0bde23311a 100644
--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -118,12 +118,43 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library.
 1.9.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library.
 1.9.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.9.0-dev+exp,true,dll,dll.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
 1.9.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.9.0-dev+exp,true,dll,dll.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
+1.9.0-dev+exp,true,dll,dll.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
+1.9.0-dev+exp,true,dll,dll.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
+1.9.0-dev+exp,true,dll,dll.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
+1.9.0-dev+exp,true,dll,dll.pe.debug,nested,extended,array,,Debug information
+1.9.0-dev+exp,true,dll,dll.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
+1.9.0-dev+exp,true,dll,dll.pe.debug.size,long,extended,,816,Size of the debug information.
+1.9.0-dev+exp,true,dll,dll.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
+1.9.0-dev+exp,true,dll,dll.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
 1.9.0-dev+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.9.0-dev+exp,true,dll,dll.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
+1.9.0-dev+exp,true,dll,dll.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
 1.9.0-dev+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.9.0-dev+exp,true,dll,dll.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
 1.9.0-dev+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.9.0-dev+exp,true,dll,dll.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
+1.9.0-dev+exp,true,dll,dll.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
 1.9.0-dev+exp,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.9.0-dev+exp,true,dll,dll.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
 1.9.0-dev+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.9.0-dev+exp,true,dll,dll.pe.resources,nested,extended,array,,PE resource information
+1.9.0-dev+exp,true,dll,dll.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
+1.9.0-dev+exp,true,dll,dll.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
+1.9.0-dev+exp,true,dll,dll.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
+1.9.0-dev+exp,true,dll,dll.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
+1.9.0-dev+exp,true,dll,dll.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
+1.9.0-dev+exp,true,dll,dll.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
+1.9.0-dev+exp,true,dll,dll.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
+1.9.0-dev+exp,true,dll,dll.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
+1.9.0-dev+exp,true,dll,dll.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
+1.9.0-dev+exp,true,dll,dll.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
+1.9.0-dev+exp,true,dll,dll.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
+1.9.0-dev+exp,true,dll,dll.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
+1.9.0-dev+exp,true,dll,dll.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
+1.9.0-dev+exp,true,dll,dll.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
 1.9.0-dev+exp,true,dns,dns.answers,object,extended,array,,Array of DNS answers.
 1.9.0-dev+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record.
 1.9.0-dev+exp,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource.
@@ -203,12 +234,43 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name."
 1.9.0-dev+exp,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
 1.9.0-dev+exp,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.9.0-dev+exp,true,file,file.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
 1.9.0-dev+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.9.0-dev+exp,true,file,file.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
+1.9.0-dev+exp,true,file,file.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
+1.9.0-dev+exp,true,file,file.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
+1.9.0-dev+exp,true,file,file.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
+1.9.0-dev+exp,true,file,file.pe.debug,nested,extended,array,,Debug information
+1.9.0-dev+exp,true,file,file.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
+1.9.0-dev+exp,true,file,file.pe.debug.size,long,extended,,816,Size of the debug information.
+1.9.0-dev+exp,true,file,file.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
+1.9.0-dev+exp,true,file,file.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
 1.9.0-dev+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.9.0-dev+exp,true,file,file.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
+1.9.0-dev+exp,true,file,file.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
 1.9.0-dev+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.9.0-dev+exp,true,file,file.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
 1.9.0-dev+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.9.0-dev+exp,true,file,file.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
+1.9.0-dev+exp,true,file,file.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
 1.9.0-dev+exp,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.9.0-dev+exp,true,file,file.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
 1.9.0-dev+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.9.0-dev+exp,true,file,file.pe.resources,nested,extended,array,,PE resource information
+1.9.0-dev+exp,true,file,file.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
+1.9.0-dev+exp,true,file,file.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
+1.9.0-dev+exp,true,file,file.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
+1.9.0-dev+exp,true,file,file.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
+1.9.0-dev+exp,true,file,file.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
+1.9.0-dev+exp,true,file,file.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
+1.9.0-dev+exp,true,file,file.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
+1.9.0-dev+exp,true,file,file.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
+1.9.0-dev+exp,true,file,file.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
+1.9.0-dev+exp,true,file,file.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
+1.9.0-dev+exp,true,file,file.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
+1.9.0-dev+exp,true,file,file.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
+1.9.0-dev+exp,true,file,file.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
+1.9.0-dev+exp,true,file,file.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
 1.9.0-dev+exp,true,file,file.size,long,extended,,16384,File size in bytes.
 1.9.0-dev+exp,true,file,file.target_path,wildcard,extended,,,Target path for symlinks.
 1.9.0-dev+exp,true,file,file.target_path.text,text,extended,,,Target path for symlinks.
@@ -433,12 +495,43 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,process,process.parent.name,wildcard,extended,,ssh,Process name.
 1.9.0-dev+exp,true,process,process.parent.name.text,text,extended,,ssh,Process name.
 1.9.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.9.0-dev+exp,true,process,process.parent.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
 1.9.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.9.0-dev+exp,true,process,process.parent.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
+1.9.0-dev+exp,true,process,process.parent.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
+1.9.0-dev+exp,true,process,process.parent.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
+1.9.0-dev+exp,true,process,process.parent.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
+1.9.0-dev+exp,true,process,process.parent.pe.debug,nested,extended,array,,Debug information
+1.9.0-dev+exp,true,process,process.parent.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
+1.9.0-dev+exp,true,process,process.parent.pe.debug.size,long,extended,,816,Size of the debug information.
+1.9.0-dev+exp,true,process,process.parent.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
+1.9.0-dev+exp,true,process,process.parent.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
 1.9.0-dev+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.9.0-dev+exp,true,process,process.parent.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
+1.9.0-dev+exp,true,process,process.parent.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
 1.9.0-dev+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.9.0-dev+exp,true,process,process.parent.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
 1.9.0-dev+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.9.0-dev+exp,true,process,process.parent.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
+1.9.0-dev+exp,true,process,process.parent.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
 1.9.0-dev+exp,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.9.0-dev+exp,true,process,process.parent.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
 1.9.0-dev+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.9.0-dev+exp,true,process,process.parent.pe.resources,nested,extended,array,,PE resource information
+1.9.0-dev+exp,true,process,process.parent.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
+1.9.0-dev+exp,true,process,process.parent.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
+1.9.0-dev+exp,true,process,process.parent.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
+1.9.0-dev+exp,true,process,process.parent.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
+1.9.0-dev+exp,true,process,process.parent.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
+1.9.0-dev+exp,true,process,process.parent.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
+1.9.0-dev+exp,true,process,process.parent.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
+1.9.0-dev+exp,true,process,process.parent.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
+1.9.0-dev+exp,true,process,process.parent.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
+1.9.0-dev+exp,true,process,process.parent.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
+1.9.0-dev+exp,true,process,process.parent.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
+1.9.0-dev+exp,true,process,process.parent.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
+1.9.0-dev+exp,true,process,process.parent.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
+1.9.0-dev+exp,true,process,process.parent.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
 1.9.0-dev+exp,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
 1.9.0-dev+exp,true,process,process.parent.pid,long,core,,4242,Process id.
 1.9.0-dev+exp,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid.
@@ -451,12 +544,43 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process.
 1.9.0-dev+exp,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process.
 1.9.0-dev+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.9.0-dev+exp,true,process,process.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
 1.9.0-dev+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.9.0-dev+exp,true,process,process.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
+1.9.0-dev+exp,true,process,process.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
+1.9.0-dev+exp,true,process,process.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
+1.9.0-dev+exp,true,process,process.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
+1.9.0-dev+exp,true,process,process.pe.debug,nested,extended,array,,Debug information
+1.9.0-dev+exp,true,process,process.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
+1.9.0-dev+exp,true,process,process.pe.debug.size,long,extended,,816,Size of the debug information.
+1.9.0-dev+exp,true,process,process.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
+1.9.0-dev+exp,true,process,process.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
 1.9.0-dev+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.9.0-dev+exp,true,process,process.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
+1.9.0-dev+exp,true,process,process.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
 1.9.0-dev+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.9.0-dev+exp,true,process,process.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
 1.9.0-dev+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.9.0-dev+exp,true,process,process.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
+1.9.0-dev+exp,true,process,process.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
 1.9.0-dev+exp,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.9.0-dev+exp,true,process,process.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
 1.9.0-dev+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.9.0-dev+exp,true,process,process.pe.resources,nested,extended,array,,PE resource information
+1.9.0-dev+exp,true,process,process.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
+1.9.0-dev+exp,true,process,process.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
+1.9.0-dev+exp,true,process,process.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
+1.9.0-dev+exp,true,process,process.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
+1.9.0-dev+exp,true,process,process.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
+1.9.0-dev+exp,true,process,process.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
+1.9.0-dev+exp,true,process,process.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
+1.9.0-dev+exp,true,process,process.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
+1.9.0-dev+exp,true,process,process.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
+1.9.0-dev+exp,true,process,process.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
+1.9.0-dev+exp,true,process,process.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
+1.9.0-dev+exp,true,process,process.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
+1.9.0-dev+exp,true,process,process.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
+1.9.0-dev+exp,true,process,process.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
 1.9.0-dev+exp,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
 1.9.0-dev+exp,true,process,process.pid,long,core,,4242,Process id.
 1.9.0-dev+exp,true,process,process.ppid,long,extended,,4241,Parent process' pid.
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index 54583bb5ad..ee97af19e6 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -1403,6 +1403,18 @@ dll.pe.architecture:
   original_fieldset: pe
   short: CPU architecture target for the file.
   type: keyword
+dll.pe.authentihash:
+  dashed_name: dll-pe-authentihash
+  description: Authentihash of the PE file.
+  example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
+  flat_name: dll.pe.authentihash
+  ignore_above: 1024
+  level: extended
+  name: authentihash
+  normalize: []
+  original_fieldset: pe
+  short: Authentihash of the PE file.
+  type: keyword
 dll.pe.company:
   dashed_name: dll-pe-company
   description: Internal company name of the file, provided at compile-time.
@@ -1415,6 +1427,113 @@ dll.pe.company:
   original_fieldset: pe
   short: Internal company name of the file, provided at compile-time.
   type: keyword
+dll.pe.compile_timestamp:
+  dashed_name: dll-pe-compile-timestamp
+  description: Compile timestamp of the PE file.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: dll.pe.compile_timestamp
+  level: extended
+  name: compile_timestamp
+  normalize: []
+  original_fieldset: pe
+  short: Compile timestamp of the PE file.
+  type: date
+dll.pe.compiler.name:
+  dashed_name: dll-pe-compiler-name
+  description: Name of the compiler
+  example: Clang
+  flat_name: dll.pe.compiler.name
+  ignore_above: 1024
+  level: extended
+  name: compiler.name
+  normalize: []
+  original_fieldset: pe
+  short: Name of the compiler
+  type: keyword
+dll.pe.compiler.version:
+  dashed_name: dll-pe-compiler-version
+  description: Version of the compiler.
+  example: 11.0.0
+  flat_name: dll.pe.compiler.version
+  ignore_above: 1024
+  level: extended
+  name: compiler.version
+  normalize: []
+  original_fieldset: pe
+  short: Version of the compiler.
+  type: keyword
+dll.pe.creation_date:
+  dashed_name: dll-pe-creation-date
+  description: Extracted when possible from the file's metadata. Indicates when it
+    was built or compiled. It can also be faked by malware creators.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: dll.pe.creation_date
+  level: extended
+  name: creation_date
+  normalize: []
+  original_fieldset: pe
+  short: Build or compile date.
+  type: date
+dll.pe.debug:
+  dashed_name: dll-pe-debug
+  description: 'An array containing an object for each debug entry, if present.
+
+    The expected fields for this nested object fall under the `debug.` prefix.'
+  flat_name: dll.pe.debug
+  level: extended
+  name: debug
+  normalize:
+  - array
+  original_fieldset: pe
+  short: Debug information
+  type: nested
+dll.pe.debug.offset:
+  dashed_name: dll-pe-debug-offset
+  description: Debug offset information.
+  example: 1296336
+  flat_name: dll.pe.debug.offset
+  ignore_above: 1024
+  level: extended
+  name: debug.offset
+  normalize: []
+  original_fieldset: pe
+  short: Debug offset information.
+  type: keyword
+dll.pe.debug.size:
+  dashed_name: dll-pe-debug-size
+  description: Size of the debug information.
+  example: 816
+  flat_name: dll.pe.debug.size
+  format: bytes
+  level: extended
+  name: debug.size
+  normalize: []
+  original_fieldset: pe
+  short: Size of the debug information.
+  type: long
+dll.pe.debug.timestamp:
+  dashed_name: dll-pe-debug-timestamp
+  description: Timestamp of the debug information.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: dll.pe.debug.timestamp
+  level: extended
+  name: debug.timestamp
+  normalize: []
+  original_fieldset: pe
+  short: Timestamp of the debug information.
+  type: date
+dll.pe.debug.type:
+  dashed_name: dll-pe-debug-type
+  description: Information type generated by the debug options.
+  example: IMAGE_DEBUG_TYPE_POGO
+  flat_name: dll.pe.debug.type
+  ignore_above: 1024
+  level: extended
+  name: debug.type
+  normalize: []
+  original_fieldset: pe
+  short: Information type generated by the debug options.
+  type: keyword
 dll.pe.description:
   dashed_name: dll-pe-description
   description: Internal description of the file, provided at compile-time.
@@ -1427,6 +1546,31 @@ dll.pe.description:
   original_fieldset: pe
   short: Internal description of the file, provided at compile-time.
   type: keyword
+dll.pe.entry_point:
+  dashed_name: dll-pe-entry-point
+  description: Relative byte offset to the base of the PE file.
+  example: 25856
+  flat_name: dll.pe.entry_point
+  ignore_above: 1024
+  level: extended
+  name: entry_point
+  normalize: []
+  original_fieldset: pe
+  short: Relative byte offset to the base of the PE file.
+  type: keyword
+dll.pe.exports:
+  dashed_name: dll-pe-exports
+  description: List of symbols exported by PE
+  example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
+  flat_name: dll.pe.exports
+  ignore_above: 1024
+  level: extended
+  name: exports
+  normalize:
+  - array
+  original_fieldset: pe
+  short: List of symbols exported by PE
+  type: keyword
 dll.pe.file_version:
   dashed_name: dll-pe-file-version
   description: Internal version of the file, provided at compile-time.
@@ -1439,6 +1583,19 @@ dll.pe.file_version:
   original_fieldset: pe
   short: Process name.
   type: keyword
+dll.pe.icon.hash.dhash:
+  dashed_name: dll-pe-icon-hash-dhash
+  description: Difference Hash (dhash) to find files with a visually similar icon
+    or thumbnail.
+  example: b806e17c8e330d82
+  flat_name: dll.pe.icon.hash.dhash
+  ignore_above: 1024
+  level: extended
+  name: icon.hash.dhash
+  normalize: []
+  original_fieldset: pe
+  short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
+  type: keyword
 dll.pe.imphash:
   dashed_name: dll-pe-imphash
   description: 'A hash of the imports in a PE file. An imphash -- or import hash --
@@ -1455,6 +1612,30 @@ dll.pe.imphash:
   original_fieldset: pe
   short: A hash of the imports in a PE file.
   type: keyword
+dll.pe.imports:
+  dashed_name: dll-pe-imports
+  description: List of all imported functions
+  example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
+    }'
+  flat_name: dll.pe.imports
+  level: extended
+  name: imports
+  normalize: []
+  original_fieldset: pe
+  short: List of all imported functions
+  type: flattened
+dll.pe.machine_type:
+  dashed_name: dll-pe-machine-type
+  description: Machine type of the PE file.
+  example: Intel 386 or later, and compatibles
+  flat_name: dll.pe.machine_type
+  ignore_above: 1024
+  level: extended
+  name: machine_type
+  normalize: []
+  original_fieldset: pe
+  short: Machine type of the PE file.
+  type: keyword
 dll.pe.original_file_name:
   dashed_name: dll-pe-original-file-name
   description: Internal name of the file, provided at compile-time.
@@ -1466,6 +1647,19 @@ dll.pe.original_file_name:
   original_fieldset: pe
   short: Internal name of the file, provided at compile-time.
   type: wildcard
+dll.pe.packers:
+  dashed_name: dll-pe-packers
+  description: List of packers and tools used.
+  example: '["ASPack v2.12", ".NET executable"]'
+  flat_name: dll.pe.packers
+  ignore_above: 1024
+  level: extended
+  name: packers
+  normalize:
+  - array
+  original_fieldset: pe
+  short: List of packers and tools used.
+  type: keyword
 dll.pe.product:
   dashed_name: dll-pe-product
   description: Internal product name of the file, provided at compile-time.
@@ -1478,6 +1672,183 @@ dll.pe.product:
   original_fieldset: pe
   short: Internal product name of the file, provided at compile-time.
   type: keyword
+dll.pe.resources:
+  dashed_name: dll-pe-resources
+  description: 'An array containing an object for each PE resource, if present.
+
+    The expected fields for this nested object fall under the `resources.` prefix.'
+  flat_name: dll.pe.resources
+  level: extended
+  name: resources
+  normalize:
+  - array
+  original_fieldset: pe
+  short: PE resource information
+  type: nested
+dll.pe.resources.chi2:
+  dashed_name: dll-pe-resources-chi2
+  description: Chi-square probability distribution.
+  example: -1
+  flat_name: dll.pe.resources.chi2
+  level: extended
+  name: resources.chi2
+  normalize: []
+  original_fieldset: pe
+  short: Chi-square probability distribution.
+  type: long
+dll.pe.resources.entropy:
+  dashed_name: dll-pe-resources-entropy
+  description: Measurement of entropy randomness in the resources section.
+  example: 0, 1
+  flat_name: dll.pe.resources.entropy
+  level: extended
+  name: resources.entropy
+  normalize: []
+  original_fieldset: pe
+  short: Measurement of entropy randomness in the resources section.
+  type: long
+dll.pe.resources.filetype:
+  dashed_name: dll-pe-resources-filetype
+  description: File type of the resources section.
+  example: Data
+  flat_name: dll.pe.resources.filetype
+  ignore_above: 1024
+  level: extended
+  name: resources.filetype
+  normalize: []
+  original_fieldset: pe
+  short: File type of the resources section.
+  type: keyword
+dll.pe.resources.language:
+  dashed_name: dll-pe-resources-language
+  description: Language identification.
+  example: CHINESE SIMPLIFIED
+  flat_name: dll.pe.resources.language
+  ignore_above: 1024
+  level: extended
+  name: resources.language
+  normalize: []
+  original_fieldset: pe
+  short: Language identification.
+  type: keyword
+dll.pe.resources.sha256:
+  dashed_name: dll-pe-resources-sha256
+  description: SHA256 hash of resources section.
+  example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+  flat_name: dll.pe.resources.sha256
+  ignore_above: 1024
+  level: extended
+  name: resources.sha256
+  normalize: []
+  original_fieldset: pe
+  short: SHA256 hash of resources section.
+  type: keyword
+dll.pe.resources.type:
+  dashed_name: dll-pe-resources-type
+  description: Digest of resource types.
+  example: '["RT_VERSION", "RT_MANIFEST"]'
+  flat_name: dll.pe.resources.type
+  ignore_above: 1024
+  level: extended
+  name: resources.type
+  normalize:
+  - array
+  original_fieldset: pe
+  short: List of resource types.
+  type: keyword
+dll.pe.rich_header.hash.md5:
+  dashed_name: dll-pe-rich-header-hash-md5
+  description: MD5 hash of the header for the PE file.
+  example: 5aa1aa0f2b4be70397a1e9e2b87627cd
+  flat_name: dll.pe.rich_header.hash.md5
+  ignore_above: 1024
+  level: extended
+  name: rich_header.hash.md5
+  normalize: []
+  original_fieldset: pe
+  short: MD5 hash of the header for the PE file.
+  type: keyword
+dll.pe.sections:
+  dashed_name: dll-pe-sections
+  description: Data about sections of compiled binary PE
+  flat_name: dll.pe.sections
+  level: extended
+  name: sections
+  normalize:
+  - array
+  original_fieldset: pe
+  short: Data about sections of the compiled binary PE
+  type: nested
+dll.pe.sections.chi2:
+  dashed_name: dll-pe-sections-chi2
+  description: Chi-square probability distribution.
+  example: 3027194
+  flat_name: dll.pe.sections.chi2
+  level: extended
+  name: sections.chi2
+  normalize: []
+  original_fieldset: pe
+  short: Chi-square probability distribution.
+  type: long
+dll.pe.sections.entropy:
+  dashed_name: dll-pe-sections-entropy
+  description: Measurement of entropy randomness in the file.
+  example: 6.24
+  flat_name: dll.pe.sections.entropy
+  level: extended
+  name: sections.entropy
+  normalize: []
+  original_fieldset: pe
+  short: Measurement of entropy randomness in the file.
+  type: float
+dll.pe.sections.flags:
+  dashed_name: dll-pe-sections-flags
+  description: Section flags of the file.
+  example: rx
+  flat_name: dll.pe.sections.flags
+  ignore_above: 1024
+  level: extended
+  name: sections.flags
+  normalize: []
+  original_fieldset: pe
+  short: Section flags of the file.
+  type: keyword
+dll.pe.sections.name:
+  dashed_name: dll-pe-sections-name
+  description: Section names of the file.
+  example: .text, .data
+  flat_name: dll.pe.sections.name
+  ignore_above: 1024
+  level: extended
+  name: sections.name
+  normalize: []
+  original_fieldset: pe
+  short: Section names of the file.
+  type: keyword
+dll.pe.sections.raw_size:
+  dashed_name: dll-pe-sections-raw-size
+  description: Size of the section or the dize of the initialized data on disk.
+  example: 198144
+  flat_name: dll.pe.sections.raw_size
+  format: bytes
+  level: extended
+  name: sections.raw_size
+  normalize: []
+  original_fieldset: pe
+  short: Size of the section or the dize of the initialized data on disk.
+  type: long
+dll.pe.sections.virtual_address:
+  dashed_name: dll-pe-sections-virtual-address
+  description: Virtual address available to the file.
+  example: 8192
+  flat_name: dll.pe.sections.virtual_address
+  format: bytes
+  level: extended
+  name: sections.virtual_address
+  normalize: []
+  original_fieldset: pe
+  short: Virtual address available to the file.
+  type: long
 dns.answers:
   dashed_name: dns-answers
   description: 'An array containing an object for each answer section returned by
@@ -2884,6 +3255,18 @@ file.pe.architecture:
   original_fieldset: pe
   short: CPU architecture target for the file.
   type: keyword
+file.pe.authentihash:
+  dashed_name: file-pe-authentihash
+  description: Authentihash of the PE file.
+  example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
+  flat_name: file.pe.authentihash
+  ignore_above: 1024
+  level: extended
+  name: authentihash
+  normalize: []
+  original_fieldset: pe
+  short: Authentihash of the PE file.
+  type: keyword
 file.pe.company:
   dashed_name: file-pe-company
   description: Internal company name of the file, provided at compile-time.
@@ -2896,6 +3279,113 @@ file.pe.company:
   original_fieldset: pe
   short: Internal company name of the file, provided at compile-time.
   type: keyword
+file.pe.compile_timestamp:
+  dashed_name: file-pe-compile-timestamp
+  description: Compile timestamp of the PE file.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: file.pe.compile_timestamp
+  level: extended
+  name: compile_timestamp
+  normalize: []
+  original_fieldset: pe
+  short: Compile timestamp of the PE file.
+  type: date
+file.pe.compiler.name:
+  dashed_name: file-pe-compiler-name
+  description: Name of the compiler
+  example: Clang
+  flat_name: file.pe.compiler.name
+  ignore_above: 1024
+  level: extended
+  name: compiler.name
+  normalize: []
+  original_fieldset: pe
+  short: Name of the compiler
+  type: keyword
+file.pe.compiler.version:
+  dashed_name: file-pe-compiler-version
+  description: Version of the compiler.
+  example: 11.0.0
+  flat_name: file.pe.compiler.version
+  ignore_above: 1024
+  level: extended
+  name: compiler.version
+  normalize: []
+  original_fieldset: pe
+  short: Version of the compiler.
+  type: keyword
+file.pe.creation_date:
+  dashed_name: file-pe-creation-date
+  description: Extracted when possible from the file's metadata. Indicates when it
+    was built or compiled. It can also be faked by malware creators.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: file.pe.creation_date
+  level: extended
+  name: creation_date
+  normalize: []
+  original_fieldset: pe
+  short: Build or compile date.
+  type: date
+file.pe.debug:
+  dashed_name: file-pe-debug
+  description: 'An array containing an object for each debug entry, if present.
+
+    The expected fields for this nested object fall under the `debug.` prefix.'
+  flat_name: file.pe.debug
+  level: extended
+  name: debug
+  normalize:
+  - array
+  original_fieldset: pe
+  short: Debug information
+  type: nested
+file.pe.debug.offset:
+  dashed_name: file-pe-debug-offset
+  description: Debug offset information.
+  example: 1296336
+  flat_name: file.pe.debug.offset
+  ignore_above: 1024
+  level: extended
+  name: debug.offset
+  normalize: []
+  original_fieldset: pe
+  short: Debug offset information.
+  type: keyword
+file.pe.debug.size:
+  dashed_name: file-pe-debug-size
+  description: Size of the debug information.
+  example: 816
+  flat_name: file.pe.debug.size
+  format: bytes
+  level: extended
+  name: debug.size
+  normalize: []
+  original_fieldset: pe
+  short: Size of the debug information.
+  type: long
+file.pe.debug.timestamp:
+  dashed_name: file-pe-debug-timestamp
+  description: Timestamp of the debug information.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: file.pe.debug.timestamp
+  level: extended
+  name: debug.timestamp
+  normalize: []
+  original_fieldset: pe
+  short: Timestamp of the debug information.
+  type: date
+file.pe.debug.type:
+  dashed_name: file-pe-debug-type
+  description: Information type generated by the debug options.
+  example: IMAGE_DEBUG_TYPE_POGO
+  flat_name: file.pe.debug.type
+  ignore_above: 1024
+  level: extended
+  name: debug.type
+  normalize: []
+  original_fieldset: pe
+  short: Information type generated by the debug options.
+  type: keyword
 file.pe.description:
   dashed_name: file-pe-description
   description: Internal description of the file, provided at compile-time.
@@ -2908,6 +3398,31 @@ file.pe.description:
   original_fieldset: pe
   short: Internal description of the file, provided at compile-time.
   type: keyword
+file.pe.entry_point:
+  dashed_name: file-pe-entry-point
+  description: Relative byte offset to the base of the PE file.
+  example: 25856
+  flat_name: file.pe.entry_point
+  ignore_above: 1024
+  level: extended
+  name: entry_point
+  normalize: []
+  original_fieldset: pe
+  short: Relative byte offset to the base of the PE file.
+  type: keyword
+file.pe.exports:
+  dashed_name: file-pe-exports
+  description: List of symbols exported by PE
+  example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
+  flat_name: file.pe.exports
+  ignore_above: 1024
+  level: extended
+  name: exports
+  normalize:
+  - array
+  original_fieldset: pe
+  short: List of symbols exported by PE
+  type: keyword
 file.pe.file_version:
   dashed_name: file-pe-file-version
   description: Internal version of the file, provided at compile-time.
@@ -2920,6 +3435,19 @@ file.pe.file_version:
   original_fieldset: pe
   short: Process name.
   type: keyword
+file.pe.icon.hash.dhash:
+  dashed_name: file-pe-icon-hash-dhash
+  description: Difference Hash (dhash) to find files with a visually similar icon
+    or thumbnail.
+  example: b806e17c8e330d82
+  flat_name: file.pe.icon.hash.dhash
+  ignore_above: 1024
+  level: extended
+  name: icon.hash.dhash
+  normalize: []
+  original_fieldset: pe
+  short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
+  type: keyword
 file.pe.imphash:
   dashed_name: file-pe-imphash
   description: 'A hash of the imports in a PE file. An imphash -- or import hash --
@@ -2936,6 +3464,30 @@ file.pe.imphash:
   original_fieldset: pe
   short: A hash of the imports in a PE file.
   type: keyword
+file.pe.imports:
+  dashed_name: file-pe-imports
+  description: List of all imported functions
+  example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
+    }'
+  flat_name: file.pe.imports
+  level: extended
+  name: imports
+  normalize: []
+  original_fieldset: pe
+  short: List of all imported functions
+  type: flattened
+file.pe.machine_type:
+  dashed_name: file-pe-machine-type
+  description: Machine type of the PE file.
+  example: Intel 386 or later, and compatibles
+  flat_name: file.pe.machine_type
+  ignore_above: 1024
+  level: extended
+  name: machine_type
+  normalize: []
+  original_fieldset: pe
+  short: Machine type of the PE file.
+  type: keyword
 file.pe.original_file_name:
   dashed_name: file-pe-original-file-name
   description: Internal name of the file, provided at compile-time.
@@ -2947,6 +3499,19 @@ file.pe.original_file_name:
   original_fieldset: pe
   short: Internal name of the file, provided at compile-time.
   type: wildcard
+file.pe.packers:
+  dashed_name: file-pe-packers
+  description: List of packers and tools used.
+  example: '["ASPack v2.12", ".NET executable"]'
+  flat_name: file.pe.packers
+  ignore_above: 1024
+  level: extended
+  name: packers
+  normalize:
+  - array
+  original_fieldset: pe
+  short: List of packers and tools used.
+  type: keyword
 file.pe.product:
   dashed_name: file-pe-product
   description: Internal product name of the file, provided at compile-time.
@@ -2959,38 +3524,215 @@ file.pe.product:
   original_fieldset: pe
   short: Internal product name of the file, provided at compile-time.
   type: keyword
-file.size:
-  dashed_name: file-size
-  description: 'File size in bytes.
+file.pe.resources:
+  dashed_name: file-pe-resources
+  description: 'An array containing an object for each PE resource, if present.
 
-    Only relevant when `file.type` is "file".'
-  example: 16384
-  flat_name: file.size
+    The expected fields for this nested object fall under the `resources.` prefix.'
+  flat_name: file.pe.resources
   level: extended
-  name: size
+  name: resources
+  normalize:
+  - array
+  original_fieldset: pe
+  short: PE resource information
+  type: nested
+file.pe.resources.chi2:
+  dashed_name: file-pe-resources-chi2
+  description: Chi-square probability distribution.
+  example: -1
+  flat_name: file.pe.resources.chi2
+  level: extended
+  name: resources.chi2
   normalize: []
-  short: File size in bytes.
+  original_fieldset: pe
+  short: Chi-square probability distribution.
   type: long
-file.target_path:
-  dashed_name: file-target-path
-  description: Target path for symlinks.
-  flat_name: file.target_path
+file.pe.resources.entropy:
+  dashed_name: file-pe-resources-entropy
+  description: Measurement of entropy randomness in the resources section.
+  example: 0, 1
+  flat_name: file.pe.resources.entropy
   level: extended
-  multi_fields:
-  - flat_name: file.target_path.text
-    name: text
-    norms: false
-    type: text
-  name: target_path
+  name: resources.entropy
   normalize: []
-  short: Target path for symlinks.
-  type: wildcard
-file.type:
-  dashed_name: file-type
-  description: File type (file, dir, or symlink).
-  example: file
-  flat_name: file.type
-  ignore_above: 1024
+  original_fieldset: pe
+  short: Measurement of entropy randomness in the resources section.
+  type: long
+file.pe.resources.filetype:
+  dashed_name: file-pe-resources-filetype
+  description: File type of the resources section.
+  example: Data
+  flat_name: file.pe.resources.filetype
+  ignore_above: 1024
+  level: extended
+  name: resources.filetype
+  normalize: []
+  original_fieldset: pe
+  short: File type of the resources section.
+  type: keyword
+file.pe.resources.language:
+  dashed_name: file-pe-resources-language
+  description: Language identification.
+  example: CHINESE SIMPLIFIED
+  flat_name: file.pe.resources.language
+  ignore_above: 1024
+  level: extended
+  name: resources.language
+  normalize: []
+  original_fieldset: pe
+  short: Language identification.
+  type: keyword
+file.pe.resources.sha256:
+  dashed_name: file-pe-resources-sha256
+  description: SHA256 hash of resources section.
+  example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+  flat_name: file.pe.resources.sha256
+  ignore_above: 1024
+  level: extended
+  name: resources.sha256
+  normalize: []
+  original_fieldset: pe
+  short: SHA256 hash of resources section.
+  type: keyword
+file.pe.resources.type:
+  dashed_name: file-pe-resources-type
+  description: Digest of resource types.
+  example: '["RT_VERSION", "RT_MANIFEST"]'
+  flat_name: file.pe.resources.type
+  ignore_above: 1024
+  level: extended
+  name: resources.type
+  normalize:
+  - array
+  original_fieldset: pe
+  short: List of resource types.
+  type: keyword
+file.pe.rich_header.hash.md5:
+  dashed_name: file-pe-rich-header-hash-md5
+  description: MD5 hash of the header for the PE file.
+  example: 5aa1aa0f2b4be70397a1e9e2b87627cd
+  flat_name: file.pe.rich_header.hash.md5
+  ignore_above: 1024
+  level: extended
+  name: rich_header.hash.md5
+  normalize: []
+  original_fieldset: pe
+  short: MD5 hash of the header for the PE file.
+  type: keyword
+file.pe.sections:
+  dashed_name: file-pe-sections
+  description: Data about sections of compiled binary PE
+  flat_name: file.pe.sections
+  level: extended
+  name: sections
+  normalize:
+  - array
+  original_fieldset: pe
+  short: Data about sections of the compiled binary PE
+  type: nested
+file.pe.sections.chi2:
+  dashed_name: file-pe-sections-chi2
+  description: Chi-square probability distribution.
+  example: 3027194
+  flat_name: file.pe.sections.chi2
+  level: extended
+  name: sections.chi2
+  normalize: []
+  original_fieldset: pe
+  short: Chi-square probability distribution.
+  type: long
+file.pe.sections.entropy:
+  dashed_name: file-pe-sections-entropy
+  description: Measurement of entropy randomness in the file.
+  example: 6.24
+  flat_name: file.pe.sections.entropy
+  level: extended
+  name: sections.entropy
+  normalize: []
+  original_fieldset: pe
+  short: Measurement of entropy randomness in the file.
+  type: float
+file.pe.sections.flags:
+  dashed_name: file-pe-sections-flags
+  description: Section flags of the file.
+  example: rx
+  flat_name: file.pe.sections.flags
+  ignore_above: 1024
+  level: extended
+  name: sections.flags
+  normalize: []
+  original_fieldset: pe
+  short: Section flags of the file.
+  type: keyword
+file.pe.sections.name:
+  dashed_name: file-pe-sections-name
+  description: Section names of the file.
+  example: .text, .data
+  flat_name: file.pe.sections.name
+  ignore_above: 1024
+  level: extended
+  name: sections.name
+  normalize: []
+  original_fieldset: pe
+  short: Section names of the file.
+  type: keyword
+file.pe.sections.raw_size:
+  dashed_name: file-pe-sections-raw-size
+  description: Size of the section or the dize of the initialized data on disk.
+  example: 198144
+  flat_name: file.pe.sections.raw_size
+  format: bytes
+  level: extended
+  name: sections.raw_size
+  normalize: []
+  original_fieldset: pe
+  short: Size of the section or the dize of the initialized data on disk.
+  type: long
+file.pe.sections.virtual_address:
+  dashed_name: file-pe-sections-virtual-address
+  description: Virtual address available to the file.
+  example: 8192
+  flat_name: file.pe.sections.virtual_address
+  format: bytes
+  level: extended
+  name: sections.virtual_address
+  normalize: []
+  original_fieldset: pe
+  short: Virtual address available to the file.
+  type: long
+file.size:
+  dashed_name: file-size
+  description: 'File size in bytes.
+
+    Only relevant when `file.type` is "file".'
+  example: 16384
+  flat_name: file.size
+  level: extended
+  name: size
+  normalize: []
+  short: File size in bytes.
+  type: long
+file.target_path:
+  dashed_name: file-target-path
+  description: Target path for symlinks.
+  flat_name: file.target_path
+  level: extended
+  multi_fields:
+  - flat_name: file.target_path.text
+    name: text
+    norms: false
+    type: text
+  name: target_path
+  normalize: []
+  short: Target path for symlinks.
+  type: wildcard
+file.type:
+  dashed_name: file-type
+  description: File type (file, dir, or symlink).
+  example: file
+  flat_name: file.type
+  ignore_above: 1024
   level: extended
   name: type
   normalize: []
@@ -5682,6 +6424,18 @@ process.parent.pe.architecture:
   original_fieldset: pe
   short: CPU architecture target for the file.
   type: keyword
+process.parent.pe.authentihash:
+  dashed_name: process-parent-pe-authentihash
+  description: Authentihash of the PE file.
+  example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
+  flat_name: process.parent.pe.authentihash
+  ignore_above: 1024
+  level: extended
+  name: authentihash
+  normalize: []
+  original_fieldset: pe
+  short: Authentihash of the PE file.
+  type: keyword
 process.parent.pe.company:
   dashed_name: process-parent-pe-company
   description: Internal company name of the file, provided at compile-time.
@@ -5694,6 +6448,113 @@ process.parent.pe.company:
   original_fieldset: pe
   short: Internal company name of the file, provided at compile-time.
   type: keyword
+process.parent.pe.compile_timestamp:
+  dashed_name: process-parent-pe-compile-timestamp
+  description: Compile timestamp of the PE file.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: process.parent.pe.compile_timestamp
+  level: extended
+  name: compile_timestamp
+  normalize: []
+  original_fieldset: pe
+  short: Compile timestamp of the PE file.
+  type: date
+process.parent.pe.compiler.name:
+  dashed_name: process-parent-pe-compiler-name
+  description: Name of the compiler
+  example: Clang
+  flat_name: process.parent.pe.compiler.name
+  ignore_above: 1024
+  level: extended
+  name: compiler.name
+  normalize: []
+  original_fieldset: pe
+  short: Name of the compiler
+  type: keyword
+process.parent.pe.compiler.version:
+  dashed_name: process-parent-pe-compiler-version
+  description: Version of the compiler.
+  example: 11.0.0
+  flat_name: process.parent.pe.compiler.version
+  ignore_above: 1024
+  level: extended
+  name: compiler.version
+  normalize: []
+  original_fieldset: pe
+  short: Version of the compiler.
+  type: keyword
+process.parent.pe.creation_date:
+  dashed_name: process-parent-pe-creation-date
+  description: Extracted when possible from the file's metadata. Indicates when it
+    was built or compiled. It can also be faked by malware creators.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: process.parent.pe.creation_date
+  level: extended
+  name: creation_date
+  normalize: []
+  original_fieldset: pe
+  short: Build or compile date.
+  type: date
+process.parent.pe.debug:
+  dashed_name: process-parent-pe-debug
+  description: 'An array containing an object for each debug entry, if present.
+
+    The expected fields for this nested object fall under the `debug.` prefix.'
+  flat_name: process.parent.pe.debug
+  level: extended
+  name: debug
+  normalize:
+  - array
+  original_fieldset: pe
+  short: Debug information
+  type: nested
+process.parent.pe.debug.offset:
+  dashed_name: process-parent-pe-debug-offset
+  description: Debug offset information.
+  example: 1296336
+  flat_name: process.parent.pe.debug.offset
+  ignore_above: 1024
+  level: extended
+  name: debug.offset
+  normalize: []
+  original_fieldset: pe
+  short: Debug offset information.
+  type: keyword
+process.parent.pe.debug.size:
+  dashed_name: process-parent-pe-debug-size
+  description: Size of the debug information.
+  example: 816
+  flat_name: process.parent.pe.debug.size
+  format: bytes
+  level: extended
+  name: debug.size
+  normalize: []
+  original_fieldset: pe
+  short: Size of the debug information.
+  type: long
+process.parent.pe.debug.timestamp:
+  dashed_name: process-parent-pe-debug-timestamp
+  description: Timestamp of the debug information.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: process.parent.pe.debug.timestamp
+  level: extended
+  name: debug.timestamp
+  normalize: []
+  original_fieldset: pe
+  short: Timestamp of the debug information.
+  type: date
+process.parent.pe.debug.type:
+  dashed_name: process-parent-pe-debug-type
+  description: Information type generated by the debug options.
+  example: IMAGE_DEBUG_TYPE_POGO
+  flat_name: process.parent.pe.debug.type
+  ignore_above: 1024
+  level: extended
+  name: debug.type
+  normalize: []
+  original_fieldset: pe
+  short: Information type generated by the debug options.
+  type: keyword
 process.parent.pe.description:
   dashed_name: process-parent-pe-description
   description: Internal description of the file, provided at compile-time.
@@ -5706,6 +6567,31 @@ process.parent.pe.description:
   original_fieldset: pe
   short: Internal description of the file, provided at compile-time.
   type: keyword
+process.parent.pe.entry_point:
+  dashed_name: process-parent-pe-entry-point
+  description: Relative byte offset to the base of the PE file.
+  example: 25856
+  flat_name: process.parent.pe.entry_point
+  ignore_above: 1024
+  level: extended
+  name: entry_point
+  normalize: []
+  original_fieldset: pe
+  short: Relative byte offset to the base of the PE file.
+  type: keyword
+process.parent.pe.exports:
+  dashed_name: process-parent-pe-exports
+  description: List of symbols exported by PE
+  example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
+  flat_name: process.parent.pe.exports
+  ignore_above: 1024
+  level: extended
+  name: exports
+  normalize:
+  - array
+  original_fieldset: pe
+  short: List of symbols exported by PE
+  type: keyword
 process.parent.pe.file_version:
   dashed_name: process-parent-pe-file-version
   description: Internal version of the file, provided at compile-time.
@@ -5718,6 +6604,19 @@ process.parent.pe.file_version:
   original_fieldset: pe
   short: Process name.
   type: keyword
+process.parent.pe.icon.hash.dhash:
+  dashed_name: process-parent-pe-icon-hash-dhash
+  description: Difference Hash (dhash) to find files with a visually similar icon
+    or thumbnail.
+  example: b806e17c8e330d82
+  flat_name: process.parent.pe.icon.hash.dhash
+  ignore_above: 1024
+  level: extended
+  name: icon.hash.dhash
+  normalize: []
+  original_fieldset: pe
+  short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
+  type: keyword
 process.parent.pe.imphash:
   dashed_name: process-parent-pe-imphash
   description: 'A hash of the imports in a PE file. An imphash -- or import hash --
@@ -5734,6 +6633,30 @@ process.parent.pe.imphash:
   original_fieldset: pe
   short: A hash of the imports in a PE file.
   type: keyword
+process.parent.pe.imports:
+  dashed_name: process-parent-pe-imports
+  description: List of all imported functions
+  example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
+    }'
+  flat_name: process.parent.pe.imports
+  level: extended
+  name: imports
+  normalize: []
+  original_fieldset: pe
+  short: List of all imported functions
+  type: flattened
+process.parent.pe.machine_type:
+  dashed_name: process-parent-pe-machine-type
+  description: Machine type of the PE file.
+  example: Intel 386 or later, and compatibles
+  flat_name: process.parent.pe.machine_type
+  ignore_above: 1024
+  level: extended
+  name: machine_type
+  normalize: []
+  original_fieldset: pe
+  short: Machine type of the PE file.
+  type: keyword
 process.parent.pe.original_file_name:
   dashed_name: process-parent-pe-original-file-name
   description: Internal name of the file, provided at compile-time.
@@ -5745,6 +6668,19 @@ process.parent.pe.original_file_name:
   original_fieldset: pe
   short: Internal name of the file, provided at compile-time.
   type: wildcard
+process.parent.pe.packers:
+  dashed_name: process-parent-pe-packers
+  description: List of packers and tools used.
+  example: '["ASPack v2.12", ".NET executable"]'
+  flat_name: process.parent.pe.packers
+  ignore_above: 1024
+  level: extended
+  name: packers
+  normalize:
+  - array
+  original_fieldset: pe
+  short: List of packers and tools used.
+  type: keyword
 process.parent.pe.product:
   dashed_name: process-parent-pe-product
   description: Internal product name of the file, provided at compile-time.
@@ -5757,6 +6693,183 @@ process.parent.pe.product:
   original_fieldset: pe
   short: Internal product name of the file, provided at compile-time.
   type: keyword
+process.parent.pe.resources:
+  dashed_name: process-parent-pe-resources
+  description: 'An array containing an object for each PE resource, if present.
+
+    The expected fields for this nested object fall under the `resources.` prefix.'
+  flat_name: process.parent.pe.resources
+  level: extended
+  name: resources
+  normalize:
+  - array
+  original_fieldset: pe
+  short: PE resource information
+  type: nested
+process.parent.pe.resources.chi2:
+  dashed_name: process-parent-pe-resources-chi2
+  description: Chi-square probability distribution.
+  example: -1
+  flat_name: process.parent.pe.resources.chi2
+  level: extended
+  name: resources.chi2
+  normalize: []
+  original_fieldset: pe
+  short: Chi-square probability distribution.
+  type: long
+process.parent.pe.resources.entropy:
+  dashed_name: process-parent-pe-resources-entropy
+  description: Measurement of entropy randomness in the resources section.
+  example: 0, 1
+  flat_name: process.parent.pe.resources.entropy
+  level: extended
+  name: resources.entropy
+  normalize: []
+  original_fieldset: pe
+  short: Measurement of entropy randomness in the resources section.
+  type: long
+process.parent.pe.resources.filetype:
+  dashed_name: process-parent-pe-resources-filetype
+  description: File type of the resources section.
+  example: Data
+  flat_name: process.parent.pe.resources.filetype
+  ignore_above: 1024
+  level: extended
+  name: resources.filetype
+  normalize: []
+  original_fieldset: pe
+  short: File type of the resources section.
+  type: keyword
+process.parent.pe.resources.language:
+  dashed_name: process-parent-pe-resources-language
+  description: Language identification.
+  example: CHINESE SIMPLIFIED
+  flat_name: process.parent.pe.resources.language
+  ignore_above: 1024
+  level: extended
+  name: resources.language
+  normalize: []
+  original_fieldset: pe
+  short: Language identification.
+  type: keyword
+process.parent.pe.resources.sha256:
+  dashed_name: process-parent-pe-resources-sha256
+  description: SHA256 hash of resources section.
+  example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+  flat_name: process.parent.pe.resources.sha256
+  ignore_above: 1024
+  level: extended
+  name: resources.sha256
+  normalize: []
+  original_fieldset: pe
+  short: SHA256 hash of resources section.
+  type: keyword
+process.parent.pe.resources.type:
+  dashed_name: process-parent-pe-resources-type
+  description: Digest of resource types.
+  example: '["RT_VERSION", "RT_MANIFEST"]'
+  flat_name: process.parent.pe.resources.type
+  ignore_above: 1024
+  level: extended
+  name: resources.type
+  normalize:
+  - array
+  original_fieldset: pe
+  short: List of resource types.
+  type: keyword
+process.parent.pe.rich_header.hash.md5:
+  dashed_name: process-parent-pe-rich-header-hash-md5
+  description: MD5 hash of the header for the PE file.
+  example: 5aa1aa0f2b4be70397a1e9e2b87627cd
+  flat_name: process.parent.pe.rich_header.hash.md5
+  ignore_above: 1024
+  level: extended
+  name: rich_header.hash.md5
+  normalize: []
+  original_fieldset: pe
+  short: MD5 hash of the header for the PE file.
+  type: keyword
+process.parent.pe.sections:
+  dashed_name: process-parent-pe-sections
+  description: Data about sections of compiled binary PE
+  flat_name: process.parent.pe.sections
+  level: extended
+  name: sections
+  normalize:
+  - array
+  original_fieldset: pe
+  short: Data about sections of the compiled binary PE
+  type: nested
+process.parent.pe.sections.chi2:
+  dashed_name: process-parent-pe-sections-chi2
+  description: Chi-square probability distribution.
+  example: 3027194
+  flat_name: process.parent.pe.sections.chi2
+  level: extended
+  name: sections.chi2
+  normalize: []
+  original_fieldset: pe
+  short: Chi-square probability distribution.
+  type: long
+process.parent.pe.sections.entropy:
+  dashed_name: process-parent-pe-sections-entropy
+  description: Measurement of entropy randomness in the file.
+  example: 6.24
+  flat_name: process.parent.pe.sections.entropy
+  level: extended
+  name: sections.entropy
+  normalize: []
+  original_fieldset: pe
+  short: Measurement of entropy randomness in the file.
+  type: float
+process.parent.pe.sections.flags:
+  dashed_name: process-parent-pe-sections-flags
+  description: Section flags of the file.
+  example: rx
+  flat_name: process.parent.pe.sections.flags
+  ignore_above: 1024
+  level: extended
+  name: sections.flags
+  normalize: []
+  original_fieldset: pe
+  short: Section flags of the file.
+  type: keyword
+process.parent.pe.sections.name:
+  dashed_name: process-parent-pe-sections-name
+  description: Section names of the file.
+  example: .text, .data
+  flat_name: process.parent.pe.sections.name
+  ignore_above: 1024
+  level: extended
+  name: sections.name
+  normalize: []
+  original_fieldset: pe
+  short: Section names of the file.
+  type: keyword
+process.parent.pe.sections.raw_size:
+  dashed_name: process-parent-pe-sections-raw-size
+  description: Size of the section or the dize of the initialized data on disk.
+  example: 198144
+  flat_name: process.parent.pe.sections.raw_size
+  format: bytes
+  level: extended
+  name: sections.raw_size
+  normalize: []
+  original_fieldset: pe
+  short: Size of the section or the dize of the initialized data on disk.
+  type: long
+process.parent.pe.sections.virtual_address:
+  dashed_name: process-parent-pe-sections-virtual-address
+  description: Virtual address available to the file.
+  example: 8192
+  flat_name: process.parent.pe.sections.virtual_address
+  format: bytes
+  level: extended
+  name: sections.virtual_address
+  normalize: []
+  original_fieldset: pe
+  short: Virtual address available to the file.
+  type: long
 process.parent.pgid:
   dashed_name: process-parent-pgid
   description: Identifier of the group of processes the process belongs to.
@@ -5883,6 +6996,18 @@ process.pe.architecture:
   original_fieldset: pe
   short: CPU architecture target for the file.
   type: keyword
+process.pe.authentihash:
+  dashed_name: process-pe-authentihash
+  description: Authentihash of the PE file.
+  example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
+  flat_name: process.pe.authentihash
+  ignore_above: 1024
+  level: extended
+  name: authentihash
+  normalize: []
+  original_fieldset: pe
+  short: Authentihash of the PE file.
+  type: keyword
 process.pe.company:
   dashed_name: process-pe-company
   description: Internal company name of the file, provided at compile-time.
@@ -5895,6 +7020,113 @@ process.pe.company:
   original_fieldset: pe
   short: Internal company name of the file, provided at compile-time.
   type: keyword
+process.pe.compile_timestamp:
+  dashed_name: process-pe-compile-timestamp
+  description: Compile timestamp of the PE file.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: process.pe.compile_timestamp
+  level: extended
+  name: compile_timestamp
+  normalize: []
+  original_fieldset: pe
+  short: Compile timestamp of the PE file.
+  type: date
+process.pe.compiler.name:
+  dashed_name: process-pe-compiler-name
+  description: Name of the compiler
+  example: Clang
+  flat_name: process.pe.compiler.name
+  ignore_above: 1024
+  level: extended
+  name: compiler.name
+  normalize: []
+  original_fieldset: pe
+  short: Name of the compiler
+  type: keyword
+process.pe.compiler.version:
+  dashed_name: process-pe-compiler-version
+  description: Version of the compiler.
+  example: 11.0.0
+  flat_name: process.pe.compiler.version
+  ignore_above: 1024
+  level: extended
+  name: compiler.version
+  normalize: []
+  original_fieldset: pe
+  short: Version of the compiler.
+  type: keyword
+process.pe.creation_date:
+  dashed_name: process-pe-creation-date
+  description: Extracted when possible from the file's metadata. Indicates when it
+    was built or compiled. It can also be faked by malware creators.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: process.pe.creation_date
+  level: extended
+  name: creation_date
+  normalize: []
+  original_fieldset: pe
+  short: Build or compile date.
+  type: date
+process.pe.debug:
+  dashed_name: process-pe-debug
+  description: 'An array containing an object for each debug entry, if present.
+
+    The expected fields for this nested object fall under the `debug.` prefix.'
+  flat_name: process.pe.debug
+  level: extended
+  name: debug
+  normalize:
+  - array
+  original_fieldset: pe
+  short: Debug information
+  type: nested
+process.pe.debug.offset:
+  dashed_name: process-pe-debug-offset
+  description: Debug offset information.
+  example: 1296336
+  flat_name: process.pe.debug.offset
+  ignore_above: 1024
+  level: extended
+  name: debug.offset
+  normalize: []
+  original_fieldset: pe
+  short: Debug offset information.
+  type: keyword
+process.pe.debug.size:
+  dashed_name: process-pe-debug-size
+  description: Size of the debug information.
+  example: 816
+  flat_name: process.pe.debug.size
+  format: bytes
+  level: extended
+  name: debug.size
+  normalize: []
+  original_fieldset: pe
+  short: Size of the debug information.
+  type: long
+process.pe.debug.timestamp:
+  dashed_name: process-pe-debug-timestamp
+  description: Timestamp of the debug information.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: process.pe.debug.timestamp
+  level: extended
+  name: debug.timestamp
+  normalize: []
+  original_fieldset: pe
+  short: Timestamp of the debug information.
+  type: date
+process.pe.debug.type:
+  dashed_name: process-pe-debug-type
+  description: Information type generated by the debug options.
+  example: IMAGE_DEBUG_TYPE_POGO
+  flat_name: process.pe.debug.type
+  ignore_above: 1024
+  level: extended
+  name: debug.type
+  normalize: []
+  original_fieldset: pe
+  short: Information type generated by the debug options.
+  type: keyword
 process.pe.description:
   dashed_name: process-pe-description
   description: Internal description of the file, provided at compile-time.
@@ -5907,6 +7139,31 @@ process.pe.description:
   original_fieldset: pe
   short: Internal description of the file, provided at compile-time.
   type: keyword
+process.pe.entry_point:
+  dashed_name: process-pe-entry-point
+  description: Relative byte offset to the base of the PE file.
+  example: 25856
+  flat_name: process.pe.entry_point
+  ignore_above: 1024
+  level: extended
+  name: entry_point
+  normalize: []
+  original_fieldset: pe
+  short: Relative byte offset to the base of the PE file.
+  type: keyword
+process.pe.exports:
+  dashed_name: process-pe-exports
+  description: List of symbols exported by PE
+  example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
+  flat_name: process.pe.exports
+  ignore_above: 1024
+  level: extended
+  name: exports
+  normalize:
+  - array
+  original_fieldset: pe
+  short: List of symbols exported by PE
+  type: keyword
 process.pe.file_version:
   dashed_name: process-pe-file-version
   description: Internal version of the file, provided at compile-time.
@@ -5919,6 +7176,19 @@ process.pe.file_version:
   original_fieldset: pe
   short: Process name.
   type: keyword
+process.pe.icon.hash.dhash:
+  dashed_name: process-pe-icon-hash-dhash
+  description: Difference Hash (dhash) to find files with a visually similar icon
+    or thumbnail.
+  example: b806e17c8e330d82
+  flat_name: process.pe.icon.hash.dhash
+  ignore_above: 1024
+  level: extended
+  name: icon.hash.dhash
+  normalize: []
+  original_fieldset: pe
+  short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
+  type: keyword
 process.pe.imphash:
   dashed_name: process-pe-imphash
   description: 'A hash of the imports in a PE file. An imphash -- or import hash --
@@ -5935,6 +7205,30 @@ process.pe.imphash:
   original_fieldset: pe
   short: A hash of the imports in a PE file.
   type: keyword
+process.pe.imports:
+  dashed_name: process-pe-imports
+  description: List of all imported functions
+  example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
+    }'
+  flat_name: process.pe.imports
+  level: extended
+  name: imports
+  normalize: []
+  original_fieldset: pe
+  short: List of all imported functions
+  type: flattened
+process.pe.machine_type:
+  dashed_name: process-pe-machine-type
+  description: Machine type of the PE file.
+  example: Intel 386 or later, and compatibles
+  flat_name: process.pe.machine_type
+  ignore_above: 1024
+  level: extended
+  name: machine_type
+  normalize: []
+  original_fieldset: pe
+  short: Machine type of the PE file.
+  type: keyword
 process.pe.original_file_name:
   dashed_name: process-pe-original-file-name
   description: Internal name of the file, provided at compile-time.
@@ -5946,6 +7240,19 @@ process.pe.original_file_name:
   original_fieldset: pe
   short: Internal name of the file, provided at compile-time.
   type: wildcard
+process.pe.packers:
+  dashed_name: process-pe-packers
+  description: List of packers and tools used.
+  example: '["ASPack v2.12", ".NET executable"]'
+  flat_name: process.pe.packers
+  ignore_above: 1024
+  level: extended
+  name: packers
+  normalize:
+  - array
+  original_fieldset: pe
+  short: List of packers and tools used.
+  type: keyword
 process.pe.product:
   dashed_name: process-pe-product
   description: Internal product name of the file, provided at compile-time.
@@ -5958,6 +7265,183 @@ process.pe.product:
   original_fieldset: pe
   short: Internal product name of the file, provided at compile-time.
   type: keyword
+process.pe.resources:
+  dashed_name: process-pe-resources
+  description: 'An array containing an object for each PE resource, if present.
+
+    The expected fields for this nested object fall under the `resources.` prefix.'
+  flat_name: process.pe.resources
+  level: extended
+  name: resources
+  normalize:
+  - array
+  original_fieldset: pe
+  short: PE resource information
+  type: nested
+process.pe.resources.chi2:
+  dashed_name: process-pe-resources-chi2
+  description: Chi-square probability distribution.
+  example: -1
+  flat_name: process.pe.resources.chi2
+  level: extended
+  name: resources.chi2
+  normalize: []
+  original_fieldset: pe
+  short: Chi-square probability distribution.
+  type: long
+process.pe.resources.entropy:
+  dashed_name: process-pe-resources-entropy
+  description: Measurement of entropy randomness in the resources section.
+  example: 0, 1
+  flat_name: process.pe.resources.entropy
+  level: extended
+  name: resources.entropy
+  normalize: []
+  original_fieldset: pe
+  short: Measurement of entropy randomness in the resources section.
+  type: long
+process.pe.resources.filetype:
+  dashed_name: process-pe-resources-filetype
+  description: File type of the resources section.
+  example: Data
+  flat_name: process.pe.resources.filetype
+  ignore_above: 1024
+  level: extended
+  name: resources.filetype
+  normalize: []
+  original_fieldset: pe
+  short: File type of the resources section.
+  type: keyword
+process.pe.resources.language:
+  dashed_name: process-pe-resources-language
+  description: Language identification.
+  example: CHINESE SIMPLIFIED
+  flat_name: process.pe.resources.language
+  ignore_above: 1024
+  level: extended
+  name: resources.language
+  normalize: []
+  original_fieldset: pe
+  short: Language identification.
+  type: keyword
+process.pe.resources.sha256:
+  dashed_name: process-pe-resources-sha256
+  description: SHA256 hash of resources section.
+  example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+  flat_name: process.pe.resources.sha256
+  ignore_above: 1024
+  level: extended
+  name: resources.sha256
+  normalize: []
+  original_fieldset: pe
+  short: SHA256 hash of resources section.
+  type: keyword
+process.pe.resources.type:
+  dashed_name: process-pe-resources-type
+  description: Digest of resource types.
+  example: '["RT_VERSION", "RT_MANIFEST"]'
+  flat_name: process.pe.resources.type
+  ignore_above: 1024
+  level: extended
+  name: resources.type
+  normalize:
+  - array
+  original_fieldset: pe
+  short: List of resource types.
+  type: keyword
+process.pe.rich_header.hash.md5:
+  dashed_name: process-pe-rich-header-hash-md5
+  description: MD5 hash of the header for the PE file.
+  example: 5aa1aa0f2b4be70397a1e9e2b87627cd
+  flat_name: process.pe.rich_header.hash.md5
+  ignore_above: 1024
+  level: extended
+  name: rich_header.hash.md5
+  normalize: []
+  original_fieldset: pe
+  short: MD5 hash of the header for the PE file.
+  type: keyword
+process.pe.sections:
+  dashed_name: process-pe-sections
+  description: Data about sections of compiled binary PE
+  flat_name: process.pe.sections
+  level: extended
+  name: sections
+  normalize:
+  - array
+  original_fieldset: pe
+  short: Data about sections of the compiled binary PE
+  type: nested
+process.pe.sections.chi2:
+  dashed_name: process-pe-sections-chi2
+  description: Chi-square probability distribution.
+  example: 3027194
+  flat_name: process.pe.sections.chi2
+  level: extended
+  name: sections.chi2
+  normalize: []
+  original_fieldset: pe
+  short: Chi-square probability distribution.
+  type: long
+process.pe.sections.entropy:
+  dashed_name: process-pe-sections-entropy
+  description: Measurement of entropy randomness in the file.
+  example: 6.24
+  flat_name: process.pe.sections.entropy
+  level: extended
+  name: sections.entropy
+  normalize: []
+  original_fieldset: pe
+  short: Measurement of entropy randomness in the file.
+  type: float
+process.pe.sections.flags:
+  dashed_name: process-pe-sections-flags
+  description: Section flags of the file.
+  example: rx
+  flat_name: process.pe.sections.flags
+  ignore_above: 1024
+  level: extended
+  name: sections.flags
+  normalize: []
+  original_fieldset: pe
+  short: Section flags of the file.
+  type: keyword
+process.pe.sections.name:
+  dashed_name: process-pe-sections-name
+  description: Section names of the file.
+  example: .text, .data
+  flat_name: process.pe.sections.name
+  ignore_above: 1024
+  level: extended
+  name: sections.name
+  normalize: []
+  original_fieldset: pe
+  short: Section names of the file.
+  type: keyword
+process.pe.sections.raw_size:
+  dashed_name: process-pe-sections-raw-size
+  description: Size of the section or the dize of the initialized data on disk.
+  example: 198144
+  flat_name: process.pe.sections.raw_size
+  format: bytes
+  level: extended
+  name: sections.raw_size
+  normalize: []
+  original_fieldset: pe
+  short: Size of the section or the dize of the initialized data on disk.
+  type: long
+process.pe.sections.virtual_address:
+  dashed_name: process-pe-sections-virtual-address
+  description: Virtual address available to the file.
+  example: 8192
+  flat_name: process.pe.sections.virtual_address
+  format: bytes
+  level: extended
+  name: sections.virtual_address
+  normalize: []
+  original_fieldset: pe
+  short: Virtual address available to the file.
+  type: long
 process.pgid:
   dashed_name: process-pgid
   description: Identifier of the group of processes the process belongs to.
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index a0bb8d6a76..4ce5d1a3ea 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -1749,6 +1749,18 @@ dll:
       original_fieldset: pe
       short: CPU architecture target for the file.
       type: keyword
+    dll.pe.authentihash:
+      dashed_name: dll-pe-authentihash
+      description: Authentihash of the PE file.
+      example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
+      flat_name: dll.pe.authentihash
+      ignore_above: 1024
+      level: extended
+      name: authentihash
+      normalize: []
+      original_fieldset: pe
+      short: Authentihash of the PE file.
+      type: keyword
     dll.pe.company:
       dashed_name: dll-pe-company
       description: Internal company name of the file, provided at compile-time.
@@ -1761,6 +1773,113 @@ dll:
       original_fieldset: pe
       short: Internal company name of the file, provided at compile-time.
       type: keyword
+    dll.pe.compile_timestamp:
+      dashed_name: dll-pe-compile-timestamp
+      description: Compile timestamp of the PE file.
+      example: '2020-11-05T17:25:47.000Z'
+      flat_name: dll.pe.compile_timestamp
+      level: extended
+      name: compile_timestamp
+      normalize: []
+      original_fieldset: pe
+      short: Compile timestamp of the PE file.
+      type: date
+    dll.pe.compiler.name:
+      dashed_name: dll-pe-compiler-name
+      description: Name of the compiler
+      example: Clang
+      flat_name: dll.pe.compiler.name
+      ignore_above: 1024
+      level: extended
+      name: compiler.name
+      normalize: []
+      original_fieldset: pe
+      short: Name of the compiler
+      type: keyword
+    dll.pe.compiler.version:
+      dashed_name: dll-pe-compiler-version
+      description: Version of the compiler.
+      example: 11.0.0
+      flat_name: dll.pe.compiler.version
+      ignore_above: 1024
+      level: extended
+      name: compiler.version
+      normalize: []
+      original_fieldset: pe
+      short: Version of the compiler.
+      type: keyword
+    dll.pe.creation_date:
+      dashed_name: dll-pe-creation-date
+      description: Extracted when possible from the file's metadata. Indicates when
+        it was built or compiled. It can also be faked by malware creators.
+      example: '2020-11-05T17:25:47.000Z'
+      flat_name: dll.pe.creation_date
+      level: extended
+      name: creation_date
+      normalize: []
+      original_fieldset: pe
+      short: Build or compile date.
+      type: date
+    dll.pe.debug:
+      dashed_name: dll-pe-debug
+      description: 'An array containing an object for each debug entry, if present.
+
+        The expected fields for this nested object fall under the `debug.` prefix.'
+      flat_name: dll.pe.debug
+      level: extended
+      name: debug
+      normalize:
+      - array
+      original_fieldset: pe
+      short: Debug information
+      type: nested
+    dll.pe.debug.offset:
+      dashed_name: dll-pe-debug-offset
+      description: Debug offset information.
+      example: 1296336
+      flat_name: dll.pe.debug.offset
+      ignore_above: 1024
+      level: extended
+      name: debug.offset
+      normalize: []
+      original_fieldset: pe
+      short: Debug offset information.
+      type: keyword
+    dll.pe.debug.size:
+      dashed_name: dll-pe-debug-size
+      description: Size of the debug information.
+      example: 816
+      flat_name: dll.pe.debug.size
+      format: bytes
+      level: extended
+      name: debug.size
+      normalize: []
+      original_fieldset: pe
+      short: Size of the debug information.
+      type: long
+    dll.pe.debug.timestamp:
+      dashed_name: dll-pe-debug-timestamp
+      description: Timestamp of the debug information.
+      example: '2020-11-05T17:25:47.000Z'
+      flat_name: dll.pe.debug.timestamp
+      level: extended
+      name: debug.timestamp
+      normalize: []
+      original_fieldset: pe
+      short: Timestamp of the debug information.
+      type: date
+    dll.pe.debug.type:
+      dashed_name: dll-pe-debug-type
+      description: Information type generated by the debug options.
+      example: IMAGE_DEBUG_TYPE_POGO
+      flat_name: dll.pe.debug.type
+      ignore_above: 1024
+      level: extended
+      name: debug.type
+      normalize: []
+      original_fieldset: pe
+      short: Information type generated by the debug options.
+      type: keyword
     dll.pe.description:
       dashed_name: dll-pe-description
       description: Internal description of the file, provided at compile-time.
@@ -1773,6 +1892,31 @@ dll:
       original_fieldset: pe
       short: Internal description of the file, provided at compile-time.
       type: keyword
+    dll.pe.entry_point:
+      dashed_name: dll-pe-entry-point
+      description: Relative byte offset to the base of the PE file.
+      example: 25856
+      flat_name: dll.pe.entry_point
+      ignore_above: 1024
+      level: extended
+      name: entry_point
+      normalize: []
+      original_fieldset: pe
+      short: Relative byte offset to the base of the PE file.
+      type: keyword
+    dll.pe.exports:
+      dashed_name: dll-pe-exports
+      description: List of symbols exported by PE
+      example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
+      flat_name: dll.pe.exports
+      ignore_above: 1024
+      level: extended
+      name: exports
+      normalize:
+      - array
+      original_fieldset: pe
+      short: List of symbols exported by PE
+      type: keyword
     dll.pe.file_version:
       dashed_name: dll-pe-file-version
       description: Internal version of the file, provided at compile-time.
@@ -1785,6 +1929,20 @@ dll:
       original_fieldset: pe
       short: Process name.
       type: keyword
+    dll.pe.icon.hash.dhash:
+      dashed_name: dll-pe-icon-hash-dhash
+      description: Difference Hash (dhash) to find files with a visually similar icon
+        or thumbnail.
+      example: b806e17c8e330d82
+      flat_name: dll.pe.icon.hash.dhash
+      ignore_above: 1024
+      level: extended
+      name: icon.hash.dhash
+      normalize: []
+      original_fieldset: pe
+      short: Difference Hash (dhash) to find files with a visually similar icon or
+        thumbnail.
+      type: keyword
     dll.pe.imphash:
       dashed_name: dll-pe-imphash
       description: 'A hash of the imports in a PE file. An imphash -- or import hash
@@ -1801,6 +1959,30 @@ dll:
       original_fieldset: pe
       short: A hash of the imports in a PE file.
       type: keyword
+    dll.pe.imports:
+      dashed_name: dll-pe-imports
+      description: List of all imported functions
+      example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
+        }'
+      flat_name: dll.pe.imports
+      level: extended
+      name: imports
+      normalize: []
+      original_fieldset: pe
+      short: List of all imported functions
+      type: flattened
+    dll.pe.machine_type:
+      dashed_name: dll-pe-machine-type
+      description: Machine type of the PE file.
+      example: Intel 386 or later, and compatibles
+      flat_name: dll.pe.machine_type
+      ignore_above: 1024
+      level: extended
+      name: machine_type
+      normalize: []
+      original_fieldset: pe
+      short: Machine type of the PE file.
+      type: keyword
     dll.pe.original_file_name:
       dashed_name: dll-pe-original-file-name
       description: Internal name of the file, provided at compile-time.
@@ -1812,6 +1994,19 @@ dll:
       original_fieldset: pe
       short: Internal name of the file, provided at compile-time.
       type: wildcard
+    dll.pe.packers:
+      dashed_name: dll-pe-packers
+      description: List of packers and tools used.
+      example: '["ASPack v2.12", ".NET executable"]'
+      flat_name: dll.pe.packers
+      ignore_above: 1024
+      level: extended
+      name: packers
+      normalize:
+      - array
+      original_fieldset: pe
+      short: List of packers and tools used.
+      type: keyword
     dll.pe.product:
       dashed_name: dll-pe-product
       description: Internal product name of the file, provided at compile-time.
@@ -1824,6 +2019,183 @@ dll:
       original_fieldset: pe
       short: Internal product name of the file, provided at compile-time.
       type: keyword
+    dll.pe.resources:
+      dashed_name: dll-pe-resources
+      description: 'An array containing an object for each PE resource, if present.
+
+        The expected fields for this nested object fall under the `resources.` prefix.'
+      flat_name: dll.pe.resources
+      level: extended
+      name: resources
+      normalize:
+      - array
+      original_fieldset: pe
+      short: PE resource information
+      type: nested
+    dll.pe.resources.chi2:
+      dashed_name: dll-pe-resources-chi2
+      description: Chi-square probability distribution.
+      example: -1
+      flat_name: dll.pe.resources.chi2
+      level: extended
+      name: resources.chi2
+      normalize: []
+      original_fieldset: pe
+      short: Chi-square probability distribution.
+      type: long
+    dll.pe.resources.entropy:
+      dashed_name: dll-pe-resources-entropy
+      description: Measurement of entropy randomness in the resources section.
+      example: 0, 1
+      flat_name: dll.pe.resources.entropy
+      level: extended
+      name: resources.entropy
+      normalize: []
+      original_fieldset: pe
+      short: Measurement of entropy randomness in the resources section.
+      type: long
+    dll.pe.resources.filetype:
+      dashed_name: dll-pe-resources-filetype
+      description: File type of the resources section.
+      example: Data
+      flat_name: dll.pe.resources.filetype
+      ignore_above: 1024
+      level: extended
+      name: resources.filetype
+      normalize: []
+      original_fieldset: pe
+      short: File type of the resources section.
+      type: keyword
+    dll.pe.resources.language:
+      dashed_name: dll-pe-resources-language
+      description: Language identification.
+      example: CHINESE SIMPLIFIED
+      flat_name: dll.pe.resources.language
+      ignore_above: 1024
+      level: extended
+      name: resources.language
+      normalize: []
+      original_fieldset: pe
+      short: Language identification.
+      type: keyword
+    dll.pe.resources.sha256:
+      dashed_name: dll-pe-resources-sha256
+      description: SHA256 hash of resources section.
+      example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+      flat_name: dll.pe.resources.sha256
+      ignore_above: 1024
+      level: extended
+      name: resources.sha256
+      normalize: []
+      original_fieldset: pe
+      short: SHA256 hash of resources section.
+      type: keyword
+    dll.pe.resources.type:
+      dashed_name: dll-pe-resources-type
+      description: Digest of resource types.
+      example: '["RT_VERSION", "RT_MANIFEST"]'
+      flat_name: dll.pe.resources.type
+      ignore_above: 1024
+      level: extended
+      name: resources.type
+      normalize:
+      - array
+      original_fieldset: pe
+      short: List of resource types.
+      type: keyword
+    dll.pe.rich_header.hash.md5:
+      dashed_name: dll-pe-rich-header-hash-md5
+      description: MD5 hash of the header for the PE file.
+      example: 5aa1aa0f2b4be70397a1e9e2b87627cd
+      flat_name: dll.pe.rich_header.hash.md5
+      ignore_above: 1024
+      level: extended
+      name: rich_header.hash.md5
+      normalize: []
+      original_fieldset: pe
+      short: MD5 hash of the header for the PE file.
+      type: keyword
+    dll.pe.sections:
+      dashed_name: dll-pe-sections
+      description: Data about sections of compiled binary PE
+      flat_name: dll.pe.sections
+      level: extended
+      name: sections
+      normalize:
+      - array
+      original_fieldset: pe
+      short: Data about sections of the compiled binary PE
+      type: nested
+    dll.pe.sections.chi2:
+      dashed_name: dll-pe-sections-chi2
+      description: Chi-square probability distribution.
+      example: 3027194
+      flat_name: dll.pe.sections.chi2
+      level: extended
+      name: sections.chi2
+      normalize: []
+      original_fieldset: pe
+      short: Chi-square probability distribution.
+      type: long
+    dll.pe.sections.entropy:
+      dashed_name: dll-pe-sections-entropy
+      description: Measurement of entropy randomness in the file.
+      example: 6.24
+      flat_name: dll.pe.sections.entropy
+      level: extended
+      name: sections.entropy
+      normalize: []
+      original_fieldset: pe
+      short: Measurement of entropy randomness in the file.
+      type: float
+    dll.pe.sections.flags:
+      dashed_name: dll-pe-sections-flags
+      description: Section flags of the file.
+      example: rx
+      flat_name: dll.pe.sections.flags
+      ignore_above: 1024
+      level: extended
+      name: sections.flags
+      normalize: []
+      original_fieldset: pe
+      short: Section flags of the file.
+      type: keyword
+    dll.pe.sections.name:
+      dashed_name: dll-pe-sections-name
+      description: Section names of the file.
+      example: .text, .data
+      flat_name: dll.pe.sections.name
+      ignore_above: 1024
+      level: extended
+      name: sections.name
+      normalize: []
+      original_fieldset: pe
+      short: Section names of the file.
+      type: keyword
+    dll.pe.sections.raw_size:
+      dashed_name: dll-pe-sections-raw-size
+      description: Size of the section or the dize of the initialized data on disk.
+      example: 198144
+      flat_name: dll.pe.sections.raw_size
+      format: bytes
+      level: extended
+      name: sections.raw_size
+      normalize: []
+      original_fieldset: pe
+      short: Size of the section or the dize of the initialized data on disk.
+      type: long
+    dll.pe.sections.virtual_address:
+      dashed_name: dll-pe-sections-virtual-address
+      description: Virtual address available to the file.
+      example: 8192
+      flat_name: dll.pe.sections.virtual_address
+      format: bytes
+      level: extended
+      name: sections.virtual_address
+      normalize: []
+      original_fieldset: pe
+      short: Virtual address available to the file.
+      type: long
   group: 2
   name: dll
   nestings:
@@ -3332,6 +3704,18 @@ file:
       original_fieldset: pe
       short: CPU architecture target for the file.
       type: keyword
+    file.pe.authentihash:
+      dashed_name: file-pe-authentihash
+      description: Authentihash of the PE file.
+      example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
+      flat_name: file.pe.authentihash
+      ignore_above: 1024
+      level: extended
+      name: authentihash
+      normalize: []
+      original_fieldset: pe
+      short: Authentihash of the PE file.
+      type: keyword
     file.pe.company:
       dashed_name: file-pe-company
       description: Internal company name of the file, provided at compile-time.
@@ -3344,6 +3728,113 @@ file:
       original_fieldset: pe
       short: Internal company name of the file, provided at compile-time.
       type: keyword
+    file.pe.compile_timestamp:
+      dashed_name: file-pe-compile-timestamp
+      description: Compile timestamp of the PE file.
+      example: '2020-11-05T17:25:47.000Z'
+      flat_name: file.pe.compile_timestamp
+      level: extended
+      name: compile_timestamp
+      normalize: []
+      original_fieldset: pe
+      short: Compile timestamp of the PE file.
+      type: date
+    file.pe.compiler.name:
+      dashed_name: file-pe-compiler-name
+      description: Name of the compiler
+      example: Clang
+      flat_name: file.pe.compiler.name
+      ignore_above: 1024
+      level: extended
+      name: compiler.name
+      normalize: []
+      original_fieldset: pe
+      short: Name of the compiler
+      type: keyword
+    file.pe.compiler.version:
+      dashed_name: file-pe-compiler-version
+      description: Version of the compiler.
+      example: 11.0.0
+      flat_name: file.pe.compiler.version
+      ignore_above: 1024
+      level: extended
+      name: compiler.version
+      normalize: []
+      original_fieldset: pe
+      short: Version of the compiler.
+      type: keyword
+    file.pe.creation_date:
+      dashed_name: file-pe-creation-date
+      description: Extracted when possible from the file's metadata. Indicates when
+        it was built or compiled. It can also be faked by malware creators.
+      example: '2020-11-05T17:25:47.000Z'
+      flat_name: file.pe.creation_date
+      level: extended
+      name: creation_date
+      normalize: []
+      original_fieldset: pe
+      short: Build or compile date.
+      type: date
+    file.pe.debug:
+      dashed_name: file-pe-debug
+      description: 'An array containing an object for each debug entry, if present.
+
+        The expected fields for this nested object fall under the `debug.` prefix.'
+      flat_name: file.pe.debug
+      level: extended
+      name: debug
+      normalize:
+      - array
+      original_fieldset: pe
+      short: Debug information
+      type: nested
+    file.pe.debug.offset:
+      dashed_name: file-pe-debug-offset
+      description: Debug offset information.
+      example: 1296336
+      flat_name: file.pe.debug.offset
+      ignore_above: 1024
+      level: extended
+      name: debug.offset
+      normalize: []
+      original_fieldset: pe
+      short: Debug offset information.
+      type: keyword
+    file.pe.debug.size:
+      dashed_name: file-pe-debug-size
+      description: Size of the debug information.
+      example: 816
+      flat_name: file.pe.debug.size
+      format: bytes
+      level: extended
+      name: debug.size
+      normalize: []
+      original_fieldset: pe
+      short: Size of the debug information.
+      type: long
+    file.pe.debug.timestamp:
+      dashed_name: file-pe-debug-timestamp
+      description: Timestamp of the debug information.
+      example: '2020-11-05T17:25:47.000Z'
+      flat_name: file.pe.debug.timestamp
+      level: extended
+      name: debug.timestamp
+      normalize: []
+      original_fieldset: pe
+      short: Timestamp of the debug information.
+      type: date
+    file.pe.debug.type:
+      dashed_name: file-pe-debug-type
+      description: Information type generated by the debug options.
+      example: IMAGE_DEBUG_TYPE_POGO
+      flat_name: file.pe.debug.type
+      ignore_above: 1024
+      level: extended
+      name: debug.type
+      normalize: []
+      original_fieldset: pe
+      short: Information type generated by the debug options.
+      type: keyword
     file.pe.description:
       dashed_name: file-pe-description
       description: Internal description of the file, provided at compile-time.
@@ -3356,6 +3847,31 @@ file:
       original_fieldset: pe
       short: Internal description of the file, provided at compile-time.
       type: keyword
+    file.pe.entry_point:
+      dashed_name: file-pe-entry-point
+      description: Relative byte offset to the base of the PE file.
+      example: 25856
+      flat_name: file.pe.entry_point
+      ignore_above: 1024
+      level: extended
+      name: entry_point
+      normalize: []
+      original_fieldset: pe
+      short: Relative byte offset to the base of the PE file.
+      type: keyword
+    file.pe.exports:
+      dashed_name: file-pe-exports
+      description: List of symbols exported by PE
+      example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
+      flat_name: file.pe.exports
+      ignore_above: 1024
+      level: extended
+      name: exports
+      normalize:
+      - array
+      original_fieldset: pe
+      short: List of symbols exported by PE
+      type: keyword
     file.pe.file_version:
       dashed_name: file-pe-file-version
       description: Internal version of the file, provided at compile-time.
@@ -3368,6 +3884,20 @@ file:
       original_fieldset: pe
       short: Process name.
       type: keyword
+    file.pe.icon.hash.dhash:
+      dashed_name: file-pe-icon-hash-dhash
+      description: Difference Hash (dhash) to find files with a visually similar icon
+        or thumbnail.
+      example: b806e17c8e330d82
+      flat_name: file.pe.icon.hash.dhash
+      ignore_above: 1024
+      level: extended
+      name: icon.hash.dhash
+      normalize: []
+      original_fieldset: pe
+      short: Difference Hash (dhash) to find files with a visually similar icon or
+        thumbnail.
+      type: keyword
     file.pe.imphash:
       dashed_name: file-pe-imphash
       description: 'A hash of the imports in a PE file. An imphash -- or import hash
@@ -3384,6 +3914,30 @@ file:
       original_fieldset: pe
       short: A hash of the imports in a PE file.
       type: keyword
+    file.pe.imports:
+      dashed_name: file-pe-imports
+      description: List of all imported functions
+      example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
+        }'
+      flat_name: file.pe.imports
+      level: extended
+      name: imports
+      normalize: []
+      original_fieldset: pe
+      short: List of all imported functions
+      type: flattened
+    file.pe.machine_type:
+      dashed_name: file-pe-machine-type
+      description: Machine type of the PE file.
+      example: Intel 386 or later, and compatibles
+      flat_name: file.pe.machine_type
+      ignore_above: 1024
+      level: extended
+      name: machine_type
+      normalize: []
+      original_fieldset: pe
+      short: Machine type of the PE file.
+      type: keyword
     file.pe.original_file_name:
       dashed_name: file-pe-original-file-name
       description: Internal name of the file, provided at compile-time.
@@ -3395,6 +3949,19 @@ file:
       original_fieldset: pe
       short: Internal name of the file, provided at compile-time.
       type: wildcard
+    file.pe.packers:
+      dashed_name: file-pe-packers
+      description: List of packers and tools used.
+      example: '["ASPack v2.12", ".NET executable"]'
+      flat_name: file.pe.packers
+      ignore_above: 1024
+      level: extended
+      name: packers
+      normalize:
+      - array
+      original_fieldset: pe
+      short: List of packers and tools used.
+      type: keyword
     file.pe.product:
       dashed_name: file-pe-product
       description: Internal product name of the file, provided at compile-time.
@@ -3407,38 +3974,215 @@ file:
       original_fieldset: pe
       short: Internal product name of the file, provided at compile-time.
       type: keyword
-    file.size:
-      dashed_name: file-size
-      description: 'File size in bytes.
+    file.pe.resources:
+      dashed_name: file-pe-resources
+      description: 'An array containing an object for each PE resource, if present.
 
-        Only relevant when `file.type` is "file".'
-      example: 16384
-      flat_name: file.size
+        The expected fields for this nested object fall under the `resources.` prefix.'
+      flat_name: file.pe.resources
       level: extended
-      name: size
+      name: resources
+      normalize:
+      - array
+      original_fieldset: pe
+      short: PE resource information
+      type: nested
+    file.pe.resources.chi2:
+      dashed_name: file-pe-resources-chi2
+      description: Chi-square probability distribution.
+      example: -1
+      flat_name: file.pe.resources.chi2
+      level: extended
+      name: resources.chi2
       normalize: []
-      short: File size in bytes.
+      original_fieldset: pe
+      short: Chi-square probability distribution.
       type: long
-    file.target_path:
-      dashed_name: file-target-path
-      description: Target path for symlinks.
-      flat_name: file.target_path
+    file.pe.resources.entropy:
+      dashed_name: file-pe-resources-entropy
+      description: Measurement of entropy randomness in the resources section.
+      example: 0, 1
+      flat_name: file.pe.resources.entropy
       level: extended
-      multi_fields:
-      - flat_name: file.target_path.text
-        name: text
-        norms: false
-        type: text
-      name: target_path
+      name: resources.entropy
       normalize: []
-      short: Target path for symlinks.
-      type: wildcard
-    file.type:
-      dashed_name: file-type
-      description: File type (file, dir, or symlink).
-      example: file
-      flat_name: file.type
-      ignore_above: 1024
+      original_fieldset: pe
+      short: Measurement of entropy randomness in the resources section.
+      type: long
+    file.pe.resources.filetype:
+      dashed_name: file-pe-resources-filetype
+      description: File type of the resources section.
+      example: Data
+      flat_name: file.pe.resources.filetype
+      ignore_above: 1024
+      level: extended
+      name: resources.filetype
+      normalize: []
+      original_fieldset: pe
+      short: File type of the resources section.
+      type: keyword
+    file.pe.resources.language:
+      dashed_name: file-pe-resources-language
+      description: Language identification.
+      example: CHINESE SIMPLIFIED
+      flat_name: file.pe.resources.language
+      ignore_above: 1024
+      level: extended
+      name: resources.language
+      normalize: []
+      original_fieldset: pe
+      short: Language identification.
+      type: keyword
+    file.pe.resources.sha256:
+      dashed_name: file-pe-resources-sha256
+      description: SHA256 hash of resources section.
+      example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+      flat_name: file.pe.resources.sha256
+      ignore_above: 1024
+      level: extended
+      name: resources.sha256
+      normalize: []
+      original_fieldset: pe
+      short: SHA256 hash of resources section.
+      type: keyword
+    file.pe.resources.type:
+      dashed_name: file-pe-resources-type
+      description: Digest of resource types.
+      example: '["RT_VERSION", "RT_MANIFEST"]'
+      flat_name: file.pe.resources.type
+      ignore_above: 1024
+      level: extended
+      name: resources.type
+      normalize:
+      - array
+      original_fieldset: pe
+      short: List of resource types.
+      type: keyword
+    file.pe.rich_header.hash.md5:
+      dashed_name: file-pe-rich-header-hash-md5
+      description: MD5 hash of the header for the PE file.
+      example: 5aa1aa0f2b4be70397a1e9e2b87627cd
+      flat_name: file.pe.rich_header.hash.md5
+      ignore_above: 1024
+      level: extended
+      name: rich_header.hash.md5
+      normalize: []
+      original_fieldset: pe
+      short: MD5 hash of the header for the PE file.
+      type: keyword
+    file.pe.sections:
+      dashed_name: file-pe-sections
+      description: Data about sections of compiled binary PE
+      flat_name: file.pe.sections
+      level: extended
+      name: sections
+      normalize:
+      - array
+      original_fieldset: pe
+      short: Data about sections of the compiled binary PE
+      type: nested
+    file.pe.sections.chi2:
+      dashed_name: file-pe-sections-chi2
+      description: Chi-square probability distribution.
+      example: 3027194
+      flat_name: file.pe.sections.chi2
+      level: extended
+      name: sections.chi2
+      normalize: []
+      original_fieldset: pe
+      short: Chi-square probability distribution.
+      type: long
+    file.pe.sections.entropy:
+      dashed_name: file-pe-sections-entropy
+      description: Measurement of entropy randomness in the file.
+      example: 6.24
+      flat_name: file.pe.sections.entropy
+      level: extended
+      name: sections.entropy
+      normalize: []
+      original_fieldset: pe
+      short: Measurement of entropy randomness in the file.
+      type: float
+    file.pe.sections.flags:
+      dashed_name: file-pe-sections-flags
+      description: Section flags of the file.
+      example: rx
+      flat_name: file.pe.sections.flags
+      ignore_above: 1024
+      level: extended
+      name: sections.flags
+      normalize: []
+      original_fieldset: pe
+      short: Section flags of the file.
+      type: keyword
+    file.pe.sections.name:
+      dashed_name: file-pe-sections-name
+      description: Section names of the file.
+      example: .text, .data
+      flat_name: file.pe.sections.name
+      ignore_above: 1024
+      level: extended
+      name: sections.name
+      normalize: []
+      original_fieldset: pe
+      short: Section names of the file.
+      type: keyword
+    file.pe.sections.raw_size:
+      dashed_name: file-pe-sections-raw-size
+      description: Size of the section or the dize of the initialized data on disk.
+      example: 198144
+      flat_name: file.pe.sections.raw_size
+      format: bytes
+      level: extended
+      name: sections.raw_size
+      normalize: []
+      original_fieldset: pe
+      short: Size of the section or the dize of the initialized data on disk.
+      type: long
+    file.pe.sections.virtual_address:
+      dashed_name: file-pe-sections-virtual-address
+      description: Virtual address available to the file.
+      example: 8192
+      flat_name: file.pe.sections.virtual_address
+      format: bytes
+      level: extended
+      name: sections.virtual_address
+      normalize: []
+      original_fieldset: pe
+      short: Virtual address available to the file.
+      type: long
+    file.size:
+      dashed_name: file-size
+      description: 'File size in bytes.
+
+        Only relevant when `file.type` is "file".'
+      example: 16384
+      flat_name: file.size
+      level: extended
+      name: size
+      normalize: []
+      short: File size in bytes.
+      type: long
+    file.target_path:
+      dashed_name: file-target-path
+      description: Target path for symlinks.
+      flat_name: file.target_path
+      level: extended
+      multi_fields:
+      - flat_name: file.target_path.text
+        name: text
+        norms: false
+        type: text
+      name: target_path
+      normalize: []
+      short: Target path for symlinks.
+      type: wildcard
+    file.type:
+      dashed_name: file-type
+      description: File type (file, dir, or symlink).
+      example: file
+      flat_name: file.type
+      ignore_above: 1024
       level: extended
       name: type
       normalize: []
@@ -6243,6 +6987,17 @@ pe:
       normalize: []
       short: CPU architecture target for the file.
       type: keyword
+    pe.authentihash:
+      dashed_name: pe-authentihash
+      description: Authentihash of the PE file.
+      example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
+      flat_name: pe.authentihash
+      ignore_above: 1024
+      level: extended
+      name: authentihash
+      normalize: []
+      short: Authentihash of the PE file.
+      type: keyword
     pe.company:
       dashed_name: pe-company
       description: Internal company name of the file, provided at compile-time.
@@ -6254,6 +7009,104 @@ pe:
       normalize: []
       short: Internal company name of the file, provided at compile-time.
       type: keyword
+    pe.compile_timestamp:
+      dashed_name: pe-compile-timestamp
+      description: Compile timestamp of the PE file.
+      example: '2020-11-05T17:25:47.000Z'
+      flat_name: pe.compile_timestamp
+      level: extended
+      name: compile_timestamp
+      normalize: []
+      short: Compile timestamp of the PE file.
+      type: date
+    pe.compiler.name:
+      dashed_name: pe-compiler-name
+      description: Name of the compiler
+      example: Clang
+      flat_name: pe.compiler.name
+      ignore_above: 1024
+      level: extended
+      name: compiler.name
+      normalize: []
+      short: Name of the compiler
+      type: keyword
+    pe.compiler.version:
+      dashed_name: pe-compiler-version
+      description: Version of the compiler.
+      example: 11.0.0
+      flat_name: pe.compiler.version
+      ignore_above: 1024
+      level: extended
+      name: compiler.version
+      normalize: []
+      short: Version of the compiler.
+      type: keyword
+    pe.creation_date:
+      dashed_name: pe-creation-date
+      description: Extracted when possible from the file's metadata. Indicates when
+        it was built or compiled. It can also be faked by malware creators.
+      example: '2020-11-05T17:25:47.000Z'
+      flat_name: pe.creation_date
+      level: extended
+      name: creation_date
+      normalize: []
+      short: Build or compile date.
+      type: date
+    pe.debug:
+      dashed_name: pe-debug
+      description: 'An array containing an object for each debug entry, if present.
+
+        The expected fields for this nested object fall under the `debug.` prefix.'
+      flat_name: pe.debug
+      level: extended
+      name: debug
+      normalize:
+      - array
+      short: Debug information
+      type: nested
+    pe.debug.offset:
+      dashed_name: pe-debug-offset
+      description: Debug offset information.
+      example: 1296336
+      flat_name: pe.debug.offset
+      ignore_above: 1024
+      level: extended
+      name: debug.offset
+      normalize: []
+      short: Debug offset information.
+      type: keyword
+    pe.debug.size:
+      dashed_name: pe-debug-size
+      description: Size of the debug information.
+      example: 816
+      flat_name: pe.debug.size
+      format: bytes
+      level: extended
+      name: debug.size
+      normalize: []
+      short: Size of the debug information.
+      type: long
+    pe.debug.timestamp:
+      dashed_name: pe-debug-timestamp
+      description: Timestamp of the debug information.
+      example: '2020-11-05T17:25:47.000Z'
+      flat_name: pe.debug.timestamp
+      level: extended
+      name: debug.timestamp
+      normalize: []
+      short: Timestamp of the debug information.
+      type: date
+    pe.debug.type:
+      dashed_name: pe-debug-type
+      description: Information type generated by the debug options.
+      example: IMAGE_DEBUG_TYPE_POGO
+      flat_name: pe.debug.type
+      ignore_above: 1024
+      level: extended
+      name: debug.type
+      normalize: []
+      short: Information type generated by the debug options.
+      type: keyword
     pe.description:
       dashed_name: pe-description
       description: Internal description of the file, provided at compile-time.
@@ -6265,6 +7118,29 @@ pe:
       normalize: []
       short: Internal description of the file, provided at compile-time.
       type: keyword
+    pe.entry_point:
+      dashed_name: pe-entry-point
+      description: Relative byte offset to the base of the PE file.
+      example: 25856
+      flat_name: pe.entry_point
+      ignore_above: 1024
+      level: extended
+      name: entry_point
+      normalize: []
+      short: Relative byte offset to the base of the PE file.
+      type: keyword
+    pe.exports:
+      dashed_name: pe-exports
+      description: List of symbols exported by PE
+      example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
+      flat_name: pe.exports
+      ignore_above: 1024
+      level: extended
+      name: exports
+      normalize:
+      - array
+      short: List of symbols exported by PE
+      type: keyword
     pe.file_version:
       dashed_name: pe-file-version
       description: Internal version of the file, provided at compile-time.
@@ -6276,6 +7152,19 @@ pe:
       normalize: []
       short: Process name.
       type: keyword
+    pe.icon.hash.dhash:
+      dashed_name: pe-icon-hash-dhash
+      description: Difference Hash (dhash) to find files with a visually similar icon
+        or thumbnail.
+      example: b806e17c8e330d82
+      flat_name: pe.icon.hash.dhash
+      ignore_above: 1024
+      level: extended
+      name: icon.hash.dhash
+      normalize: []
+      short: Difference Hash (dhash) to find files with a visually similar icon or
+        thumbnail.
+      type: keyword
     pe.imphash:
       dashed_name: pe-imphash
       description: 'A hash of the imports in a PE file. An imphash -- or import hash
@@ -6291,6 +7180,28 @@ pe:
       normalize: []
       short: A hash of the imports in a PE file.
       type: keyword
+    pe.imports:
+      dashed_name: pe-imports
+      description: List of all imported functions
+      example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
+        }'
+      flat_name: pe.imports
+      level: extended
+      name: imports
+      normalize: []
+      short: List of all imported functions
+      type: flattened
+    pe.machine_type:
+      dashed_name: pe-machine-type
+      description: Machine type of the PE file.
+      example: Intel 386 or later, and compatibles
+      flat_name: pe.machine_type
+      ignore_above: 1024
+      level: extended
+      name: machine_type
+      normalize: []
+      short: Machine type of the PE file.
+      type: keyword
     pe.original_file_name:
       dashed_name: pe-original-file-name
       description: Internal name of the file, provided at compile-time.
@@ -6301,6 +7212,18 @@ pe:
       normalize: []
       short: Internal name of the file, provided at compile-time.
       type: wildcard
+    pe.packers:
+      dashed_name: pe-packers
+      description: List of packers and tools used.
+      example: '["ASPack v2.12", ".NET executable"]'
+      flat_name: pe.packers
+      ignore_above: 1024
+      level: extended
+      name: packers
+      normalize:
+      - array
+      short: List of packers and tools used.
+      type: keyword
     pe.product:
       dashed_name: pe-product
       description: Internal product name of the file, provided at compile-time.
@@ -6312,6 +7235,168 @@ pe:
       normalize: []
       short: Internal product name of the file, provided at compile-time.
       type: keyword
+    pe.resources:
+      dashed_name: pe-resources
+      description: 'An array containing an object for each PE resource, if present.
+
+        The expected fields for this nested object fall under the `resources.` prefix.'
+      flat_name: pe.resources
+      level: extended
+      name: resources
+      normalize:
+      - array
+      short: PE resource information
+      type: nested
+    pe.resources.chi2:
+      dashed_name: pe-resources-chi2
+      description: Chi-square probability distribution.
+      example: -1
+      flat_name: pe.resources.chi2
+      level: extended
+      name: resources.chi2
+      normalize: []
+      short: Chi-square probability distribution.
+      type: long
+    pe.resources.entropy:
+      dashed_name: pe-resources-entropy
+      description: Measurement of entropy randomness in the resources section.
+      example: 0, 1
+      flat_name: pe.resources.entropy
+      level: extended
+      name: resources.entropy
+      normalize: []
+      short: Measurement of entropy randomness in the resources section.
+      type: long
+    pe.resources.filetype:
+      dashed_name: pe-resources-filetype
+      description: File type of the resources section.
+      example: Data
+      flat_name: pe.resources.filetype
+      ignore_above: 1024
+      level: extended
+      name: resources.filetype
+      normalize: []
+      short: File type of the resources section.
+      type: keyword
+    pe.resources.language:
+      dashed_name: pe-resources-language
+      description: Language identification.
+      example: CHINESE SIMPLIFIED
+      flat_name: pe.resources.language
+      ignore_above: 1024
+      level: extended
+      name: resources.language
+      normalize: []
+      short: Language identification.
+      type: keyword
+    pe.resources.sha256:
+      dashed_name: pe-resources-sha256
+      description: SHA256 hash of resources section.
+      example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+      flat_name: pe.resources.sha256
+      ignore_above: 1024
+      level: extended
+      name: resources.sha256
+      normalize: []
+      short: SHA256 hash of resources section.
+      type: keyword
+    pe.resources.type:
+      dashed_name: pe-resources-type
+      description: Digest of resource types.
+      example: '["RT_VERSION", "RT_MANIFEST"]'
+      flat_name: pe.resources.type
+      ignore_above: 1024
+      level: extended
+      name: resources.type
+      normalize:
+      - array
+      short: List of resource types.
+      type: keyword
+    pe.rich_header.hash.md5:
+      dashed_name: pe-rich-header-hash-md5
+      description: MD5 hash of the header for the PE file.
+      example: 5aa1aa0f2b4be70397a1e9e2b87627cd
+      flat_name: pe.rich_header.hash.md5
+      ignore_above: 1024
+      level: extended
+      name: rich_header.hash.md5
+      normalize: []
+      short: MD5 hash of the header for the PE file.
+      type: keyword
+    pe.sections:
+      dashed_name: pe-sections
+      description: Data about sections of compiled binary PE
+      flat_name: pe.sections
+      level: extended
+      name: sections
+      normalize:
+      - array
+      short: Data about sections of the compiled binary PE
+      type: nested
+    pe.sections.chi2:
+      dashed_name: pe-sections-chi2
+      description: Chi-square probability distribution.
+      example: 3027194
+      flat_name: pe.sections.chi2
+      level: extended
+      name: sections.chi2
+      normalize: []
+      short: Chi-square probability distribution.
+      type: long
+    pe.sections.entropy:
+      dashed_name: pe-sections-entropy
+      description: Measurement of entropy randomness in the file.
+      example: 6.24
+      flat_name: pe.sections.entropy
+      level: extended
+      name: sections.entropy
+      normalize: []
+      short: Measurement of entropy randomness in the file.
+      type: float
+    pe.sections.flags:
+      dashed_name: pe-sections-flags
+      description: Section flags of the file.
+      example: rx
+      flat_name: pe.sections.flags
+      ignore_above: 1024
+      level: extended
+      name: sections.flags
+      normalize: []
+      short: Section flags of the file.
+      type: keyword
+    pe.sections.name:
+      dashed_name: pe-sections-name
+      description: Section names of the file.
+      example: .text, .data
+      flat_name: pe.sections.name
+      ignore_above: 1024
+      level: extended
+      name: sections.name
+      normalize: []
+      short: Section names of the file.
+      type: keyword
+    pe.sections.raw_size:
+      dashed_name: pe-sections-raw-size
+      description: Size of the section or the dize of the initialized data on disk.
+      example: 198144
+      flat_name: pe.sections.raw_size
+      format: bytes
+      level: extended
+      name: sections.raw_size
+      normalize: []
+      short: Size of the section or the dize of the initialized data on disk.
+      type: long
+    pe.sections.virtual_address:
+      dashed_name: pe-sections-virtual-address
+      description: Virtual address available to the file.
+      example: 8192
+      flat_name: pe.sections.virtual_address
+      format: bytes
+      level: extended
+      name: sections.virtual_address
+      normalize: []
+      short: Virtual address available to the file.
+      type: long
   group: 2
   name: pe
   prefix: pe.
@@ -6824,6 +7909,18 @@ process:
       original_fieldset: pe
       short: CPU architecture target for the file.
       type: keyword
+    process.parent.pe.authentihash:
+      dashed_name: process-parent-pe-authentihash
+      description: Authentihash of the PE file.
+      example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
+      flat_name: process.parent.pe.authentihash
+      ignore_above: 1024
+      level: extended
+      name: authentihash
+      normalize: []
+      original_fieldset: pe
+      short: Authentihash of the PE file.
+      type: keyword
     process.parent.pe.company:
       dashed_name: process-parent-pe-company
       description: Internal company name of the file, provided at compile-time.
@@ -6836,6 +7933,113 @@ process:
       original_fieldset: pe
       short: Internal company name of the file, provided at compile-time.
       type: keyword
+    process.parent.pe.compile_timestamp:
+      dashed_name: process-parent-pe-compile-timestamp
+      description: Compile timestamp of the PE file.
+      example: '2020-11-05T17:25:47.000Z'
+      flat_name: process.parent.pe.compile_timestamp
+      level: extended
+      name: compile_timestamp
+      normalize: []
+      original_fieldset: pe
+      short: Compile timestamp of the PE file.
+      type: date
+    process.parent.pe.compiler.name:
+      dashed_name: process-parent-pe-compiler-name
+      description: Name of the compiler
+      example: Clang
+      flat_name: process.parent.pe.compiler.name
+      ignore_above: 1024
+      level: extended
+      name: compiler.name
+      normalize: []
+      original_fieldset: pe
+      short: Name of the compiler
+      type: keyword
+    process.parent.pe.compiler.version:
+      dashed_name: process-parent-pe-compiler-version
+      description: Version of the compiler.
+      example: 11.0.0
+      flat_name: process.parent.pe.compiler.version
+      ignore_above: 1024
+      level: extended
+      name: compiler.version
+      normalize: []
+      original_fieldset: pe
+      short: Version of the compiler.
+      type: keyword
+    process.parent.pe.creation_date:
+      dashed_name: process-parent-pe-creation-date
+      description: Extracted when possible from the file's metadata. Indicates when
+        it was built or compiled. It can also be faked by malware creators.
+      example: '2020-11-05T17:25:47.000Z'
+      flat_name: process.parent.pe.creation_date
+      level: extended
+      name: creation_date
+      normalize: []
+      original_fieldset: pe
+      short: Build or compile date.
+      type: date
+    process.parent.pe.debug:
+      dashed_name: process-parent-pe-debug
+      description: 'An array containing an object for each debug entry, if present.
+
+        The expected fields for this nested object fall under the `debug.` prefix.'
+      flat_name: process.parent.pe.debug
+      level: extended
+      name: debug
+      normalize:
+      - array
+      original_fieldset: pe
+      short: Debug information
+      type: nested
+    process.parent.pe.debug.offset:
+      dashed_name: process-parent-pe-debug-offset
+      description: Debug offset information.
+      example: 1296336
+      flat_name: process.parent.pe.debug.offset
+      ignore_above: 1024
+      level: extended
+      name: debug.offset
+      normalize: []
+      original_fieldset: pe
+      short: Debug offset information.
+      type: keyword
+    process.parent.pe.debug.size:
+      dashed_name: process-parent-pe-debug-size
+      description: Size of the debug information.
+      example: 816
+      flat_name: process.parent.pe.debug.size
+      format: bytes
+      level: extended
+      name: debug.size
+      normalize: []
+      original_fieldset: pe
+      short: Size of the debug information.
+      type: long
+    process.parent.pe.debug.timestamp:
+      dashed_name: process-parent-pe-debug-timestamp
+      description: Timestamp of the debug information.
+      example: '2020-11-05T17:25:47.000Z'
+      flat_name: process.parent.pe.debug.timestamp
+      level: extended
+      name: debug.timestamp
+      normalize: []
+      original_fieldset: pe
+      short: Timestamp of the debug information.
+      type: date
+    process.parent.pe.debug.type:
+      dashed_name: process-parent-pe-debug-type
+      description: Information type generated by the debug options.
+      example: IMAGE_DEBUG_TYPE_POGO
+      flat_name: process.parent.pe.debug.type
+      ignore_above: 1024
+      level: extended
+      name: debug.type
+      normalize: []
+      original_fieldset: pe
+      short: Information type generated by the debug options.
+      type: keyword
     process.parent.pe.description:
       dashed_name: process-parent-pe-description
       description: Internal description of the file, provided at compile-time.
@@ -6848,6 +8052,31 @@ process:
       original_fieldset: pe
       short: Internal description of the file, provided at compile-time.
       type: keyword
+    process.parent.pe.entry_point:
+      dashed_name: process-parent-pe-entry-point
+      description: Relative byte offset to the base of the PE file.
+      example: 25856
+      flat_name: process.parent.pe.entry_point
+      ignore_above: 1024
+      level: extended
+      name: entry_point
+      normalize: []
+      original_fieldset: pe
+      short: Relative byte offset to the base of the PE file.
+      type: keyword
+    process.parent.pe.exports:
+      dashed_name: process-parent-pe-exports
+      description: List of symbols exported by PE
+      example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
+      flat_name: process.parent.pe.exports
+      ignore_above: 1024
+      level: extended
+      name: exports
+      normalize:
+      - array
+      original_fieldset: pe
+      short: List of symbols exported by PE
+      type: keyword
     process.parent.pe.file_version:
       dashed_name: process-parent-pe-file-version
       description: Internal version of the file, provided at compile-time.
@@ -6860,6 +8089,20 @@ process:
       original_fieldset: pe
       short: Process name.
       type: keyword
+    process.parent.pe.icon.hash.dhash:
+      dashed_name: process-parent-pe-icon-hash-dhash
+      description: Difference Hash (dhash) to find files with a visually similar icon
+        or thumbnail.
+      example: b806e17c8e330d82
+      flat_name: process.parent.pe.icon.hash.dhash
+      ignore_above: 1024
+      level: extended
+      name: icon.hash.dhash
+      normalize: []
+      original_fieldset: pe
+      short: Difference Hash (dhash) to find files with a visually similar icon or
+        thumbnail.
+      type: keyword
     process.parent.pe.imphash:
       dashed_name: process-parent-pe-imphash
       description: 'A hash of the imports in a PE file. An imphash -- or import hash
@@ -6876,6 +8119,30 @@ process:
       original_fieldset: pe
       short: A hash of the imports in a PE file.
       type: keyword
+    process.parent.pe.imports:
+      dashed_name: process-parent-pe-imports
+      description: List of all imported functions
+      example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
+        }'
+      flat_name: process.parent.pe.imports
+      level: extended
+      name: imports
+      normalize: []
+      original_fieldset: pe
+      short: List of all imported functions
+      type: flattened
+    process.parent.pe.machine_type:
+      dashed_name: process-parent-pe-machine-type
+      description: Machine type of the PE file.
+      example: Intel 386 or later, and compatibles
+      flat_name: process.parent.pe.machine_type
+      ignore_above: 1024
+      level: extended
+      name: machine_type
+      normalize: []
+      original_fieldset: pe
+      short: Machine type of the PE file.
+      type: keyword
     process.parent.pe.original_file_name:
       dashed_name: process-parent-pe-original-file-name
       description: Internal name of the file, provided at compile-time.
@@ -6887,6 +8154,19 @@ process:
       original_fieldset: pe
       short: Internal name of the file, provided at compile-time.
       type: wildcard
+    process.parent.pe.packers:
+      dashed_name: process-parent-pe-packers
+      description: List of packers and tools used.
+      example: '["ASPack v2.12", ".NET executable"]'
+      flat_name: process.parent.pe.packers
+      ignore_above: 1024
+      level: extended
+      name: packers
+      normalize:
+      - array
+      original_fieldset: pe
+      short: List of packers and tools used.
+      type: keyword
     process.parent.pe.product:
       dashed_name: process-parent-pe-product
       description: Internal product name of the file, provided at compile-time.
@@ -6899,6 +8179,183 @@ process:
       original_fieldset: pe
       short: Internal product name of the file, provided at compile-time.
       type: keyword
+    process.parent.pe.resources:
+      dashed_name: process-parent-pe-resources
+      description: 'An array containing an object for each PE resource, if present.
+
+        The expected fields for this nested object fall under the `resources.` prefix.'
+      flat_name: process.parent.pe.resources
+      level: extended
+      name: resources
+      normalize:
+      - array
+      original_fieldset: pe
+      short: PE resource information
+      type: nested
+    process.parent.pe.resources.chi2:
+      dashed_name: process-parent-pe-resources-chi2
+      description: Chi-square probability distribution.
+      example: -1
+      flat_name: process.parent.pe.resources.chi2
+      level: extended
+      name: resources.chi2
+      normalize: []
+      original_fieldset: pe
+      short: Chi-square probability distribution.
+      type: long
+    process.parent.pe.resources.entropy:
+      dashed_name: process-parent-pe-resources-entropy
+      description: Measurement of entropy randomness in the resources section.
+      example: 0, 1
+      flat_name: process.parent.pe.resources.entropy
+      level: extended
+      name: resources.entropy
+      normalize: []
+      original_fieldset: pe
+      short: Measurement of entropy randomness in the resources section.
+      type: long
+    process.parent.pe.resources.filetype:
+      dashed_name: process-parent-pe-resources-filetype
+      description: File type of the resources section.
+      example: Data
+      flat_name: process.parent.pe.resources.filetype
+      ignore_above: 1024
+      level: extended
+      name: resources.filetype
+      normalize: []
+      original_fieldset: pe
+      short: File type of the resources section.
+      type: keyword
+    process.parent.pe.resources.language:
+      dashed_name: process-parent-pe-resources-language
+      description: Language identification.
+      example: CHINESE SIMPLIFIED
+      flat_name: process.parent.pe.resources.language
+      ignore_above: 1024
+      level: extended
+      name: resources.language
+      normalize: []
+      original_fieldset: pe
+      short: Language identification.
+      type: keyword
+    process.parent.pe.resources.sha256:
+      dashed_name: process-parent-pe-resources-sha256
+      description: SHA256 hash of resources section.
+      example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+      flat_name: process.parent.pe.resources.sha256
+      ignore_above: 1024
+      level: extended
+      name: resources.sha256
+      normalize: []
+      original_fieldset: pe
+      short: SHA256 hash of resources section.
+      type: keyword
+    process.parent.pe.resources.type:
+      dashed_name: process-parent-pe-resources-type
+      description: Digest of resource types.
+      example: '["RT_VERSION", "RT_MANIFEST"]'
+      flat_name: process.parent.pe.resources.type
+      ignore_above: 1024
+      level: extended
+      name: resources.type
+      normalize:
+      - array
+      original_fieldset: pe
+      short: List of resource types.
+      type: keyword
+    process.parent.pe.rich_header.hash.md5:
+      dashed_name: process-parent-pe-rich-header-hash-md5
+      description: MD5 hash of the header for the PE file.
+      example: 5aa1aa0f2b4be70397a1e9e2b87627cd
+      flat_name: process.parent.pe.rich_header.hash.md5
+      ignore_above: 1024
+      level: extended
+      name: rich_header.hash.md5
+      normalize: []
+      original_fieldset: pe
+      short: MD5 hash of the header for the PE file.
+      type: keyword
+    process.parent.pe.sections:
+      dashed_name: process-parent-pe-sections
+      description: Data about sections of compiled binary PE
+      flat_name: process.parent.pe.sections
+      level: extended
+      name: sections
+      normalize:
+      - array
+      original_fieldset: pe
+      short: Data about sections of the compiled binary PE
+      type: nested
+    process.parent.pe.sections.chi2:
+      dashed_name: process-parent-pe-sections-chi2
+      description: Chi-square probability distribution.
+      example: 3027194
+      flat_name: process.parent.pe.sections.chi2
+      level: extended
+      name: sections.chi2
+      normalize: []
+      original_fieldset: pe
+      short: Chi-square probability distribution.
+      type: long
+    process.parent.pe.sections.entropy:
+      dashed_name: process-parent-pe-sections-entropy
+      description: Measurement of entropy randomness in the file.
+      example: 6.24
+      flat_name: process.parent.pe.sections.entropy
+      level: extended
+      name: sections.entropy
+      normalize: []
+      original_fieldset: pe
+      short: Measurement of entropy randomness in the file.
+      type: float
+    process.parent.pe.sections.flags:
+      dashed_name: process-parent-pe-sections-flags
+      description: Section flags of the file.
+      example: rx
+      flat_name: process.parent.pe.sections.flags
+      ignore_above: 1024
+      level: extended
+      name: sections.flags
+      normalize: []
+      original_fieldset: pe
+      short: Section flags of the file.
+      type: keyword
+    process.parent.pe.sections.name:
+      dashed_name: process-parent-pe-sections-name
+      description: Section names of the file.
+      example: .text, .data
+      flat_name: process.parent.pe.sections.name
+      ignore_above: 1024
+      level: extended
+      name: sections.name
+      normalize: []
+      original_fieldset: pe
+      short: Section names of the file.
+      type: keyword
+    process.parent.pe.sections.raw_size:
+      dashed_name: process-parent-pe-sections-raw-size
+      description: Size of the section or the dize of the initialized data on disk.
+      example: 198144
+      flat_name: process.parent.pe.sections.raw_size
+      format: bytes
+      level: extended
+      name: sections.raw_size
+      normalize: []
+      original_fieldset: pe
+      short: Size of the section or the dize of the initialized data on disk.
+      type: long
+    process.parent.pe.sections.virtual_address:
+      dashed_name: process-parent-pe-sections-virtual-address
+      description: Virtual address available to the file.
+      example: 8192
+      flat_name: process.parent.pe.sections.virtual_address
+      format: bytes
+      level: extended
+      name: sections.virtual_address
+      normalize: []
+      original_fieldset: pe
+      short: Virtual address available to the file.
+      type: long
     process.parent.pgid:
       dashed_name: process-parent-pgid
       description: Identifier of the group of processes the process belongs to.
@@ -7025,6 +8482,18 @@ process:
       original_fieldset: pe
       short: CPU architecture target for the file.
       type: keyword
+    process.pe.authentihash:
+      dashed_name: process-pe-authentihash
+      description: Authentihash of the PE file.
+      example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
+      flat_name: process.pe.authentihash
+      ignore_above: 1024
+      level: extended
+      name: authentihash
+      normalize: []
+      original_fieldset: pe
+      short: Authentihash of the PE file.
+      type: keyword
     process.pe.company:
       dashed_name: process-pe-company
       description: Internal company name of the file, provided at compile-time.
@@ -7037,6 +8506,113 @@ process:
       original_fieldset: pe
       short: Internal company name of the file, provided at compile-time.
       type: keyword
+    process.pe.compile_timestamp:
+      dashed_name: process-pe-compile-timestamp
+      description: Compile timestamp of the PE file.
+      example: '2020-11-05T17:25:47.000Z'
+      flat_name: process.pe.compile_timestamp
+      level: extended
+      name: compile_timestamp
+      normalize: []
+      original_fieldset: pe
+      short: Compile timestamp of the PE file.
+      type: date
+    process.pe.compiler.name:
+      dashed_name: process-pe-compiler-name
+      description: Name of the compiler
+      example: Clang
+      flat_name: process.pe.compiler.name
+      ignore_above: 1024
+      level: extended
+      name: compiler.name
+      normalize: []
+      original_fieldset: pe
+      short: Name of the compiler
+      type: keyword
+    process.pe.compiler.version:
+      dashed_name: process-pe-compiler-version
+      description: Version of the compiler.
+      example: 11.0.0
+      flat_name: process.pe.compiler.version
+      ignore_above: 1024
+      level: extended
+      name: compiler.version
+      normalize: []
+      original_fieldset: pe
+      short: Version of the compiler.
+      type: keyword
+    process.pe.creation_date:
+      dashed_name: process-pe-creation-date
+      description: Extracted when possible from the file's metadata. Indicates when
+        it was built or compiled. It can also be faked by malware creators.
+      example: '2020-11-05T17:25:47.000Z'
+      flat_name: process.pe.creation_date
+      level: extended
+      name: creation_date
+      normalize: []
+      original_fieldset: pe
+      short: Build or compile date.
+      type: date
+    process.pe.debug:
+      dashed_name: process-pe-debug
+      description: 'An array containing an object for each debug entry, if present.
+
+        The expected fields for this nested object fall under the `debug.` prefix.'
+      flat_name: process.pe.debug
+      level: extended
+      name: debug
+      normalize:
+      - array
+      original_fieldset: pe
+      short: Debug information
+      type: nested
+    process.pe.debug.offset:
+      dashed_name: process-pe-debug-offset
+      description: Debug offset information.
+      example: 1296336
+      flat_name: process.pe.debug.offset
+      ignore_above: 1024
+      level: extended
+      name: debug.offset
+      normalize: []
+      original_fieldset: pe
+      short: Debug offset information.
+      type: keyword
+    process.pe.debug.size:
+      dashed_name: process-pe-debug-size
+      description: Size of the debug information.
+      example: 816
+      flat_name: process.pe.debug.size
+      format: bytes
+      level: extended
+      name: debug.size
+      normalize: []
+      original_fieldset: pe
+      short: Size of the debug information.
+      type: long
+    process.pe.debug.timestamp:
+      dashed_name: process-pe-debug-timestamp
+      description: Timestamp of the debug information.
+      example: '2020-11-05T17:25:47.000Z'
+      flat_name: process.pe.debug.timestamp
+      level: extended
+      name: debug.timestamp
+      normalize: []
+      original_fieldset: pe
+      short: Timestamp of the debug information.
+      type: date
+    process.pe.debug.type:
+      dashed_name: process-pe-debug-type
+      description: Information type generated by the debug options.
+      example: IMAGE_DEBUG_TYPE_POGO
+      flat_name: process.pe.debug.type
+      ignore_above: 1024
+      level: extended
+      name: debug.type
+      normalize: []
+      original_fieldset: pe
+      short: Information type generated by the debug options.
+      type: keyword
     process.pe.description:
       dashed_name: process-pe-description
       description: Internal description of the file, provided at compile-time.
@@ -7049,6 +8625,31 @@ process:
       original_fieldset: pe
       short: Internal description of the file, provided at compile-time.
       type: keyword
+    process.pe.entry_point:
+      dashed_name: process-pe-entry-point
+      description: Relative byte offset to the base of the PE file.
+      example: 25856
+      flat_name: process.pe.entry_point
+      ignore_above: 1024
+      level: extended
+      name: entry_point
+      normalize: []
+      original_fieldset: pe
+      short: Relative byte offset to the base of the PE file.
+      type: keyword
+    process.pe.exports:
+      dashed_name: process-pe-exports
+      description: List of symbols exported by PE
+      example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
+      flat_name: process.pe.exports
+      ignore_above: 1024
+      level: extended
+      name: exports
+      normalize:
+      - array
+      original_fieldset: pe
+      short: List of symbols exported by PE
+      type: keyword
     process.pe.file_version:
       dashed_name: process-pe-file-version
       description: Internal version of the file, provided at compile-time.
@@ -7061,6 +8662,20 @@ process:
       original_fieldset: pe
       short: Process name.
       type: keyword
+    process.pe.icon.hash.dhash:
+      dashed_name: process-pe-icon-hash-dhash
+      description: Difference Hash (dhash) to find files with a visually similar icon
+        or thumbnail.
+      example: b806e17c8e330d82
+      flat_name: process.pe.icon.hash.dhash
+      ignore_above: 1024
+      level: extended
+      name: icon.hash.dhash
+      normalize: []
+      original_fieldset: pe
+      short: Difference Hash (dhash) to find files with a visually similar icon or
+        thumbnail.
+      type: keyword
     process.pe.imphash:
       dashed_name: process-pe-imphash
       description: 'A hash of the imports in a PE file. An imphash -- or import hash
@@ -7077,6 +8692,30 @@ process:
       original_fieldset: pe
       short: A hash of the imports in a PE file.
       type: keyword
+    process.pe.imports:
+      dashed_name: process-pe-imports
+      description: List of all imported functions
+      example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
+        }'
+      flat_name: process.pe.imports
+      level: extended
+      name: imports
+      normalize: []
+      original_fieldset: pe
+      short: List of all imported functions
+      type: flattened
+    process.pe.machine_type:
+      dashed_name: process-pe-machine-type
+      description: Machine type of the PE file.
+      example: Intel 386 or later, and compatibles
+      flat_name: process.pe.machine_type
+      ignore_above: 1024
+      level: extended
+      name: machine_type
+      normalize: []
+      original_fieldset: pe
+      short: Machine type of the PE file.
+      type: keyword
     process.pe.original_file_name:
       dashed_name: process-pe-original-file-name
       description: Internal name of the file, provided at compile-time.
@@ -7088,6 +8727,19 @@ process:
       original_fieldset: pe
       short: Internal name of the file, provided at compile-time.
       type: wildcard
+    process.pe.packers:
+      dashed_name: process-pe-packers
+      description: List of packers and tools used.
+      example: '["ASPack v2.12", ".NET executable"]'
+      flat_name: process.pe.packers
+      ignore_above: 1024
+      level: extended
+      name: packers
+      normalize:
+      - array
+      original_fieldset: pe
+      short: List of packers and tools used.
+      type: keyword
     process.pe.product:
       dashed_name: process-pe-product
       description: Internal product name of the file, provided at compile-time.
@@ -7100,6 +8752,183 @@ process:
       original_fieldset: pe
       short: Internal product name of the file, provided at compile-time.
       type: keyword
+    process.pe.resources:
+      dashed_name: process-pe-resources
+      description: 'An array containing an object for each PE resource, if present.
+
+        The expected fields for this nested object fall under the `resources.` prefix.'
+      flat_name: process.pe.resources
+      level: extended
+      name: resources
+      normalize:
+      - array
+      original_fieldset: pe
+      short: PE resource information
+      type: nested
+    process.pe.resources.chi2:
+      dashed_name: process-pe-resources-chi2
+      description: Chi-square probability distribution.
+      example: -1
+      flat_name: process.pe.resources.chi2
+      level: extended
+      name: resources.chi2
+      normalize: []
+      original_fieldset: pe
+      short: Chi-square probability distribution.
+      type: long
+    process.pe.resources.entropy:
+      dashed_name: process-pe-resources-entropy
+      description: Measurement of entropy randomness in the resources section.
+      example: 0, 1
+      flat_name: process.pe.resources.entropy
+      level: extended
+      name: resources.entropy
+      normalize: []
+      original_fieldset: pe
+      short: Measurement of entropy randomness in the resources section.
+      type: long
+    process.pe.resources.filetype:
+      dashed_name: process-pe-resources-filetype
+      description: File type of the resources section.
+      example: Data
+      flat_name: process.pe.resources.filetype
+      ignore_above: 1024
+      level: extended
+      name: resources.filetype
+      normalize: []
+      original_fieldset: pe
+      short: File type of the resources section.
+      type: keyword
+    process.pe.resources.language:
+      dashed_name: process-pe-resources-language
+      description: Language identification.
+      example: CHINESE SIMPLIFIED
+      flat_name: process.pe.resources.language
+      ignore_above: 1024
+      level: extended
+      name: resources.language
+      normalize: []
+      original_fieldset: pe
+      short: Language identification.
+      type: keyword
+    process.pe.resources.sha256:
+      dashed_name: process-pe-resources-sha256
+      description: SHA256 hash of resources section.
+      example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+      flat_name: process.pe.resources.sha256
+      ignore_above: 1024
+      level: extended
+      name: resources.sha256
+      normalize: []
+      original_fieldset: pe
+      short: SHA256 hash of resources section.
+      type: keyword
+    process.pe.resources.type:
+      dashed_name: process-pe-resources-type
+      description: Digest of resource types.
+      example: '["RT_VERSION", "RT_MANIFEST"]'
+      flat_name: process.pe.resources.type
+      ignore_above: 1024
+      level: extended
+      name: resources.type
+      normalize:
+      - array
+      original_fieldset: pe
+      short: List of resource types.
+      type: keyword
+    process.pe.rich_header.hash.md5:
+      dashed_name: process-pe-rich-header-hash-md5
+      description: MD5 hash of the header for the PE file.
+      example: 5aa1aa0f2b4be70397a1e9e2b87627cd
+      flat_name: process.pe.rich_header.hash.md5
+      ignore_above: 1024
+      level: extended
+      name: rich_header.hash.md5
+      normalize: []
+      original_fieldset: pe
+      short: MD5 hash of the header for the PE file.
+      type: keyword
+    process.pe.sections:
+      dashed_name: process-pe-sections
+      description: Data about sections of compiled binary PE
+      flat_name: process.pe.sections
+      level: extended
+      name: sections
+      normalize:
+      - array
+      original_fieldset: pe
+      short: Data about sections of the compiled binary PE
+      type: nested
+    process.pe.sections.chi2:
+      dashed_name: process-pe-sections-chi2
+      description: Chi-square probability distribution.
+      example: 3027194
+      flat_name: process.pe.sections.chi2
+      level: extended
+      name: sections.chi2
+      normalize: []
+      original_fieldset: pe
+      short: Chi-square probability distribution.
+      type: long
+    process.pe.sections.entropy:
+      dashed_name: process-pe-sections-entropy
+      description: Measurement of entropy randomness in the file.
+      example: 6.24
+      flat_name: process.pe.sections.entropy
+      level: extended
+      name: sections.entropy
+      normalize: []
+      original_fieldset: pe
+      short: Measurement of entropy randomness in the file.
+      type: float
+    process.pe.sections.flags:
+      dashed_name: process-pe-sections-flags
+      description: Section flags of the file.
+      example: rx
+      flat_name: process.pe.sections.flags
+      ignore_above: 1024
+      level: extended
+      name: sections.flags
+      normalize: []
+      original_fieldset: pe
+      short: Section flags of the file.
+      type: keyword
+    process.pe.sections.name:
+      dashed_name: process-pe-sections-name
+      description: Section names of the file.
+      example: .text, .data
+      flat_name: process.pe.sections.name
+      ignore_above: 1024
+      level: extended
+      name: sections.name
+      normalize: []
+      original_fieldset: pe
+      short: Section names of the file.
+      type: keyword
+    process.pe.sections.raw_size:
+      dashed_name: process-pe-sections-raw-size
+      description: Size of the section or the dize of the initialized data on disk.
+      example: 198144
+      flat_name: process.pe.sections.raw_size
+      format: bytes
+      level: extended
+      name: sections.raw_size
+      normalize: []
+      original_fieldset: pe
+      short: Size of the section or the dize of the initialized data on disk.
+      type: long
+    process.pe.sections.virtual_address:
+      dashed_name: process-pe-sections-virtual-address
+      description: Virtual address available to the file.
+      example: 8192
+      flat_name: process.pe.sections.virtual_address
+      format: bytes
+      level: extended
+      name: sections.virtual_address
+      normalize: []
+      original_fieldset: pe
+      short: Virtual address available to the file.
+      type: long
     process.pgid:
       dashed_name: process-pgid
       description: Identifier of the group of processes the process belongs to.
diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json
index 451c03c849..ae2eb9f34b 100644
--- a/experimental/generated/elasticsearch/7/template.json
+++ b/experimental/generated/elasticsearch/7/template.json
@@ -568,28 +568,164 @@
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "authentihash": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "company": {
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "compile_timestamp": {
+                "type": "date"
+              },
+              "compiler": {
+                "properties": {
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "version": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "creation_date": {
+                "type": "date"
+              },
+              "debug": {
+                "properties": {
+                  "offset": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "size": {
+                    "type": "long"
+                  },
+                  "timestamp": {
+                    "type": "date"
+                  },
+                  "type": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                },
+                "type": "nested"
+              },
               "description": {
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "entry_point": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "exports": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "file_version": {
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "icon": {
+                "properties": {
+                  "hash": {
+                    "properties": {
+                      "dhash": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      }
+                    }
+                  }
+                }
+              },
               "imphash": {
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "imports": {
+                "type": "flattened"
+              },
+              "machine_type": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "original_file_name": {
                 "type": "wildcard"
               },
+              "packers": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "product": {
                 "ignore_above": 1024,
                 "type": "keyword"
+              },
+              "resources": {
+                "properties": {
+                  "chi2": {
+                    "type": "long"
+                  },
+                  "entropy": {
+                    "type": "long"
+                  },
+                  "filetype": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "language": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "sha256": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "type": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                },
+                "type": "nested"
+              },
+              "rich_header": {
+                "properties": {
+                  "hash": {
+                    "properties": {
+                      "md5": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      }
+                    }
+                  }
+                }
+              },
+              "sections": {
+                "properties": {
+                  "chi2": {
+                    "type": "long"
+                  },
+                  "entropy": {
+                    "type": "float"
+                  },
+                  "flags": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "raw_size": {
+                    "type": "long"
+                  },
+                  "virtual_address": {
+                    "type": "long"
+                  }
+                },
+                "type": "nested"
               }
             }
           }
@@ -926,28 +1062,164 @@
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "authentihash": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "company": {
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "compile_timestamp": {
+                "type": "date"
+              },
+              "compiler": {
+                "properties": {
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "version": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "creation_date": {
+                "type": "date"
+              },
+              "debug": {
+                "properties": {
+                  "offset": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "size": {
+                    "type": "long"
+                  },
+                  "timestamp": {
+                    "type": "date"
+                  },
+                  "type": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                },
+                "type": "nested"
+              },
               "description": {
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "entry_point": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "exports": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "file_version": {
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "icon": {
+                "properties": {
+                  "hash": {
+                    "properties": {
+                      "dhash": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      }
+                    }
+                  }
+                }
+              },
               "imphash": {
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "imports": {
+                "type": "flattened"
+              },
+              "machine_type": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "original_file_name": {
                 "type": "wildcard"
               },
+              "packers": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "product": {
                 "ignore_above": 1024,
                 "type": "keyword"
+              },
+              "resources": {
+                "properties": {
+                  "chi2": {
+                    "type": "long"
+                  },
+                  "entropy": {
+                    "type": "long"
+                  },
+                  "filetype": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "language": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "sha256": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "type": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                },
+                "type": "nested"
+              },
+              "rich_header": {
+                "properties": {
+                  "hash": {
+                    "properties": {
+                      "md5": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      }
+                    }
+                  }
+                }
+              },
+              "sections": {
+                "properties": {
+                  "chi2": {
+                    "type": "long"
+                  },
+                  "entropy": {
+                    "type": "float"
+                  },
+                  "flags": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "raw_size": {
+                    "type": "long"
+                  },
+                  "virtual_address": {
+                    "type": "long"
+                  }
+                },
+                "type": "nested"
               }
             }
           },
@@ -2009,28 +2281,164 @@
                     "ignore_above": 1024,
                     "type": "keyword"
                   },
+                  "authentihash": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
                   "company": {
                     "ignore_above": 1024,
                     "type": "keyword"
                   },
+                  "compile_timestamp": {
+                    "type": "date"
+                  },
+                  "compiler": {
+                    "properties": {
+                      "name": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "version": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      }
+                    }
+                  },
+                  "creation_date": {
+                    "type": "date"
+                  },
+                  "debug": {
+                    "properties": {
+                      "offset": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "size": {
+                        "type": "long"
+                      },
+                      "timestamp": {
+                        "type": "date"
+                      },
+                      "type": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      }
+                    },
+                    "type": "nested"
+                  },
                   "description": {
                     "ignore_above": 1024,
                     "type": "keyword"
                   },
+                  "entry_point": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "exports": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
                   "file_version": {
                     "ignore_above": 1024,
                     "type": "keyword"
                   },
+                  "icon": {
+                    "properties": {
+                      "hash": {
+                        "properties": {
+                          "dhash": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          }
+                        }
+                      }
+                    }
+                  },
                   "imphash": {
                     "ignore_above": 1024,
                     "type": "keyword"
                   },
+                  "imports": {
+                    "type": "flattened"
+                  },
+                  "machine_type": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
                   "original_file_name": {
                     "type": "wildcard"
                   },
+                  "packers": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
                   "product": {
                     "ignore_above": 1024,
                     "type": "keyword"
+                  },
+                  "resources": {
+                    "properties": {
+                      "chi2": {
+                        "type": "long"
+                      },
+                      "entropy": {
+                        "type": "long"
+                      },
+                      "filetype": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "language": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "sha256": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "type": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      }
+                    },
+                    "type": "nested"
+                  },
+                  "rich_header": {
+                    "properties": {
+                      "hash": {
+                        "properties": {
+                          "md5": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          }
+                        }
+                      }
+                    }
+                  },
+                  "sections": {
+                    "properties": {
+                      "chi2": {
+                        "type": "long"
+                      },
+                      "entropy": {
+                        "type": "float"
+                      },
+                      "flags": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "name": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "raw_size": {
+                        "type": "long"
+                      },
+                      "virtual_address": {
+                        "type": "long"
+                      }
+                    },
+                    "type": "nested"
                   }
                 }
               },
@@ -2085,28 +2493,164 @@
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "authentihash": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "company": {
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "compile_timestamp": {
+                "type": "date"
+              },
+              "compiler": {
+                "properties": {
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "version": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "creation_date": {
+                "type": "date"
+              },
+              "debug": {
+                "properties": {
+                  "offset": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "size": {
+                    "type": "long"
+                  },
+                  "timestamp": {
+                    "type": "date"
+                  },
+                  "type": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                },
+                "type": "nested"
+              },
               "description": {
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "entry_point": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "exports": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "file_version": {
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "icon": {
+                "properties": {
+                  "hash": {
+                    "properties": {
+                      "dhash": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      }
+                    }
+                  }
+                }
+              },
               "imphash": {
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "imports": {
+                "type": "flattened"
+              },
+              "machine_type": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "original_file_name": {
                 "type": "wildcard"
               },
+              "packers": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "product": {
                 "ignore_above": 1024,
                 "type": "keyword"
+              },
+              "resources": {
+                "properties": {
+                  "chi2": {
+                    "type": "long"
+                  },
+                  "entropy": {
+                    "type": "long"
+                  },
+                  "filetype": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "language": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "sha256": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "type": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                },
+                "type": "nested"
+              },
+              "rich_header": {
+                "properties": {
+                  "hash": {
+                    "properties": {
+                      "md5": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      }
+                    }
+                  }
+                }
+              },
+              "sections": {
+                "properties": {
+                  "chi2": {
+                    "type": "long"
+                  },
+                  "entropy": {
+                    "type": "float"
+                  },
+                  "flags": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "raw_size": {
+                    "type": "long"
+                  },
+                  "virtual_address": {
+                    "type": "long"
+                  }
+                },
+                "type": "nested"
               }
             }
           },
diff --git a/experimental/generated/elasticsearch/component/dll.json b/experimental/generated/elasticsearch/component/dll.json
index f791052452..5e7702fb92 100644
--- a/experimental/generated/elasticsearch/component/dll.json
+++ b/experimental/generated/elasticsearch/component/dll.json
@@ -67,28 +67,164 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "authentihash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "company": {
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "compile_timestamp": {
+                  "type": "date"
+                },
+                "compiler": {
+                  "properties": {
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "version": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "creation_date": {
+                  "type": "date"
+                },
+                "debug": {
+                  "properties": {
+                    "offset": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "size": {
+                      "type": "long"
+                    },
+                    "timestamp": {
+                      "type": "date"
+                    },
+                    "type": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  },
+                  "type": "nested"
+                },
                 "description": {
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "entry_point": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "exports": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "file_version": {
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "icon": {
+                  "properties": {
+                    "hash": {
+                      "properties": {
+                        "dhash": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        }
+                      }
+                    }
+                  }
+                },
                 "imphash": {
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "imports": {
+                  "type": "flattened"
+                },
+                "machine_type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "original_file_name": {
                   "type": "wildcard"
                 },
+                "packers": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "product": {
                   "ignore_above": 1024,
                   "type": "keyword"
+                },
+                "resources": {
+                  "properties": {
+                    "chi2": {
+                      "type": "long"
+                    },
+                    "entropy": {
+                      "type": "long"
+                    },
+                    "filetype": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "language": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "sha256": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "type": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  },
+                  "type": "nested"
+                },
+                "rich_header": {
+                  "properties": {
+                    "hash": {
+                      "properties": {
+                        "md5": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        }
+                      }
+                    }
+                  }
+                },
+                "sections": {
+                  "properties": {
+                    "chi2": {
+                      "type": "long"
+                    },
+                    "entropy": {
+                      "type": "float"
+                    },
+                    "flags": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "raw_size": {
+                      "type": "long"
+                    },
+                    "virtual_address": {
+                      "type": "long"
+                    }
+                  },
+                  "type": "nested"
                 }
               }
             }
diff --git a/experimental/generated/elasticsearch/component/file.json b/experimental/generated/elasticsearch/component/file.json
index 0ae17a7b92..5a5d4de0df 100644
--- a/experimental/generated/elasticsearch/component/file.json
+++ b/experimental/generated/elasticsearch/component/file.json
@@ -127,28 +127,164 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "authentihash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "company": {
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "compile_timestamp": {
+                  "type": "date"
+                },
+                "compiler": {
+                  "properties": {
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "version": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "creation_date": {
+                  "type": "date"
+                },
+                "debug": {
+                  "properties": {
+                    "offset": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "size": {
+                      "type": "long"
+                    },
+                    "timestamp": {
+                      "type": "date"
+                    },
+                    "type": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  },
+                  "type": "nested"
+                },
                 "description": {
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "entry_point": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "exports": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "file_version": {
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "icon": {
+                  "properties": {
+                    "hash": {
+                      "properties": {
+                        "dhash": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        }
+                      }
+                    }
+                  }
+                },
                 "imphash": {
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "imports": {
+                  "type": "flattened"
+                },
+                "machine_type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "original_file_name": {
                   "type": "wildcard"
                 },
+                "packers": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "product": {
                   "ignore_above": 1024,
                   "type": "keyword"
+                },
+                "resources": {
+                  "properties": {
+                    "chi2": {
+                      "type": "long"
+                    },
+                    "entropy": {
+                      "type": "long"
+                    },
+                    "filetype": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "language": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "sha256": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "type": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  },
+                  "type": "nested"
+                },
+                "rich_header": {
+                  "properties": {
+                    "hash": {
+                      "properties": {
+                        "md5": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        }
+                      }
+                    }
+                  }
+                },
+                "sections": {
+                  "properties": {
+                    "chi2": {
+                      "type": "long"
+                    },
+                    "entropy": {
+                      "type": "float"
+                    },
+                    "flags": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "raw_size": {
+                      "type": "long"
+                    },
+                    "virtual_address": {
+                      "type": "long"
+                    }
+                  },
+                  "type": "nested"
                 }
               }
             },
diff --git a/experimental/generated/elasticsearch/component/process.json b/experimental/generated/elasticsearch/component/process.json
index ed0330dafa..c5747746c8 100644
--- a/experimental/generated/elasticsearch/component/process.json
+++ b/experimental/generated/elasticsearch/component/process.json
@@ -188,28 +188,164 @@
                       "ignore_above": 1024,
                       "type": "keyword"
                     },
+                    "authentihash": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
                     "company": {
                       "ignore_above": 1024,
                       "type": "keyword"
                     },
+                    "compile_timestamp": {
+                      "type": "date"
+                    },
+                    "compiler": {
+                      "properties": {
+                        "name": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "version": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        }
+                      }
+                    },
+                    "creation_date": {
+                      "type": "date"
+                    },
+                    "debug": {
+                      "properties": {
+                        "offset": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "size": {
+                          "type": "long"
+                        },
+                        "timestamp": {
+                          "type": "date"
+                        },
+                        "type": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        }
+                      },
+                      "type": "nested"
+                    },
                     "description": {
                       "ignore_above": 1024,
                       "type": "keyword"
                     },
+                    "entry_point": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "exports": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
                     "file_version": {
                       "ignore_above": 1024,
                       "type": "keyword"
                     },
+                    "icon": {
+                      "properties": {
+                        "hash": {
+                          "properties": {
+                            "dhash": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            }
+                          }
+                        }
+                      }
+                    },
                     "imphash": {
                       "ignore_above": 1024,
                       "type": "keyword"
                     },
+                    "imports": {
+                      "type": "flattened"
+                    },
+                    "machine_type": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
                     "original_file_name": {
                       "type": "wildcard"
                     },
+                    "packers": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
                     "product": {
                       "ignore_above": 1024,
                       "type": "keyword"
+                    },
+                    "resources": {
+                      "properties": {
+                        "chi2": {
+                          "type": "long"
+                        },
+                        "entropy": {
+                          "type": "long"
+                        },
+                        "filetype": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "language": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "sha256": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "type": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        }
+                      },
+                      "type": "nested"
+                    },
+                    "rich_header": {
+                      "properties": {
+                        "hash": {
+                          "properties": {
+                            "md5": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            }
+                          }
+                        }
+                      }
+                    },
+                    "sections": {
+                      "properties": {
+                        "chi2": {
+                          "type": "long"
+                        },
+                        "entropy": {
+                          "type": "float"
+                        },
+                        "flags": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "name": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "raw_size": {
+                          "type": "long"
+                        },
+                        "virtual_address": {
+                          "type": "long"
+                        }
+                      },
+                      "type": "nested"
                     }
                   }
                 },
@@ -264,28 +400,164 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "authentihash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "company": {
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "compile_timestamp": {
+                  "type": "date"
+                },
+                "compiler": {
+                  "properties": {
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "version": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "creation_date": {
+                  "type": "date"
+                },
+                "debug": {
+                  "properties": {
+                    "offset": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "size": {
+                      "type": "long"
+                    },
+                    "timestamp": {
+                      "type": "date"
+                    },
+                    "type": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  },
+                  "type": "nested"
+                },
                 "description": {
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "entry_point": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "exports": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "file_version": {
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "icon": {
+                  "properties": {
+                    "hash": {
+                      "properties": {
+                        "dhash": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        }
+                      }
+                    }
+                  }
+                },
                 "imphash": {
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "imports": {
+                  "type": "flattened"
+                },
+                "machine_type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "original_file_name": {
                   "type": "wildcard"
                 },
+                "packers": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "product": {
                   "ignore_above": 1024,
                   "type": "keyword"
+                },
+                "resources": {
+                  "properties": {
+                    "chi2": {
+                      "type": "long"
+                    },
+                    "entropy": {
+                      "type": "long"
+                    },
+                    "filetype": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "language": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "sha256": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "type": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  },
+                  "type": "nested"
+                },
+                "rich_header": {
+                  "properties": {
+                    "hash": {
+                      "properties": {
+                        "md5": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        }
+                      }
+                    }
+                  }
+                },
+                "sections": {
+                  "properties": {
+                    "chi2": {
+                      "type": "long"
+                    },
+                    "entropy": {
+                      "type": "float"
+                    },
+                    "flags": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "raw_size": {
+                      "type": "long"
+                    },
+                    "virtual_address": {
+                      "type": "long"
+                    }
+                  },
+                  "type": "nested"
                 }
               }
             },
diff --git a/experimental/schemas/pe.yml b/experimental/schemas/pe.yml
index 77a0574348..9ed4b4da8c 100644
--- a/experimental/schemas/pe.yml
+++ b/experimental/schemas/pe.yml
@@ -3,3 +3,228 @@
   fields:
     - name: original_file_name
       type: wildcard
+
+    - name: icon.hash.dhash
+      level: extended
+      type: keyword
+      description: >
+        Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
+
+      example: b806e17c8e330d82
+
+    - name: debug
+      level: extended
+      type: nested
+      short: Debug information
+      description: >
+        An array containing an object for each debug entry, if present.
+
+        The expected fields for this nested object fall under the `debug.` prefix.
+      normalize:
+        - array
+
+    - name: debug.offset
+      level: extended
+      type: keyword
+      description: Debug offset information.
+      example: 1296336
+
+    - name: debug.size
+      level: extended
+      type: long
+      format: bytes
+      description: Size of the debug information.
+      example: 816
+
+    - name: debug.type
+      level: extended
+      type: keyword
+      description: Information type generated by the debug options.
+      example: IMAGE_DEBUG_TYPE_POGO
+
+    - name: debug.timestamp
+      level: extended
+      type: date
+      description: Timestamp of the debug information.
+      example: "2020-11-05T17:25:47.000Z"
+
+    - name: imports
+      level: extended
+      type: flattened
+      description: List of all imported functions
+      example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" }'
+
+    - name: sections
+      level: extended
+      short: Data about sections of the compiled binary PE
+      description: >
+        Data about sections of compiled binary PE
+      type: nested
+      normalize:
+        - array
+
+    - name: sections.chi2
+      level: extended
+      description: Chi-square probability distribution.
+      type: long
+      example: 3027194
+
+    - name: sections.virtual_address
+      level: extended
+      description: Virtual address available to the file.
+      type: long
+      format: bytes
+      example: 8192
+
+    - name: sections.entropy
+      level: extended
+      description: Measurement of entropy randomness in the file.
+      type: float
+      example: 6.24
+
+    - name: sections.flags
+      level: extended
+      description: Section flags of the file.
+      type: keyword
+      example: rx
+
+    - name: sections.name
+      level: extended
+      description: Section names of the file.
+      type: keyword
+      example: .text, .data
+
+    - name: sections.raw_size
+      level: extended
+      description: Size of the section or the dize of the initialized data on disk.
+      type: long
+      format: bytes
+      example: 198144
+
+    - name: resources
+      level: extended
+      type: nested
+      short: PE resource information
+      description: >
+        An array containing an object for each PE resource, if present.
+
+        The expected fields for this nested object fall under the `resources.` prefix.
+      normalize:
+        - array
+
+    - name: resources.chi2
+      level: extended
+      description: Chi-square probability distribution.
+      type: long
+      example: -1
+
+    - name: resources.filetype
+      level: extended
+      description: File type of the resources section.
+      type: keyword
+      example: Data
+
+    - name: resources.entropy
+      level: extended
+      description: Measurement of entropy randomness in the resources section.
+      type: long
+      example: 0, 1
+
+    - name: resources.sha256
+      level: extended
+      description: SHA256 hash of resources section.
+      type: keyword
+      example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+
+    - name: resources.language
+      level: extended
+      description: Language identification.
+      type: keyword
+      example: "CHINESE SIMPLIFIED"
+
+    - name: resources.type
+      level: extended
+      type: keyword
+      short: List of resource types.
+      description: >
+        Digest of resource types.
+      example: '["RT_VERSION", "RT_MANIFEST"]'
+      normalize:
+        - array
+
+    - name: exports
+      level: extended
+      type: keyword
+      description: >
+        List of symbols exported by PE
+      example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
+      normalize:
+        - array
+
+    - name: creation_date
+      level: extended
+      short: Build or compile date.
+      description: >
+        Extracted when possible from the file's metadata. Indicates when it was
+        built or compiled. It can also be faked by malware creators.
+      type: date
+      example: "2020-11-05T17:25:47.000Z"
+
+    - name: authentihash
+      level: extended
+      description: >
+        Authentihash of the PE file.
+      type: keyword
+      example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
+
+    - name: compile_timestamp
+      level: extended
+      description: >
+        Compile timestamp of the PE file.
+      type: date
+      example: "2020-11-05T17:25:47.000Z"
+
+    - name: compiler.name
+      level: extended
+      type: keyword
+      description: >
+        Name of the compiler
+      example: Clang
+
+    - name: compiler.version
+      level: extended
+      type: keyword
+      description: >
+        Version of the compiler.
+      example: 11.0.0
+
+    - name: rich_header.hash.md5
+      level: extended
+      type: keyword
+      description: >
+        MD5 hash of the header for the PE file.
+
+      example: 5aa1aa0f2b4be70397a1e9e2b87627cd
+
+    - name: entry_point
+      level: extended
+      description: >
+        Relative byte offset to the base of the PE file.
+      type: keyword
+      example: 25856
+
+    - name: machine_type
+      level: extended
+      description: >
+        Machine type of the PE file.
+      type: keyword
+      example: "Intel 386 or later, and compatibles"
+
+    - name: packers
+      level: extended
+      description: >
+        List of packers and tools used.
+      type: keyword
+      example: '["ASPack v2.12", ".NET executable"]'
+      normalize:
+        - array

From 16a60ec7f0eeb1e8fb62687cf5ba3709881fae79 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Wed, 17 Feb 2021 21:53:59 -0600
Subject: [PATCH 80/90] Add 2 fields to code_signature (#1269) (#1272)

Co-authored-by: Yamin Tian <56367679+Trinity2019@users.noreply.github.com>
---
 CHANGELOG.next.md                             |   1 +
 code/go/ecs/code_signature.go                 |  10 ++
 docs/field-details.asciidoc                   |  36 +++++
 experimental/generated/beats/fields.ecs.yml   | 100 ++++++++++++
 experimental/generated/csv/fields.csv         |   8 +
 experimental/generated/ecs/ecs_flat.yml       | 120 ++++++++++++++
 experimental/generated/ecs/ecs_nested.yml     | 148 ++++++++++++++++++
 .../generated/elasticsearch/7/template.json   |  32 ++++
 .../elasticsearch/component/dll.json          |   8 +
 .../elasticsearch/component/file.json         |   8 +
 .../elasticsearch/component/process.json      |  16 ++
 generated/beats/fields.ecs.yml                | 100 ++++++++++++
 generated/csv/fields.csv                      |   8 +
 generated/ecs/ecs_flat.yml                    | 120 ++++++++++++++
 generated/ecs/ecs_nested.yml                  | 148 ++++++++++++++++++
 generated/elasticsearch/6/template.json       |  32 ++++
 generated/elasticsearch/7/template.json       |  32 ++++
 generated/elasticsearch/component/dll.json    |   8 +
 generated/elasticsearch/component/file.json   |   8 +
 .../elasticsearch/component/process.json      |  16 ++
 schemas/code_signature.yml                    |  22 +++
 21 files changed, 981 insertions(+)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 8fe7df718f..bb9e931c49 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -23,6 +23,7 @@ Thanks, you're awesome :-) -->
 * Added additional host fields. #1248
 * Added `geo.timezone`, `geo.postal_code`, and `geo.continent_code`. #1229
 * Extended `pe` fields added to experimental schema. #1256
+* Added `code_signature.team_id`, `code_signature.signing_id`. #1249
 
 #### Improvements
 
diff --git a/code/go/ecs/code_signature.go b/code/go/ecs/code_signature.go
index df61c3b935..c13152941d 100644
--- a/code/go/ecs/code_signature.go
+++ b/code/go/ecs/code_signature.go
@@ -43,4 +43,14 @@ type CodeSignature struct {
 	// validity or trust status. Leave unpopulated if the validity or trust of
 	// the certificate was unchecked.
 	Status string `ecs:"status"`
+
+	// The team identifier used to sign the process.
+	// This is used to identify the team or vendor of a software product. The
+	// field is relevant to Apple *OS only.
+	TeamID string `ecs:"team_id"`
+
+	// The identifier used to sign the process.
+	// This is used to identify the application manufactured by a software
+	// vendor. The field is relevant to Apple *OS only.
+	SigningID string `ecs:"signing_id"`
 }
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index 56ec0e8bbe..18fd6dd687 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -782,6 +782,24 @@ example: `true`
 
 // ===============================================================
 
+|
+[[field-code-signature-signing-id]]
+<<field-code-signature-signing-id, code_signature.signing_id>>
+
+| The identifier used to sign the process.
+
+This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+
+
+example: `com.apple.xpc.proxy`
+
+| extended
+
+// ===============================================================
+
 |
 [[field-code-signature-status]]
 <<field-code-signature-status, code_signature.status>>
@@ -816,6 +834,24 @@ example: `Microsoft Corporation`
 
 // ===============================================================
 
+|
+[[field-code-signature-team-id]]
+<<field-code-signature-team-id, code_signature.team_id>>
+
+| The team identifier used to sign the process.
+
+This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+
+
+example: `EQHXZ8M8AV`
+
+| extended
+
+// ===============================================================
+
 |
 [[field-code-signature-trusted]]
 <<field-code-signature-trusted, code_signature.trusted>>
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index bad2a56e1b..1608380522 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -529,6 +529,16 @@
       description: Boolean to capture if a signature is present.
       example: 'true'
       default_field: false
+    - name: signing_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The identifier used to sign the process.
+
+        This is used to identify the application manufactured by a software vendor.
+        The field is relevant to Apple *OS only.'
+      example: com.apple.xpc.proxy
+      default_field: false
     - name: status
       level: extended
       type: keyword
@@ -547,6 +557,16 @@
       description: Subject name of the code signer
       example: Microsoft Corporation
       default_field: false
+    - name: team_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The team identifier used to sign the process.
+
+        This is used to identify the team or vendor of a software product. The field
+        is relevant to Apple *OS only.'
+      example: EQHXZ8M8AV
+      default_field: false
     - name: trusted
       level: extended
       type: boolean
@@ -951,6 +971,16 @@
       description: Boolean to capture if a signature is present.
       example: 'true'
       default_field: false
+    - name: code_signature.signing_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The identifier used to sign the process.
+
+        This is used to identify the application manufactured by a software vendor.
+        The field is relevant to Apple *OS only.'
+      example: com.apple.xpc.proxy
+      default_field: false
     - name: code_signature.status
       level: extended
       type: keyword
@@ -969,6 +999,16 @@
       description: Subject name of the code signer
       example: Microsoft Corporation
       default_field: false
+    - name: code_signature.team_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The team identifier used to sign the process.
+
+        This is used to identify the team or vendor of a software product. The field
+        is relevant to Apple *OS only.'
+      example: EQHXZ8M8AV
+      default_field: false
     - name: code_signature.trusted
       level: extended
       type: boolean
@@ -1846,6 +1886,16 @@
       description: Boolean to capture if a signature is present.
       example: 'true'
       default_field: false
+    - name: code_signature.signing_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The identifier used to sign the process.
+
+        This is used to identify the application manufactured by a software vendor.
+        The field is relevant to Apple *OS only.'
+      example: com.apple.xpc.proxy
+      default_field: false
     - name: code_signature.status
       level: extended
       type: keyword
@@ -1864,6 +1914,16 @@
       description: Subject name of the code signer
       example: Microsoft Corporation
       default_field: false
+    - name: code_signature.team_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The team identifier used to sign the process.
+
+        This is used to identify the team or vendor of a software product. The field
+        is relevant to Apple *OS only.'
+      example: EQHXZ8M8AV
+      default_field: false
     - name: code_signature.trusted
       level: extended
       type: boolean
@@ -4196,6 +4256,16 @@
       description: Boolean to capture if a signature is present.
       example: 'true'
       default_field: false
+    - name: code_signature.signing_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The identifier used to sign the process.
+
+        This is used to identify the application manufactured by a software vendor.
+        The field is relevant to Apple *OS only.'
+      example: com.apple.xpc.proxy
+      default_field: false
     - name: code_signature.status
       level: extended
       type: keyword
@@ -4214,6 +4284,16 @@
       description: Subject name of the code signer
       example: Microsoft Corporation
       default_field: false
+    - name: code_signature.team_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The team identifier used to sign the process.
+
+        This is used to identify the team or vendor of a software product. The field
+        is relevant to Apple *OS only.'
+      example: EQHXZ8M8AV
+      default_field: false
     - name: code_signature.trusted
       level: extended
       type: boolean
@@ -4343,6 +4423,16 @@
       description: Boolean to capture if a signature is present.
       example: 'true'
       default_field: false
+    - name: parent.code_signature.signing_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The identifier used to sign the process.
+
+        This is used to identify the application manufactured by a software vendor.
+        The field is relevant to Apple *OS only.'
+      example: com.apple.xpc.proxy
+      default_field: false
     - name: parent.code_signature.status
       level: extended
       type: keyword
@@ -4361,6 +4451,16 @@
       description: Subject name of the code signer
       example: Microsoft Corporation
       default_field: false
+    - name: parent.code_signature.team_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The team identifier used to sign the process.
+
+        This is used to identify the team or vendor of a software product. The field
+        is relevant to Apple *OS only.'
+      example: EQHXZ8M8AV
+      default_field: false
     - name: parent.code_signature.trusted
       level: extended
       type: boolean
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
index 0bde23311a..e21b1815e0 100644
--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -106,8 +106,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user.
 1.9.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.9.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.9.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
 1.9.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 1.9.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.9.0-dev+exp,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
 1.9.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
 1.9.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
 1.9.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash.
@@ -208,8 +210,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed.
 1.9.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
 1.9.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.9.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
 1.9.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 1.9.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.9.0-dev+exp,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
 1.9.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
 1.9.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
 1.9.0-dev+exp,true,file,file.created,date,extended,,,File creation time.
@@ -457,8 +461,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
 1.9.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array.
 1.9.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.9.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
 1.9.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 1.9.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.9.0-dev+exp,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
 1.9.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
 1.9.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
 1.9.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
@@ -477,8 +483,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
 1.9.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
 1.9.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.9.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
 1.9.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 1.9.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.9.0-dev+exp,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
 1.9.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
 1.9.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
 1.9.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index ee97af19e6..a166c0bc37 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -1255,6 +1255,21 @@ dll.code_signature.exists:
   original_fieldset: code_signature
   short: Boolean to capture if a signature is present.
   type: boolean
+dll.code_signature.signing_id:
+  dashed_name: dll-code-signature-signing-id
+  description: 'The identifier used to sign the process.
+
+    This is used to identify the application manufactured by a software vendor. The
+    field is relevant to Apple *OS only.'
+  example: com.apple.xpc.proxy
+  flat_name: dll.code_signature.signing_id
+  ignore_above: 1024
+  level: extended
+  name: signing_id
+  normalize: []
+  original_fieldset: code_signature
+  short: The identifier used to sign the process.
+  type: keyword
 dll.code_signature.status:
   dashed_name: dll-code-signature-status
   description: 'Additional information about the certificate status.
@@ -1283,6 +1298,21 @@ dll.code_signature.subject_name:
   original_fieldset: code_signature
   short: Subject name of the code signer
   type: keyword
+dll.code_signature.team_id:
+  dashed_name: dll-code-signature-team-id
+  description: 'The team identifier used to sign the process.
+
+    This is used to identify the team or vendor of a software product. The field is
+    relevant to Apple *OS only.'
+  example: EQHXZ8M8AV
+  flat_name: dll.code_signature.team_id
+  ignore_above: 1024
+  level: extended
+  name: team_id
+  normalize: []
+  original_fieldset: code_signature
+  short: The team identifier used to sign the process.
+  type: keyword
 dll.code_signature.trusted:
   dashed_name: dll-code-signature-trusted
   description: 'Stores the trust status of the certificate chain.
@@ -2954,6 +2984,21 @@ file.code_signature.exists:
   original_fieldset: code_signature
   short: Boolean to capture if a signature is present.
   type: boolean
+file.code_signature.signing_id:
+  dashed_name: file-code-signature-signing-id
+  description: 'The identifier used to sign the process.
+
+    This is used to identify the application manufactured by a software vendor. The
+    field is relevant to Apple *OS only.'
+  example: com.apple.xpc.proxy
+  flat_name: file.code_signature.signing_id
+  ignore_above: 1024
+  level: extended
+  name: signing_id
+  normalize: []
+  original_fieldset: code_signature
+  short: The identifier used to sign the process.
+  type: keyword
 file.code_signature.status:
   dashed_name: file-code-signature-status
   description: 'Additional information about the certificate status.
@@ -2982,6 +3027,21 @@ file.code_signature.subject_name:
   original_fieldset: code_signature
   short: Subject name of the code signer
   type: keyword
+file.code_signature.team_id:
+  dashed_name: file-code-signature-team-id
+  description: 'The team identifier used to sign the process.
+
+    This is used to identify the team or vendor of a software product. The field is
+    relevant to Apple *OS only.'
+  example: EQHXZ8M8AV
+  flat_name: file.code_signature.team_id
+  ignore_above: 1024
+  level: extended
+  name: team_id
+  normalize: []
+  original_fieldset: code_signature
+  short: The team identifier used to sign the process.
+  type: keyword
 file.code_signature.trusted:
   dashed_name: file-code-signature-trusted
   description: 'Stores the trust status of the certificate chain.
@@ -5977,6 +6037,21 @@ process.code_signature.exists:
   original_fieldset: code_signature
   short: Boolean to capture if a signature is present.
   type: boolean
+process.code_signature.signing_id:
+  dashed_name: process-code-signature-signing-id
+  description: 'The identifier used to sign the process.
+
+    This is used to identify the application manufactured by a software vendor. The
+    field is relevant to Apple *OS only.'
+  example: com.apple.xpc.proxy
+  flat_name: process.code_signature.signing_id
+  ignore_above: 1024
+  level: extended
+  name: signing_id
+  normalize: []
+  original_fieldset: code_signature
+  short: The identifier used to sign the process.
+  type: keyword
 process.code_signature.status:
   dashed_name: process-code-signature-status
   description: 'Additional information about the certificate status.
@@ -6005,6 +6080,21 @@ process.code_signature.subject_name:
   original_fieldset: code_signature
   short: Subject name of the code signer
   type: keyword
+process.code_signature.team_id:
+  dashed_name: process-code-signature-team-id
+  description: 'The team identifier used to sign the process.
+
+    This is used to identify the team or vendor of a software product. The field is
+    relevant to Apple *OS only.'
+  example: EQHXZ8M8AV
+  flat_name: process.code_signature.team_id
+  ignore_above: 1024
+  level: extended
+  name: team_id
+  normalize: []
+  original_fieldset: code_signature
+  short: The team identifier used to sign the process.
+  type: keyword
 process.code_signature.trusted:
   dashed_name: process-code-signature-trusted
   description: 'Stores the trust status of the certificate chain.
@@ -6213,6 +6303,21 @@ process.parent.code_signature.exists:
   original_fieldset: code_signature
   short: Boolean to capture if a signature is present.
   type: boolean
+process.parent.code_signature.signing_id:
+  dashed_name: process-parent-code-signature-signing-id
+  description: 'The identifier used to sign the process.
+
+    This is used to identify the application manufactured by a software vendor. The
+    field is relevant to Apple *OS only.'
+  example: com.apple.xpc.proxy
+  flat_name: process.parent.code_signature.signing_id
+  ignore_above: 1024
+  level: extended
+  name: signing_id
+  normalize: []
+  original_fieldset: code_signature
+  short: The identifier used to sign the process.
+  type: keyword
 process.parent.code_signature.status:
   dashed_name: process-parent-code-signature-status
   description: 'Additional information about the certificate status.
@@ -6241,6 +6346,21 @@ process.parent.code_signature.subject_name:
   original_fieldset: code_signature
   short: Subject name of the code signer
   type: keyword
+process.parent.code_signature.team_id:
+  dashed_name: process-parent-code-signature-team-id
+  description: 'The team identifier used to sign the process.
+
+    This is used to identify the team or vendor of a software product. The field is
+    relevant to Apple *OS only.'
+  example: EQHXZ8M8AV
+  flat_name: process.parent.code_signature.team_id
+  ignore_above: 1024
+  level: extended
+  name: team_id
+  normalize: []
+  original_fieldset: code_signature
+  short: The team identifier used to sign the process.
+  type: keyword
 process.parent.code_signature.trusted:
   dashed_name: process-parent-code-signature-trusted
   description: 'Stores the trust status of the certificate chain.
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index 4ce5d1a3ea..5c39e8b51f 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -880,6 +880,20 @@ code_signature:
       normalize: []
       short: Boolean to capture if a signature is present.
       type: boolean
+    code_signature.signing_id:
+      dashed_name: code-signature-signing-id
+      description: 'The identifier used to sign the process.
+
+        This is used to identify the application manufactured by a software vendor.
+        The field is relevant to Apple *OS only.'
+      example: com.apple.xpc.proxy
+      flat_name: code_signature.signing_id
+      ignore_above: 1024
+      level: extended
+      name: signing_id
+      normalize: []
+      short: The identifier used to sign the process.
+      type: keyword
     code_signature.status:
       dashed_name: code-signature-status
       description: 'Additional information about the certificate status.
@@ -906,6 +920,20 @@ code_signature:
       normalize: []
       short: Subject name of the code signer
       type: keyword
+    code_signature.team_id:
+      dashed_name: code-signature-team-id
+      description: 'The team identifier used to sign the process.
+
+        This is used to identify the team or vendor of a software product. The field
+        is relevant to Apple *OS only.'
+      example: EQHXZ8M8AV
+      flat_name: code_signature.team_id
+      ignore_above: 1024
+      level: extended
+      name: team_id
+      normalize: []
+      short: The team identifier used to sign the process.
+      type: keyword
     code_signature.trusted:
       dashed_name: code-signature-trusted
       description: 'Stores the trust status of the certificate chain.
@@ -1601,6 +1629,21 @@ dll:
       original_fieldset: code_signature
       short: Boolean to capture if a signature is present.
       type: boolean
+    dll.code_signature.signing_id:
+      dashed_name: dll-code-signature-signing-id
+      description: 'The identifier used to sign the process.
+
+        This is used to identify the application manufactured by a software vendor.
+        The field is relevant to Apple *OS only.'
+      example: com.apple.xpc.proxy
+      flat_name: dll.code_signature.signing_id
+      ignore_above: 1024
+      level: extended
+      name: signing_id
+      normalize: []
+      original_fieldset: code_signature
+      short: The identifier used to sign the process.
+      type: keyword
     dll.code_signature.status:
       dashed_name: dll-code-signature-status
       description: 'Additional information about the certificate status.
@@ -1629,6 +1672,21 @@ dll:
       original_fieldset: code_signature
       short: Subject name of the code signer
       type: keyword
+    dll.code_signature.team_id:
+      dashed_name: dll-code-signature-team-id
+      description: 'The team identifier used to sign the process.
+
+        This is used to identify the team or vendor of a software product. The field
+        is relevant to Apple *OS only.'
+      example: EQHXZ8M8AV
+      flat_name: dll.code_signature.team_id
+      ignore_above: 1024
+      level: extended
+      name: team_id
+      normalize: []
+      original_fieldset: code_signature
+      short: The team identifier used to sign the process.
+      type: keyword
     dll.code_signature.trusted:
       dashed_name: dll-code-signature-trusted
       description: 'Stores the trust status of the certificate chain.
@@ -3403,6 +3461,21 @@ file:
       original_fieldset: code_signature
       short: Boolean to capture if a signature is present.
       type: boolean
+    file.code_signature.signing_id:
+      dashed_name: file-code-signature-signing-id
+      description: 'The identifier used to sign the process.
+
+        This is used to identify the application manufactured by a software vendor.
+        The field is relevant to Apple *OS only.'
+      example: com.apple.xpc.proxy
+      flat_name: file.code_signature.signing_id
+      ignore_above: 1024
+      level: extended
+      name: signing_id
+      normalize: []
+      original_fieldset: code_signature
+      short: The identifier used to sign the process.
+      type: keyword
     file.code_signature.status:
       dashed_name: file-code-signature-status
       description: 'Additional information about the certificate status.
@@ -3431,6 +3504,21 @@ file:
       original_fieldset: code_signature
       short: Subject name of the code signer
       type: keyword
+    file.code_signature.team_id:
+      dashed_name: file-code-signature-team-id
+      description: 'The team identifier used to sign the process.
+
+        This is used to identify the team or vendor of a software product. The field
+        is relevant to Apple *OS only.'
+      example: EQHXZ8M8AV
+      flat_name: file.code_signature.team_id
+      ignore_above: 1024
+      level: extended
+      name: team_id
+      normalize: []
+      original_fieldset: code_signature
+      short: The team identifier used to sign the process.
+      type: keyword
     file.code_signature.trusted:
       dashed_name: file-code-signature-trusted
       description: 'Stores the trust status of the certificate chain.
@@ -7462,6 +7550,21 @@ process:
       original_fieldset: code_signature
       short: Boolean to capture if a signature is present.
       type: boolean
+    process.code_signature.signing_id:
+      dashed_name: process-code-signature-signing-id
+      description: 'The identifier used to sign the process.
+
+        This is used to identify the application manufactured by a software vendor.
+        The field is relevant to Apple *OS only.'
+      example: com.apple.xpc.proxy
+      flat_name: process.code_signature.signing_id
+      ignore_above: 1024
+      level: extended
+      name: signing_id
+      normalize: []
+      original_fieldset: code_signature
+      short: The identifier used to sign the process.
+      type: keyword
     process.code_signature.status:
       dashed_name: process-code-signature-status
       description: 'Additional information about the certificate status.
@@ -7490,6 +7593,21 @@ process:
       original_fieldset: code_signature
       short: Subject name of the code signer
       type: keyword
+    process.code_signature.team_id:
+      dashed_name: process-code-signature-team-id
+      description: 'The team identifier used to sign the process.
+
+        This is used to identify the team or vendor of a software product. The field
+        is relevant to Apple *OS only.'
+      example: EQHXZ8M8AV
+      flat_name: process.code_signature.team_id
+      ignore_above: 1024
+      level: extended
+      name: team_id
+      normalize: []
+      original_fieldset: code_signature
+      short: The team identifier used to sign the process.
+      type: keyword
     process.code_signature.trusted:
       dashed_name: process-code-signature-trusted
       description: 'Stores the trust status of the certificate chain.
@@ -7698,6 +7816,21 @@ process:
       original_fieldset: code_signature
       short: Boolean to capture if a signature is present.
       type: boolean
+    process.parent.code_signature.signing_id:
+      dashed_name: process-parent-code-signature-signing-id
+      description: 'The identifier used to sign the process.
+
+        This is used to identify the application manufactured by a software vendor.
+        The field is relevant to Apple *OS only.'
+      example: com.apple.xpc.proxy
+      flat_name: process.parent.code_signature.signing_id
+      ignore_above: 1024
+      level: extended
+      name: signing_id
+      normalize: []
+      original_fieldset: code_signature
+      short: The identifier used to sign the process.
+      type: keyword
     process.parent.code_signature.status:
       dashed_name: process-parent-code-signature-status
       description: 'Additional information about the certificate status.
@@ -7726,6 +7859,21 @@ process:
       original_fieldset: code_signature
       short: Subject name of the code signer
       type: keyword
+    process.parent.code_signature.team_id:
+      dashed_name: process-parent-code-signature-team-id
+      description: 'The team identifier used to sign the process.
+
+        This is used to identify the team or vendor of a software product. The field
+        is relevant to Apple *OS only.'
+      example: EQHXZ8M8AV
+      flat_name: process.parent.code_signature.team_id
+      ignore_above: 1024
+      level: extended
+      name: team_id
+      normalize: []
+      original_fieldset: code_signature
+      short: The team identifier used to sign the process.
+      type: keyword
     process.parent.code_signature.trusted:
       dashed_name: process-parent-code-signature-trusted
       description: 'Stores the trust status of the certificate chain.
diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json
index ae2eb9f34b..0d50f26547 100644
--- a/experimental/generated/elasticsearch/7/template.json
+++ b/experimental/generated/elasticsearch/7/template.json
@@ -514,6 +514,10 @@
               "exists": {
                 "type": "boolean"
               },
+              "signing_id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "status": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -522,6 +526,10 @@
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "team_id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "trusted": {
                 "type": "boolean"
               },
@@ -955,6 +963,10 @@
               "exists": {
                 "type": "boolean"
               },
+              "signing_id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "status": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -963,6 +975,10 @@
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "team_id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "trusted": {
                 "type": "boolean"
               },
@@ -2113,6 +2129,10 @@
               "exists": {
                 "type": "boolean"
               },
+              "signing_id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "status": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -2121,6 +2141,10 @@
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "team_id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "trusted": {
                 "type": "boolean"
               },
@@ -2201,6 +2225,10 @@
                   "exists": {
                     "type": "boolean"
                   },
+                  "signing_id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
                   "status": {
                     "ignore_above": 1024,
                     "type": "keyword"
@@ -2209,6 +2237,10 @@
                     "ignore_above": 1024,
                     "type": "keyword"
                   },
+                  "team_id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
                   "trusted": {
                     "type": "boolean"
                   },
diff --git a/experimental/generated/elasticsearch/component/dll.json b/experimental/generated/elasticsearch/component/dll.json
index 5e7702fb92..73857865a8 100644
--- a/experimental/generated/elasticsearch/component/dll.json
+++ b/experimental/generated/elasticsearch/component/dll.json
@@ -13,6 +13,10 @@
                 "exists": {
                   "type": "boolean"
                 },
+                "signing_id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "status": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -21,6 +25,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "team_id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "trusted": {
                   "type": "boolean"
                 },
diff --git a/experimental/generated/elasticsearch/component/file.json b/experimental/generated/elasticsearch/component/file.json
index 5a5d4de0df..10df6dba11 100644
--- a/experimental/generated/elasticsearch/component/file.json
+++ b/experimental/generated/elasticsearch/component/file.json
@@ -20,6 +20,10 @@
                 "exists": {
                   "type": "boolean"
                 },
+                "signing_id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "status": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -28,6 +32,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "team_id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "trusted": {
                   "type": "boolean"
                 },
diff --git a/experimental/generated/elasticsearch/component/process.json b/experimental/generated/elasticsearch/component/process.json
index c5747746c8..6433bd60cf 100644
--- a/experimental/generated/elasticsearch/component/process.json
+++ b/experimental/generated/elasticsearch/component/process.json
@@ -20,6 +20,10 @@
                 "exists": {
                   "type": "boolean"
                 },
+                "signing_id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "status": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -28,6 +32,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "team_id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "trusted": {
                   "type": "boolean"
                 },
@@ -108,6 +116,10 @@
                     "exists": {
                       "type": "boolean"
                     },
+                    "signing_id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
                     "status": {
                       "ignore_above": 1024,
                       "type": "keyword"
@@ -116,6 +128,10 @@
                       "ignore_above": 1024,
                       "type": "keyword"
                     },
+                    "team_id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
                     "trusted": {
                       "type": "boolean"
                     },
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 4e6459e331..4c51a421e6 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -538,6 +538,16 @@
       description: Boolean to capture if a signature is present.
       example: 'true'
       default_field: false
+    - name: signing_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The identifier used to sign the process.
+
+        This is used to identify the application manufactured by a software vendor.
+        The field is relevant to Apple *OS only.'
+      example: com.apple.xpc.proxy
+      default_field: false
     - name: status
       level: extended
       type: keyword
@@ -556,6 +566,16 @@
       description: Subject name of the code signer
       example: Microsoft Corporation
       default_field: false
+    - name: team_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The team identifier used to sign the process.
+
+        This is used to identify the team or vendor of a software product. The field
+        is relevant to Apple *OS only.'
+      example: EQHXZ8M8AV
+      default_field: false
     - name: trusted
       level: extended
       type: boolean
@@ -915,6 +935,16 @@
       description: Boolean to capture if a signature is present.
       example: 'true'
       default_field: false
+    - name: code_signature.signing_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The identifier used to sign the process.
+
+        This is used to identify the application manufactured by a software vendor.
+        The field is relevant to Apple *OS only.'
+      example: com.apple.xpc.proxy
+      default_field: false
     - name: code_signature.status
       level: extended
       type: keyword
@@ -933,6 +963,16 @@
       description: Subject name of the code signer
       example: Microsoft Corporation
       default_field: false
+    - name: code_signature.team_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The team identifier used to sign the process.
+
+        This is used to identify the team or vendor of a software product. The field
+        is relevant to Apple *OS only.'
+      example: EQHXZ8M8AV
+      default_field: false
     - name: code_signature.trusted
       level: extended
       type: boolean
@@ -1606,6 +1646,16 @@
       description: Boolean to capture if a signature is present.
       example: 'true'
       default_field: false
+    - name: code_signature.signing_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The identifier used to sign the process.
+
+        This is used to identify the application manufactured by a software vendor.
+        The field is relevant to Apple *OS only.'
+      example: com.apple.xpc.proxy
+      default_field: false
     - name: code_signature.status
       level: extended
       type: keyword
@@ -1624,6 +1674,16 @@
       description: Subject name of the code signer
       example: Microsoft Corporation
       default_field: false
+    - name: code_signature.team_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The team identifier used to sign the process.
+
+        This is used to identify the team or vendor of a software product. The field
+        is relevant to Apple *OS only.'
+      example: EQHXZ8M8AV
+      default_field: false
     - name: code_signature.trusted
       level: extended
       type: boolean
@@ -3562,6 +3622,16 @@
       description: Boolean to capture if a signature is present.
       example: 'true'
       default_field: false
+    - name: code_signature.signing_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The identifier used to sign the process.
+
+        This is used to identify the application manufactured by a software vendor.
+        The field is relevant to Apple *OS only.'
+      example: com.apple.xpc.proxy
+      default_field: false
     - name: code_signature.status
       level: extended
       type: keyword
@@ -3580,6 +3650,16 @@
       description: Subject name of the code signer
       example: Microsoft Corporation
       default_field: false
+    - name: code_signature.team_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The team identifier used to sign the process.
+
+        This is used to identify the team or vendor of a software product. The field
+        is relevant to Apple *OS only.'
+      example: EQHXZ8M8AV
+      default_field: false
     - name: code_signature.trusted
       level: extended
       type: boolean
@@ -3712,6 +3792,16 @@
       description: Boolean to capture if a signature is present.
       example: 'true'
       default_field: false
+    - name: parent.code_signature.signing_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The identifier used to sign the process.
+
+        This is used to identify the application manufactured by a software vendor.
+        The field is relevant to Apple *OS only.'
+      example: com.apple.xpc.proxy
+      default_field: false
     - name: parent.code_signature.status
       level: extended
       type: keyword
@@ -3730,6 +3820,16 @@
       description: Subject name of the code signer
       example: Microsoft Corporation
       default_field: false
+    - name: parent.code_signature.team_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The team identifier used to sign the process.
+
+        This is used to identify the team or vendor of a software product. The field
+        is relevant to Apple *OS only.'
+      example: EQHXZ8M8AV
+      default_field: false
     - name: parent.code_signature.trusted
       level: extended
       type: boolean
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index 8048de1277..ad9d04f737 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -103,8 +103,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user.
 1.9.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.9.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.9.0-dev,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
 1.9.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 1.9.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.9.0-dev,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
 1.9.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
 1.9.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
 1.9.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash.
@@ -174,8 +176,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed.
 1.9.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
 1.9.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.9.0-dev,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
 1.9.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 1.9.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.9.0-dev,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
 1.9.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
 1.9.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
 1.9.0-dev,true,file,file.created,date,extended,,,File creation time.
@@ -392,8 +396,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
 1.9.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array.
 1.9.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.9.0-dev,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
 1.9.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 1.9.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.9.0-dev,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
 1.9.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
 1.9.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
 1.9.0-dev,true,process,process.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
@@ -412,8 +418,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
 1.9.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
 1.9.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.9.0-dev,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
 1.9.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 1.9.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.9.0-dev,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
 1.9.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
 1.9.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
 1.9.0-dev,true,process,process.parent.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index 9057ad0999..d1b62aa903 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -1224,6 +1224,21 @@ dll.code_signature.exists:
   original_fieldset: code_signature
   short: Boolean to capture if a signature is present.
   type: boolean
+dll.code_signature.signing_id:
+  dashed_name: dll-code-signature-signing-id
+  description: 'The identifier used to sign the process.
+
+    This is used to identify the application manufactured by a software vendor. The
+    field is relevant to Apple *OS only.'
+  example: com.apple.xpc.proxy
+  flat_name: dll.code_signature.signing_id
+  ignore_above: 1024
+  level: extended
+  name: signing_id
+  normalize: []
+  original_fieldset: code_signature
+  short: The identifier used to sign the process.
+  type: keyword
 dll.code_signature.status:
   dashed_name: dll-code-signature-status
   description: 'Additional information about the certificate status.
@@ -1252,6 +1267,21 @@ dll.code_signature.subject_name:
   original_fieldset: code_signature
   short: Subject name of the code signer
   type: keyword
+dll.code_signature.team_id:
+  dashed_name: dll-code-signature-team-id
+  description: 'The team identifier used to sign the process.
+
+    This is used to identify the team or vendor of a software product. The field is
+    relevant to Apple *OS only.'
+  example: EQHXZ8M8AV
+  flat_name: dll.code_signature.team_id
+  ignore_above: 1024
+  level: extended
+  name: team_id
+  normalize: []
+  original_fieldset: code_signature
+  short: The team identifier used to sign the process.
+  type: keyword
 dll.code_signature.trusted:
   dashed_name: dll-code-signature-trusted
   description: 'Stores the trust status of the certificate chain.
@@ -2559,6 +2589,21 @@ file.code_signature.exists:
   original_fieldset: code_signature
   short: Boolean to capture if a signature is present.
   type: boolean
+file.code_signature.signing_id:
+  dashed_name: file-code-signature-signing-id
+  description: 'The identifier used to sign the process.
+
+    This is used to identify the application manufactured by a software vendor. The
+    field is relevant to Apple *OS only.'
+  example: com.apple.xpc.proxy
+  flat_name: file.code_signature.signing_id
+  ignore_above: 1024
+  level: extended
+  name: signing_id
+  normalize: []
+  original_fieldset: code_signature
+  short: The identifier used to sign the process.
+  type: keyword
 file.code_signature.status:
   dashed_name: file-code-signature-status
   description: 'Additional information about the certificate status.
@@ -2587,6 +2632,21 @@ file.code_signature.subject_name:
   original_fieldset: code_signature
   short: Subject name of the code signer
   type: keyword
+file.code_signature.team_id:
+  dashed_name: file-code-signature-team-id
+  description: 'The team identifier used to sign the process.
+
+    This is used to identify the team or vendor of a software product. The field is
+    relevant to Apple *OS only.'
+  example: EQHXZ8M8AV
+  flat_name: file.code_signature.team_id
+  ignore_above: 1024
+  level: extended
+  name: team_id
+  normalize: []
+  original_fieldset: code_signature
+  short: The team identifier used to sign the process.
+  type: keyword
 file.code_signature.trusted:
   dashed_name: file-code-signature-trusted
   description: 'Stores the trust status of the certificate chain.
@@ -5233,6 +5293,21 @@ process.code_signature.exists:
   original_fieldset: code_signature
   short: Boolean to capture if a signature is present.
   type: boolean
+process.code_signature.signing_id:
+  dashed_name: process-code-signature-signing-id
+  description: 'The identifier used to sign the process.
+
+    This is used to identify the application manufactured by a software vendor. The
+    field is relevant to Apple *OS only.'
+  example: com.apple.xpc.proxy
+  flat_name: process.code_signature.signing_id
+  ignore_above: 1024
+  level: extended
+  name: signing_id
+  normalize: []
+  original_fieldset: code_signature
+  short: The identifier used to sign the process.
+  type: keyword
 process.code_signature.status:
   dashed_name: process-code-signature-status
   description: 'Additional information about the certificate status.
@@ -5261,6 +5336,21 @@ process.code_signature.subject_name:
   original_fieldset: code_signature
   short: Subject name of the code signer
   type: keyword
+process.code_signature.team_id:
+  dashed_name: process-code-signature-team-id
+  description: 'The team identifier used to sign the process.
+
+    This is used to identify the team or vendor of a software product. The field is
+    relevant to Apple *OS only.'
+  example: EQHXZ8M8AV
+  flat_name: process.code_signature.team_id
+  ignore_above: 1024
+  level: extended
+  name: team_id
+  normalize: []
+  original_fieldset: code_signature
+  short: The team identifier used to sign the process.
+  type: keyword
 process.code_signature.trusted:
   dashed_name: process-code-signature-trusted
   description: 'Stores the trust status of the certificate chain.
@@ -5472,6 +5562,21 @@ process.parent.code_signature.exists:
   original_fieldset: code_signature
   short: Boolean to capture if a signature is present.
   type: boolean
+process.parent.code_signature.signing_id:
+  dashed_name: process-parent-code-signature-signing-id
+  description: 'The identifier used to sign the process.
+
+    This is used to identify the application manufactured by a software vendor. The
+    field is relevant to Apple *OS only.'
+  example: com.apple.xpc.proxy
+  flat_name: process.parent.code_signature.signing_id
+  ignore_above: 1024
+  level: extended
+  name: signing_id
+  normalize: []
+  original_fieldset: code_signature
+  short: The identifier used to sign the process.
+  type: keyword
 process.parent.code_signature.status:
   dashed_name: process-parent-code-signature-status
   description: 'Additional information about the certificate status.
@@ -5500,6 +5605,21 @@ process.parent.code_signature.subject_name:
   original_fieldset: code_signature
   short: Subject name of the code signer
   type: keyword
+process.parent.code_signature.team_id:
+  dashed_name: process-parent-code-signature-team-id
+  description: 'The team identifier used to sign the process.
+
+    This is used to identify the team or vendor of a software product. The field is
+    relevant to Apple *OS only.'
+  example: EQHXZ8M8AV
+  flat_name: process.parent.code_signature.team_id
+  ignore_above: 1024
+  level: extended
+  name: team_id
+  normalize: []
+  original_fieldset: code_signature
+  short: The team identifier used to sign the process.
+  type: keyword
 process.parent.code_signature.trusted:
   dashed_name: process-parent-code-signature-trusted
   description: 'Stores the trust status of the certificate chain.
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index 482bcf618a..24ddb6be63 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -889,6 +889,20 @@ code_signature:
       normalize: []
       short: Boolean to capture if a signature is present.
       type: boolean
+    code_signature.signing_id:
+      dashed_name: code-signature-signing-id
+      description: 'The identifier used to sign the process.
+
+        This is used to identify the application manufactured by a software vendor.
+        The field is relevant to Apple *OS only.'
+      example: com.apple.xpc.proxy
+      flat_name: code_signature.signing_id
+      ignore_above: 1024
+      level: extended
+      name: signing_id
+      normalize: []
+      short: The identifier used to sign the process.
+      type: keyword
     code_signature.status:
       dashed_name: code-signature-status
       description: 'Additional information about the certificate status.
@@ -915,6 +929,20 @@ code_signature:
       normalize: []
       short: Subject name of the code signer
       type: keyword
+    code_signature.team_id:
+      dashed_name: code-signature-team-id
+      description: 'The team identifier used to sign the process.
+
+        This is used to identify the team or vendor of a software product. The field
+        is relevant to Apple *OS only.'
+      example: EQHXZ8M8AV
+      flat_name: code_signature.team_id
+      ignore_above: 1024
+      level: extended
+      name: team_id
+      normalize: []
+      short: The team identifier used to sign the process.
+      type: keyword
     code_signature.trusted:
       dashed_name: code-signature-trusted
       description: 'Stores the trust status of the certificate chain.
@@ -1548,6 +1576,21 @@ dll:
       original_fieldset: code_signature
       short: Boolean to capture if a signature is present.
       type: boolean
+    dll.code_signature.signing_id:
+      dashed_name: dll-code-signature-signing-id
+      description: 'The identifier used to sign the process.
+
+        This is used to identify the application manufactured by a software vendor.
+        The field is relevant to Apple *OS only.'
+      example: com.apple.xpc.proxy
+      flat_name: dll.code_signature.signing_id
+      ignore_above: 1024
+      level: extended
+      name: signing_id
+      normalize: []
+      original_fieldset: code_signature
+      short: The identifier used to sign the process.
+      type: keyword
     dll.code_signature.status:
       dashed_name: dll-code-signature-status
       description: 'Additional information about the certificate status.
@@ -1576,6 +1619,21 @@ dll:
       original_fieldset: code_signature
       short: Subject name of the code signer
       type: keyword
+    dll.code_signature.team_id:
+      dashed_name: dll-code-signature-team-id
+      description: 'The team identifier used to sign the process.
+
+        This is used to identify the team or vendor of a software product. The field
+        is relevant to Apple *OS only.'
+      example: EQHXZ8M8AV
+      flat_name: dll.code_signature.team_id
+      ignore_above: 1024
+      level: extended
+      name: team_id
+      normalize: []
+      original_fieldset: code_signature
+      short: The team identifier used to sign the process.
+      type: keyword
     dll.code_signature.trusted:
       dashed_name: dll-code-signature-trusted
       description: 'Stores the trust status of the certificate chain.
@@ -2985,6 +3043,21 @@ file:
       original_fieldset: code_signature
       short: Boolean to capture if a signature is present.
       type: boolean
+    file.code_signature.signing_id:
+      dashed_name: file-code-signature-signing-id
+      description: 'The identifier used to sign the process.
+
+        This is used to identify the application manufactured by a software vendor.
+        The field is relevant to Apple *OS only.'
+      example: com.apple.xpc.proxy
+      flat_name: file.code_signature.signing_id
+      ignore_above: 1024
+      level: extended
+      name: signing_id
+      normalize: []
+      original_fieldset: code_signature
+      short: The identifier used to sign the process.
+      type: keyword
     file.code_signature.status:
       dashed_name: file-code-signature-status
       description: 'Additional information about the certificate status.
@@ -3013,6 +3086,21 @@ file:
       original_fieldset: code_signature
       short: Subject name of the code signer
       type: keyword
+    file.code_signature.team_id:
+      dashed_name: file-code-signature-team-id
+      description: 'The team identifier used to sign the process.
+
+        This is used to identify the team or vendor of a software product. The field
+        is relevant to Apple *OS only.'
+      example: EQHXZ8M8AV
+      flat_name: file.code_signature.team_id
+      ignore_above: 1024
+      level: extended
+      name: team_id
+      normalize: []
+      original_fieldset: code_signature
+      short: The team identifier used to sign the process.
+      type: keyword
     file.code_signature.trusted:
       dashed_name: file-code-signature-trusted
       description: 'Stores the trust status of the certificate chain.
@@ -6357,6 +6445,21 @@ process:
       original_fieldset: code_signature
       short: Boolean to capture if a signature is present.
       type: boolean
+    process.code_signature.signing_id:
+      dashed_name: process-code-signature-signing-id
+      description: 'The identifier used to sign the process.
+
+        This is used to identify the application manufactured by a software vendor.
+        The field is relevant to Apple *OS only.'
+      example: com.apple.xpc.proxy
+      flat_name: process.code_signature.signing_id
+      ignore_above: 1024
+      level: extended
+      name: signing_id
+      normalize: []
+      original_fieldset: code_signature
+      short: The identifier used to sign the process.
+      type: keyword
     process.code_signature.status:
       dashed_name: process-code-signature-status
       description: 'Additional information about the certificate status.
@@ -6385,6 +6488,21 @@ process:
       original_fieldset: code_signature
       short: Subject name of the code signer
       type: keyword
+    process.code_signature.team_id:
+      dashed_name: process-code-signature-team-id
+      description: 'The team identifier used to sign the process.
+
+        This is used to identify the team or vendor of a software product. The field
+        is relevant to Apple *OS only.'
+      example: EQHXZ8M8AV
+      flat_name: process.code_signature.team_id
+      ignore_above: 1024
+      level: extended
+      name: team_id
+      normalize: []
+      original_fieldset: code_signature
+      short: The team identifier used to sign the process.
+      type: keyword
     process.code_signature.trusted:
       dashed_name: process-code-signature-trusted
       description: 'Stores the trust status of the certificate chain.
@@ -6596,6 +6714,21 @@ process:
       original_fieldset: code_signature
       short: Boolean to capture if a signature is present.
       type: boolean
+    process.parent.code_signature.signing_id:
+      dashed_name: process-parent-code-signature-signing-id
+      description: 'The identifier used to sign the process.
+
+        This is used to identify the application manufactured by a software vendor.
+        The field is relevant to Apple *OS only.'
+      example: com.apple.xpc.proxy
+      flat_name: process.parent.code_signature.signing_id
+      ignore_above: 1024
+      level: extended
+      name: signing_id
+      normalize: []
+      original_fieldset: code_signature
+      short: The identifier used to sign the process.
+      type: keyword
     process.parent.code_signature.status:
       dashed_name: process-parent-code-signature-status
       description: 'Additional information about the certificate status.
@@ -6624,6 +6757,21 @@ process:
       original_fieldset: code_signature
       short: Subject name of the code signer
       type: keyword
+    process.parent.code_signature.team_id:
+      dashed_name: process-parent-code-signature-team-id
+      description: 'The team identifier used to sign the process.
+
+        This is used to identify the team or vendor of a software product. The field
+        is relevant to Apple *OS only.'
+      example: EQHXZ8M8AV
+      flat_name: process.parent.code_signature.team_id
+      ignore_above: 1024
+      level: extended
+      name: team_id
+      normalize: []
+      original_fieldset: code_signature
+      short: The team identifier used to sign the process.
+      type: keyword
     process.parent.code_signature.trusted:
       dashed_name: process-parent-code-signature-trusted
       description: 'Stores the trust status of the certificate chain.
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json
index b126de6d78..02dc242340 100644
--- a/generated/elasticsearch/6/template.json
+++ b/generated/elasticsearch/6/template.json
@@ -517,6 +517,10 @@
                 "exists": {
                   "type": "boolean"
                 },
+                "signing_id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "status": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -525,6 +529,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "team_id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "trusted": {
                   "type": "boolean"
                 },
@@ -829,6 +837,10 @@
                 "exists": {
                   "type": "boolean"
                 },
+                "signing_id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "status": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -837,6 +849,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "team_id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "trusted": {
                   "type": "boolean"
                 },
@@ -1873,6 +1889,10 @@
                 "exists": {
                   "type": "boolean"
                 },
+                "signing_id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "status": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -1881,6 +1901,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "team_id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "trusted": {
                   "type": "boolean"
                 },
@@ -1964,6 +1988,10 @@
                     "exists": {
                       "type": "boolean"
                     },
+                    "signing_id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
                     "status": {
                       "ignore_above": 1024,
                       "type": "keyword"
@@ -1972,6 +2000,10 @@
                       "ignore_above": 1024,
                       "type": "keyword"
                     },
+                    "team_id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
                     "trusted": {
                       "type": "boolean"
                     },
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json
index f70782f320..43a7d275c6 100644
--- a/generated/elasticsearch/7/template.json
+++ b/generated/elasticsearch/7/template.json
@@ -516,6 +516,10 @@
               "exists": {
                 "type": "boolean"
               },
+              "signing_id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "status": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -524,6 +528,10 @@
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "team_id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "trusted": {
                 "type": "boolean"
               },
@@ -828,6 +836,10 @@
               "exists": {
                 "type": "boolean"
               },
+              "signing_id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "status": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -836,6 +848,10 @@
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "team_id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "trusted": {
                 "type": "boolean"
               },
@@ -1872,6 +1888,10 @@
               "exists": {
                 "type": "boolean"
               },
+              "signing_id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "status": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -1880,6 +1900,10 @@
                 "ignore_above": 1024,
                 "type": "keyword"
               },
+              "team_id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "trusted": {
                 "type": "boolean"
               },
@@ -1963,6 +1987,10 @@
                   "exists": {
                     "type": "boolean"
                   },
+                  "signing_id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
                   "status": {
                     "ignore_above": 1024,
                     "type": "keyword"
@@ -1971,6 +1999,10 @@
                     "ignore_above": 1024,
                     "type": "keyword"
                   },
+                  "team_id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
                   "trusted": {
                     "type": "boolean"
                   },
diff --git a/generated/elasticsearch/component/dll.json b/generated/elasticsearch/component/dll.json
index 00e5bc3428..29a41ba873 100644
--- a/generated/elasticsearch/component/dll.json
+++ b/generated/elasticsearch/component/dll.json
@@ -13,6 +13,10 @@
                 "exists": {
                   "type": "boolean"
                 },
+                "signing_id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "status": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -21,6 +25,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "team_id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "trusted": {
                   "type": "boolean"
                 },
diff --git a/generated/elasticsearch/component/file.json b/generated/elasticsearch/component/file.json
index ddabf1bb60..fa355f9f35 100644
--- a/generated/elasticsearch/component/file.json
+++ b/generated/elasticsearch/component/file.json
@@ -20,6 +20,10 @@
                 "exists": {
                   "type": "boolean"
                 },
+                "signing_id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "status": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -28,6 +32,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "team_id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "trusted": {
                   "type": "boolean"
                 },
diff --git a/generated/elasticsearch/component/process.json b/generated/elasticsearch/component/process.json
index 4983b405b0..42f1df4ba3 100644
--- a/generated/elasticsearch/component/process.json
+++ b/generated/elasticsearch/component/process.json
@@ -20,6 +20,10 @@
                 "exists": {
                   "type": "boolean"
                 },
+                "signing_id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "status": {
                   "ignore_above": 1024,
                   "type": "keyword"
@@ -28,6 +32,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "team_id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "trusted": {
                   "type": "boolean"
                 },
@@ -111,6 +119,10 @@
                     "exists": {
                       "type": "boolean"
                     },
+                    "signing_id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
                     "status": {
                       "ignore_above": 1024,
                       "type": "keyword"
@@ -119,6 +131,10 @@
                       "ignore_above": 1024,
                       "type": "keyword"
                     },
+                    "team_id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
                     "trusted": {
                       "type": "boolean"
                     },
diff --git a/schemas/code_signature.yml b/schemas/code_signature.yml
index 1b22434eb1..e86cf88827 100644
--- a/schemas/code_signature.yml
+++ b/schemas/code_signature.yml
@@ -57,3 +57,25 @@
         This is useful for logging cryptographic errors with the certificate validity or trust status.
         Leave unpopulated if the validity or trust of the certificate was unchecked.
       example: ERROR_UNTRUSTED_ROOT
+      
+    - name: team_id
+      level: extended
+      type: keyword
+      short: The team identifier used to sign the process.
+      description: >
+        The team identifier used to sign the process.
+
+        This is used to identify the team or vendor of a software product.
+        The field is relevant to Apple *OS only.
+      example: EQHXZ8M8AV
+      
+    - name: signing_id
+      level: extended
+      type: keyword
+      short: The identifier used to sign the process.
+      description: >
+        The identifier used to sign the process.
+
+        This is used to identify the application manufactured by a software vendor.
+        The field is relevant to Apple *OS only.
+      example: com.apple.xpc.proxy

From cc9ad492e79f0eedbe8c61868b28aaafa66e1759 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Wed, 17 Feb 2021 22:03:56 -0600
Subject: [PATCH 81/90] Stage 3 changes for RFC 0007 - remove beta attribute
 (#1271) (#1273)

---
 CHANGELOG.next.md                         |  4 ++++
 docs/field-details.asciidoc               | 15 ++++++---------
 experimental/generated/ecs/ecs_nested.yml | 12 +++---------
 generated/ecs/ecs_nested.yml              | 12 +++---------
 schemas/user.yml                          |  3 ---
 5 files changed, 16 insertions(+), 30 deletions(-)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index bb9e931c49..002b86386e 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -9,6 +9,10 @@ Thanks, you're awesome :-) -->
 ## Unreleased
 
 ### Schema Changes
+
+#### Improvements
+
+* `user.changes.*`, `user.effective.*`, and `user.target.*` field reuses are GA. #1271
 ### Tooling and Artifact Changes
 
 #### Breaking changes
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index 18fd6dd687..c9f424e409 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -7990,16 +7990,14 @@ Note also that the `user` fields may be used directly at the root of the events.
 // ===============================================================
 
 
-| <<ecs-user,user.changes.*>>| beta:[ Reusing the user fields in this location is currently considered beta.]
-
-Fields to describe the user relevant to the event.
+| <<ecs-user,user.changes.*>>
+| Fields to describe the user relevant to the event.
 
 // ===============================================================
 
 
-| <<ecs-user,user.effective.*>>| beta:[ Reusing the user fields in this location is currently considered beta.]
-
-Fields to describe the user relevant to the event.
+| <<ecs-user,user.effective.*>>
+| Fields to describe the user relevant to the event.
 
 // ===============================================================
 
@@ -8010,9 +8008,8 @@ Fields to describe the user relevant to the event.
 // ===============================================================
 
 
-| <<ecs-user,user.target.*>>| beta:[ Reusing the user fields in this location is currently considered beta.]
-
-Fields to describe the user relevant to the event.
+| <<ecs-user,user.target.*>>
+| Fields to describe the user relevant to the event.
 
 // ===============================================================
 
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index 5c39e8b51f..cd00f781a0 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -12570,31 +12570,25 @@ user:
       full: source.user
     - as: target
       at: user
-      beta: Reusing the user fields in this location is currently considered beta.
       full: user.target
     - as: effective
       at: user
-      beta: Reusing the user fields in this location is currently considered beta.
       full: user.effective
     - as: changes
       at: user
-      beta: Reusing the user fields in this location is currently considered beta.
       full: user.changes
     top_level: true
   reused_here:
   - full: user.group
     schema_name: group
     short: User's group relevant to the event.
-  - beta: Reusing the user fields in this location is currently considered beta.
-    full: user.target
+  - full: user.target
     schema_name: user
     short: Fields to describe the user relevant to the event.
-  - beta: Reusing the user fields in this location is currently considered beta.
-    full: user.effective
+  - full: user.effective
     schema_name: user
     short: Fields to describe the user relevant to the event.
-  - beta: Reusing the user fields in this location is currently considered beta.
-    full: user.changes
+  - full: user.changes
     schema_name: user
     short: Fields to describe the user relevant to the event.
   short: Fields to describe the user relevant to the event.
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index 24ddb6be63..f1da0bd933 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -10777,31 +10777,25 @@ user:
       full: source.user
     - as: target
       at: user
-      beta: Reusing the user fields in this location is currently considered beta.
       full: user.target
     - as: effective
       at: user
-      beta: Reusing the user fields in this location is currently considered beta.
       full: user.effective
     - as: changes
       at: user
-      beta: Reusing the user fields in this location is currently considered beta.
       full: user.changes
     top_level: true
   reused_here:
   - full: user.group
     schema_name: group
     short: User's group relevant to the event.
-  - beta: Reusing the user fields in this location is currently considered beta.
-    full: user.target
+  - full: user.target
     schema_name: user
     short: Fields to describe the user relevant to the event.
-  - beta: Reusing the user fields in this location is currently considered beta.
-    full: user.effective
+  - full: user.effective
     schema_name: user
     short: Fields to describe the user relevant to the event.
-  - beta: Reusing the user fields in this location is currently considered beta.
-    full: user.changes
+  - full: user.changes
     schema_name: user
     short: Fields to describe the user relevant to the event.
   short: Fields to describe the user relevant to the event.
diff --git a/schemas/user.yml b/schemas/user.yml
index 0fe7a32411..ce5a45e816 100644
--- a/schemas/user.yml
+++ b/schemas/user.yml
@@ -20,13 +20,10 @@
       - source
       - at: user
         as: target
-        beta: Reusing the user fields in this location is currently considered beta.
       - at: user
         as: effective
-        beta: Reusing the user fields in this location is currently considered beta.
       - at: user
         as: changes
-        beta: Reusing the user fields in this location is currently considered beta.
 
       # TODO Temporarily commented out to simplify initial rewrite review
 

From 40ee8d0c01267ac55d1fccda730c21ff403eb468 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Wed, 17 Feb 2021 22:31:57 -0600
Subject: [PATCH 82/90] Stage 1 experimental changes for RFC 0008 -
 threat.indicator fields (#1268) (#1274)

---
 CHANGELOG.next.md                             |    1 +
 experimental/generated/beats/fields.ecs.yml   |  813 +++++++++
 experimental/generated/csv/fields.csv         |  112 ++
 experimental/generated/ecs/ecs_flat.yml       | 1350 ++++++++++++++
 experimental/generated/ecs/ecs_nested.yml     | 1607 +++++++++++++++--
 .../generated/elasticsearch/7/template.json   |  492 +++++
 .../elasticsearch/component/threat.json       |  492 +++++
 experimental/schemas/as.yml                   |    4 +
 experimental/schemas/file.yml                 |    4 +
 experimental/schemas/geo.yml                  |    4 +
 experimental/schemas/hash.yml                 |    5 +
 experimental/schemas/pe.yml                   |    4 +
 experimental/schemas/registry.yml             |    4 +
 experimental/schemas/threat.yml               |  196 ++
 14 files changed, 4986 insertions(+), 102 deletions(-)
 create mode 100644 experimental/schemas/hash.yml
 create mode 100644 experimental/schemas/threat.yml

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 002b86386e..a3c3517daf 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -28,6 +28,7 @@ Thanks, you're awesome :-) -->
 * Added `geo.timezone`, `geo.postal_code`, and `geo.continent_code`. #1229
 * Extended `pe` fields added to experimental schema. #1256
 * Added `code_signature.team_id`, `code_signature.signing_id`. #1249
+* Add `threat.indicator` fields to experimental schema. #1268
 
 #### Improvements
 
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index 1608380522..b3a81e12e2 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -6075,6 +6075,819 @@
         can be provided by detecting systems, evaluated at ingest time, or retrospectively
         tagged to events.
       example: MITRE ATT&CK
+    - name: indicator.as.number
+      level: extended
+      type: long
+      description: Unique number allocated to the autonomous system. The autonomous
+        system number (ASN) uniquely identifies each network on the Internet.
+      example: 15169
+      default_field: false
+    - name: indicator.as.organization.name
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: Organization name.
+      example: Google LLC
+      default_field: false
+    - name: indicator.confidence
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: "Identifies the confidence rating assigned by the provider using\
+        \ STIX confidence scales.\nExpected values:\n  * Not Specified, None, Low,\
+        \ Medium, High\n  * 0-10\n  * Admirality Scale (1-6)\n  * DNI Scale (5-95)\n\
+        \  * WEP Scale (Impossible - Certain)"
+      example: High
+      default_field: false
+    - name: indicator.dataset
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Identifies the name of specific dataset from the intelligence source.
+      example: threatintel.abusemalware
+      default_field: false
+    - name: indicator.description
+      level: extended
+      type: wildcard
+      description: Describes the type of action conducted by the threat.
+      example: IP x.x.x.x was observed delivering the Angler EK.
+      default_field: false
+    - name: indicator.domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Identifies a threat indicator as a domain (irrespective of direction).
+      example: example.com
+      default_field: false
+    - name: indicator.email.address
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Identifies a threat indicator as an email address (irrespective
+        of direction).
+      example: phish@example.com
+      default_field: false
+    - name: indicator.file.accessed
+      level: extended
+      type: date
+      description: 'Last time the file was accessed.
+
+        Note that not all filesystems keep track of access time.'
+      default_field: false
+    - name: indicator.file.attributes
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Array of file attributes.
+
+        Attributes names will vary by platform. Here''s a non-exhaustive list of values
+        that are expected in this field: archive, compressed, directory, encrypted,
+        execute, hidden, read, readonly, system, write.'
+      example: '["readonly", "system"]'
+      default_field: false
+    - name: indicator.file.code_signature.exists
+      level: core
+      type: boolean
+      description: Boolean to capture if a signature is present.
+      example: 'true'
+      default_field: false
+    - name: indicator.file.code_signature.signing_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The identifier used to sign the process.
+
+        This is used to identify the application manufactured by a software vendor.
+        The field is relevant to Apple *OS only.'
+      example: com.apple.xpc.proxy
+      default_field: false
+    - name: indicator.file.code_signature.status
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Additional information about the certificate status.
+
+        This is useful for logging cryptographic errors with the certificate validity
+        or trust status. Leave unpopulated if the validity or trust of the certificate
+        was unchecked.'
+      example: ERROR_UNTRUSTED_ROOT
+      default_field: false
+    - name: indicator.file.code_signature.subject_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Subject name of the code signer
+      example: Microsoft Corporation
+      default_field: false
+    - name: indicator.file.code_signature.team_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The team identifier used to sign the process.
+
+        This is used to identify the team or vendor of a software product. The field
+        is relevant to Apple *OS only.'
+      example: EQHXZ8M8AV
+      default_field: false
+    - name: indicator.file.code_signature.trusted
+      level: extended
+      type: boolean
+      description: 'Stores the trust status of the certificate chain.
+
+        Validating the trust of the certificate chain may be complicated, and this
+        field should only be populated by tools that actively check the status.'
+      example: 'true'
+      default_field: false
+    - name: indicator.file.code_signature.valid
+      level: extended
+      type: boolean
+      description: 'Boolean to capture if the digital signature is verified against
+        the binary content.
+
+        Leave unpopulated if a certificate was unchecked.'
+      example: 'true'
+      default_field: false
+    - name: indicator.file.created
+      level: extended
+      type: date
+      description: 'File creation time.
+
+        Note that not all filesystems store the creation time.'
+      default_field: false
+    - name: indicator.file.ctime
+      level: extended
+      type: date
+      description: 'Last time the file attributes or metadata changed.
+
+        Note that changes to the file content will update `mtime`. This implies `ctime`
+        will be adjusted at the same time, since `mtime` is an attribute of the file.'
+      default_field: false
+    - name: indicator.file.device
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Device that is the source of the file.
+      example: sda
+      default_field: false
+    - name: indicator.file.directory
+      level: extended
+      type: wildcard
+      description: Directory where the file is located. It should include the drive
+        letter, when appropriate.
+      example: /home/alice
+      default_field: false
+    - name: indicator.file.drive_letter
+      level: extended
+      type: keyword
+      ignore_above: 1
+      description: 'Drive letter where the file is located. This field is only relevant
+        on Windows.
+
+        The value should be uppercase, and not include the colon.'
+      example: C
+      default_field: false
+    - name: indicator.file.extension
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'File extension, excluding the leading dot.
+
+        Note that when the file name has multiple extensions (example.tar.gz), only
+        the last one should be captured ("gz", not "tar.gz").'
+      example: png
+      default_field: false
+    - name: indicator.file.gid
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Primary group ID (GID) of the file.
+      example: '1001'
+      default_field: false
+    - name: indicator.file.group
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Primary group name of the file.
+      example: alice
+      default_field: false
+    - name: indicator.file.inode
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Inode representing the file in the filesystem.
+      example: '256383'
+      default_field: false
+    - name: indicator.file.mime_type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: MIME type should identify the format of the file or stream of bytes
+        using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA
+        official types], where possible. When more than one type is applicable, the
+        most specific type should be used.
+      default_field: false
+    - name: indicator.file.mode
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Mode of the file in octal representation.
+      example: '0640'
+      default_field: false
+    - name: indicator.file.mtime
+      level: extended
+      type: date
+      description: Last time the file content was modified.
+      default_field: false
+    - name: indicator.file.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the file including the extension, without the directory.
+      example: example.png
+      default_field: false
+    - name: indicator.file.owner
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: File owner's username.
+      example: alice
+      default_field: false
+    - name: indicator.file.path
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: Full path to the file, including the file name. It should include
+        the drive letter, when appropriate.
+      example: /home/alice/example.png
+      default_field: false
+    - name: indicator.file.size
+      level: extended
+      type: long
+      description: 'File size in bytes.
+
+        Only relevant when `file.type` is "file".'
+      example: 16384
+      default_field: false
+    - name: indicator.file.target_path
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: Target path for symlinks.
+      default_field: false
+    - name: indicator.file.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: File type (file, dir, or symlink).
+      example: file
+      default_field: false
+    - name: indicator.file.uid
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The user ID (UID) or security identifier (SID) of the file owner.
+      example: '1001'
+      default_field: false
+    - name: indicator.first_seen
+      level: extended
+      type: date
+      description: The date and time when intelligence source first reported sighting
+        this indicator.
+      example: '2020-11-05T17:25:47.000Z'
+      default_field: false
+    - name: indicator.geo.city_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: City name.
+      example: Montreal
+      default_field: false
+    - name: indicator.geo.continent_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Two-letter code representing continent's name.
+      example: NA
+      default_field: false
+    - name: indicator.geo.continent_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Name of the continent.
+      example: North America
+      default_field: false
+    - name: indicator.geo.country_iso_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Country ISO code.
+      example: CA
+      default_field: false
+    - name: indicator.geo.country_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Country name.
+      example: Canada
+      default_field: false
+    - name: indicator.geo.location
+      level: core
+      type: geo_point
+      description: Longitude and latitude.
+      example: '{ "lon": -73.614830, "lat": 45.505918 }'
+      default_field: false
+    - name: indicator.geo.name
+      level: extended
+      type: wildcard
+      description: 'User-defined description of a location, at the level of granularity
+        they care about.
+
+        Could be the name of their data centers, the floor number, if this describes
+        a local physical entity, city names.
+
+        Not typically used in automated geolocation.'
+      example: boston-dc
+      default_field: false
+    - name: indicator.geo.postal_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      default_field: false
+    - name: indicator.geo.region_iso_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Region ISO code.
+      example: CA-QC
+      default_field: false
+    - name: indicator.geo.region_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Region name.
+      example: Quebec
+      default_field: false
+    - name: indicator.geo.timezone
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      default_field: false
+    - name: indicator.hash.md5
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: MD5 hash.
+      default_field: false
+    - name: indicator.hash.sha1
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SHA1 hash.
+      default_field: false
+    - name: indicator.hash.sha256
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SHA256 hash.
+      default_field: false
+    - name: indicator.hash.sha512
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SHA512 hash.
+      default_field: false
+    - name: indicator.hash.ssdeep
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SSDEEP hash.
+      default_field: false
+    - name: indicator.ip
+      level: extended
+      type: ip
+      description: Identifies a threat indicator as an IP address (irrespective of
+        direction).
+      example: 1.2.3.4
+      default_field: false
+    - name: indicator.last_seen
+      level: extended
+      type: date
+      description: The date and time when intelligence source last reported sighting
+        this indicator.
+      example: '2020-11-05T17:25:47.000Z'
+      default_field: false
+    - name: indicator.marking.tlp
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: "Traffic Light Protocol sharing markings.\nExpected values are:\n\
+        \  * White\n  * Green\n  * Amber\n  * Red"
+      example: White
+      default_field: false
+    - name: indicator.matched.atomic
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Identifies the atomic indicator that matched a local environment
+        endpoint or network event.
+      example: example.com
+      default_field: false
+    - name: indicator.matched.field
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Identifies the field of the atomic indicator that matched a local
+        environment endpoint or network event.
+      example: file.hash.sha256
+      default_field: false
+    - name: indicator.matched.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Identifies the type of the atomic indicator that matched a local
+        environment endpoint or network event.
+      example: domain-name
+      default_field: false
+    - name: indicator.module
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Identifies the name of specific module this data is coming from.
+      example: threatintel
+      default_field: false
+    - name: indicator.pe.architecture
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: CPU architecture target for the file.
+      example: x64
+      default_field: false
+    - name: indicator.pe.authentihash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Authentihash of the PE file.
+      example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
+      default_field: false
+    - name: indicator.pe.company
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal company name of the file, provided at compile-time.
+      example: Microsoft Corporation
+      default_field: false
+    - name: indicator.pe.compile_timestamp
+      level: extended
+      type: date
+      description: Compile timestamp of the PE file.
+      example: '2020-11-05T17:25:47.000Z'
+      default_field: false
+    - name: indicator.pe.compiler.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the compiler
+      example: Clang
+      default_field: false
+    - name: indicator.pe.compiler.version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Version of the compiler.
+      example: 11.0.0
+      default_field: false
+    - name: indicator.pe.creation_date
+      level: extended
+      type: date
+      description: Extracted when possible from the file's metadata. Indicates when
+        it was built or compiled. It can also be faked by malware creators.
+      example: '2020-11-05T17:25:47.000Z'
+      default_field: false
+    - name: indicator.pe.debug
+      level: extended
+      type: nested
+      description: 'An array containing an object for each debug entry, if present.
+
+        The expected fields for this nested object fall under the `debug.` prefix.'
+      default_field: false
+    - name: indicator.pe.debug.offset
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Debug offset information.
+      example: 1296336
+      default_field: false
+    - name: indicator.pe.debug.size
+      level: extended
+      type: long
+      format: bytes
+      description: Size of the debug information.
+      example: 816
+      default_field: false
+    - name: indicator.pe.debug.timestamp
+      level: extended
+      type: date
+      description: Timestamp of the debug information.
+      example: '2020-11-05T17:25:47.000Z'
+      default_field: false
+    - name: indicator.pe.debug.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Information type generated by the debug options.
+      example: IMAGE_DEBUG_TYPE_POGO
+      default_field: false
+    - name: indicator.pe.description
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal description of the file, provided at compile-time.
+      example: Paint
+      default_field: false
+    - name: indicator.pe.entry_point
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Relative byte offset to the base of the PE file.
+      example: 25856
+      default_field: false
+    - name: indicator.pe.exports
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of symbols exported by PE
+      example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
+      default_field: false
+    - name: indicator.pe.file_version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal version of the file, provided at compile-time.
+      example: 6.3.9600.17415
+      default_field: false
+    - name: indicator.pe.icon.hash.dhash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Difference Hash (dhash) to find files with a visually similar icon
+        or thumbnail.
+      example: b806e17c8e330d82
+      default_field: false
+    - name: indicator.pe.imphash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'A hash of the imports in a PE file. An imphash -- or import hash
+        -- can be used to fingerprint binaries even after recompilation or other code-level
+        transformations have occurred, which would change more traditional hash values.
+
+        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+      example: 0c6803c4e922103c4dca5963aad36ddf
+      default_field: false
+    - name: indicator.pe.imports
+      level: extended
+      type: flattened
+      description: List of all imported functions
+      example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
+        }'
+      default_field: false
+    - name: indicator.pe.machine_type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Machine type of the PE file.
+      example: Intel 386 or later, and compatibles
+      default_field: false
+    - name: indicator.pe.original_file_name
+      level: extended
+      type: wildcard
+      description: Internal name of the file, provided at compile-time.
+      example: MSPAINT.EXE
+      default_field: false
+    - name: indicator.pe.packers
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of packers and tools used.
+      example: '["ASPack v2.12", ".NET executable"]'
+      default_field: false
+    - name: indicator.pe.product
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal product name of the file, provided at compile-time.
+      example: "Microsoft\xAE Windows\xAE Operating System"
+      default_field: false
+    - name: indicator.pe.resources
+      level: extended
+      type: nested
+      description: 'An array containing an object for each PE resource, if present.
+
+        The expected fields for this nested object fall under the `resources.` prefix.'
+      default_field: false
+    - name: indicator.pe.resources.chi2
+      level: extended
+      type: long
+      description: Chi-square probability distribution.
+      example: -1
+      default_field: false
+    - name: indicator.pe.resources.entropy
+      level: extended
+      type: long
+      description: Measurement of entropy randomness in the resources section.
+      example: 0, 1
+      default_field: false
+    - name: indicator.pe.resources.filetype
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: File type of the resources section.
+      example: Data
+      default_field: false
+    - name: indicator.pe.resources.language
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Language identification.
+      example: CHINESE SIMPLIFIED
+      default_field: false
+    - name: indicator.pe.resources.sha256
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SHA256 hash of resources section.
+      example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+      default_field: false
+    - name: indicator.pe.resources.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Digest of resource types.
+      example: '["RT_VERSION", "RT_MANIFEST"]'
+      default_field: false
+    - name: indicator.pe.rich_header.hash.md5
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: MD5 hash of the header for the PE file.
+      example: 5aa1aa0f2b4be70397a1e9e2b87627cd
+      default_field: false
+    - name: indicator.pe.sections
+      level: extended
+      type: nested
+      description: Data about sections of compiled binary PE
+      default_field: false
+    - name: indicator.pe.sections.chi2
+      level: extended
+      type: long
+      description: Chi-square probability distribution.
+      example: 3027194
+      default_field: false
+    - name: indicator.pe.sections.entropy
+      level: extended
+      type: float
+      description: Measurement of entropy randomness in the file.
+      example: 6.24
+      default_field: false
+    - name: indicator.pe.sections.flags
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Section flags of the file.
+      example: rx
+      default_field: false
+    - name: indicator.pe.sections.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Section names of the file.
+      example: .text, .data
+      default_field: false
+    - name: indicator.pe.sections.raw_size
+      level: extended
+      type: long
+      format: bytes
+      description: Size of the section or the dize of the initialized data on disk.
+      example: 198144
+      default_field: false
+    - name: indicator.pe.sections.virtual_address
+      level: extended
+      type: long
+      format: bytes
+      description: Virtual address available to the file.
+      example: 8192
+      default_field: false
+    - name: indicator.port
+      level: extended
+      type: long
+      description: Identifies a threat indicator as a port number (irrespective of
+        direction).
+      example: 443
+      default_field: false
+    - name: indicator.provider
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Identifies the name of the intelligence provider.
+      example: VirusTotal
+      default_field: false
+    - name: indicator.registry.data.bytes
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Original bytes written with base64 encoding.
+
+        For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
+        corresponds to the data pointed by `lp_data`. This is optional but provides
+        better recoverability and should be populated for REG_BINARY encoded values.'
+      example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
+      default_field: false
+    - name: indicator.registry.data.strings
+      level: core
+      type: wildcard
+      description: 'Content when writing string types.
+
+        Populated as an array when writing string data to the registry. For single
+        string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with
+        one string. For sequences of string with REG_MULTI_SZ, this array will be
+        variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should
+        be populated with the decimal representation (e.g `"1"`).'
+      example: '["C:\rta\red_ttp\bin\myapp.exe"]'
+      default_field: false
+    - name: indicator.registry.data.type
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Standard registry type for encoding contents
+      example: REG_SZ
+      default_field: false
+    - name: indicator.registry.hive
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Abbreviated name for the hive.
+      example: HKLM
+      default_field: false
+    - name: indicator.registry.key
+      level: core
+      type: wildcard
+      description: Hive-relative path of keys.
+      example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
+      default_field: false
+    - name: indicator.registry.path
+      level: core
+      type: wildcard
+      description: Full path, including hive, key and value
+      example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
+        Options\winword.exe\Debugger
+      default_field: false
+    - name: indicator.registry.value
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Name of the value written.
+      example: Debugger
+      default_field: false
+    - name: indicator.scanner_stats
+      level: extended
+      type: long
+      description: Count of AV/EDR vendors that successfully detected malicious file
+        or URL.
+      example: 4
+      default_field: false
+    - name: indicator.sightings
+      level: extended
+      type: long
+      description: Number of times this indicator was observed conducting threat activity.
+      example: 20
+      default_field: false
+    - name: indicator.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\
+        Expected values\n  * autonomous-system\n  * artifact\n  * directory\n  * domain-name\n\
+        \  * email-addr\n  * file\n  * ipv4-addr\n  * ipv6-addr\n  * mac-addr\n  *\
+        \ mutex\n  * process\n  * software\n  * url\n  * user-account\n  * windows-registry-key\n\
+        \  * x-509-certificate"
+      example: ipv4-addr
+      default_field: false
     - name: tactic.id
       level: extended
       type: keyword
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
index e21b1815e0..b9b7569221 100644
--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -706,6 +706,118 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.9.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace.
 1.9.0-dev+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework.
+1.9.0-dev+exp,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.9.0-dev+exp,true,threat,threat.indicator.as.organization.name,wildcard,extended,,Google LLC,Organization name.
+1.9.0-dev+exp,true,threat,threat.indicator.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.9.0-dev+exp,true,threat,threat.indicator.confidence,keyword,extended,,High,Indicator confidence rating
+1.9.0-dev+exp,true,threat,threat.indicator.dataset,keyword,extended,,threatintel.abusemalware,Indicator dataset
+1.9.0-dev+exp,true,threat,threat.indicator.description,wildcard,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description
+1.9.0-dev+exp,true,threat,threat.indicator.domain,keyword,extended,,example.com,Indicator domain name
+1.9.0-dev+exp,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address
+1.9.0-dev+exp,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed.
+1.9.0-dev+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
+1.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
+1.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
+1.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.9.0-dev+exp,true,threat,threat.indicator.file.created,date,extended,,,File creation time.
+1.9.0-dev+exp,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed.
+1.9.0-dev+exp,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file.
+1.9.0-dev+exp,true,threat,threat.indicator.file.directory,wildcard,extended,,/home/alice,Directory where the file is located.
+1.9.0-dev+exp,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
+1.9.0-dev+exp,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
+1.9.0-dev+exp,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
+1.9.0-dev+exp,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file.
+1.9.0-dev+exp,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
+1.9.0-dev+exp,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
+1.9.0-dev+exp,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation.
+1.9.0-dev+exp,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified.
+1.9.0-dev+exp,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
+1.9.0-dev+exp,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username.
+1.9.0-dev+exp,true,threat,threat.indicator.file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+1.9.0-dev+exp,true,threat,threat.indicator.file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+1.9.0-dev+exp,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes.
+1.9.0-dev+exp,true,threat,threat.indicator.file.target_path,wildcard,extended,,,Target path for symlinks.
+1.9.0-dev+exp,true,threat,threat.indicator.file.target_path.text,text,extended,,,Target path for symlinks.
+1.9.0-dev+exp,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
+1.9.0-dev+exp,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
+1.9.0-dev+exp,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported.
+1.9.0-dev+exp,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0-dev+exp,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code.
+1.9.0-dev+exp,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.9.0-dev+exp,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.9.0-dev+exp,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name.
+1.9.0-dev+exp,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.9.0-dev+exp,true,threat,threat.indicator.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.9.0-dev+exp,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code.
+1.9.0-dev+exp,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.9.0-dev+exp,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0-dev+exp,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+1.9.0-dev+exp,true,threat,threat.indicator.hash.md5,keyword,extended,,,MD5 hash.
+1.9.0-dev+exp,true,threat,threat.indicator.hash.sha1,keyword,extended,,,SHA1 hash.
+1.9.0-dev+exp,true,threat,threat.indicator.hash.sha256,keyword,extended,,,SHA256 hash.
+1.9.0-dev+exp,true,threat,threat.indicator.hash.sha512,keyword,extended,,,SHA512 hash.
+1.9.0-dev+exp,true,threat,threat.indicator.hash.ssdeep,keyword,extended,,,SSDEEP hash.
+1.9.0-dev+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address
+1.9.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported.
+1.9.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,White,Indicator TLP marking
+1.9.0-dev+exp,true,threat,threat.indicator.matched.atomic,keyword,extended,,example.com,Indicator atomic match
+1.9.0-dev+exp,true,threat,threat.indicator.matched.field,keyword,extended,,file.hash.sha256,Indicator field match
+1.9.0-dev+exp,true,threat,threat.indicator.matched.type,keyword,extended,,domain-name,Indicator type match
+1.9.0-dev+exp,true,threat,threat.indicator.module,keyword,extended,,threatintel,Indicator module
+1.9.0-dev+exp,true,threat,threat.indicator.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.9.0-dev+exp,true,threat,threat.indicator.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
+1.9.0-dev+exp,true,threat,threat.indicator.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.9.0-dev+exp,true,threat,threat.indicator.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
+1.9.0-dev+exp,true,threat,threat.indicator.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
+1.9.0-dev+exp,true,threat,threat.indicator.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
+1.9.0-dev+exp,true,threat,threat.indicator.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
+1.9.0-dev+exp,true,threat,threat.indicator.pe.debug,nested,extended,array,,Debug information
+1.9.0-dev+exp,true,threat,threat.indicator.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
+1.9.0-dev+exp,true,threat,threat.indicator.pe.debug.size,long,extended,,816,Size of the debug information.
+1.9.0-dev+exp,true,threat,threat.indicator.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
+1.9.0-dev+exp,true,threat,threat.indicator.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
+1.9.0-dev+exp,true,threat,threat.indicator.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.9.0-dev+exp,true,threat,threat.indicator.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
+1.9.0-dev+exp,true,threat,threat.indicator.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
+1.9.0-dev+exp,true,threat,threat.indicator.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.9.0-dev+exp,true,threat,threat.indicator.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
+1.9.0-dev+exp,true,threat,threat.indicator.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.9.0-dev+exp,true,threat,threat.indicator.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
+1.9.0-dev+exp,true,threat,threat.indicator.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
+1.9.0-dev+exp,true,threat,threat.indicator.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.9.0-dev+exp,true,threat,threat.indicator.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
+1.9.0-dev+exp,true,threat,threat.indicator.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.9.0-dev+exp,true,threat,threat.indicator.pe.resources,nested,extended,array,,PE resource information
+1.9.0-dev+exp,true,threat,threat.indicator.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
+1.9.0-dev+exp,true,threat,threat.indicator.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
+1.9.0-dev+exp,true,threat,threat.indicator.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
+1.9.0-dev+exp,true,threat,threat.indicator.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
+1.9.0-dev+exp,true,threat,threat.indicator.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
+1.9.0-dev+exp,true,threat,threat.indicator.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
+1.9.0-dev+exp,true,threat,threat.indicator.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
+1.9.0-dev+exp,true,threat,threat.indicator.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
+1.9.0-dev+exp,true,threat,threat.indicator.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
+1.9.0-dev+exp,true,threat,threat.indicator.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
+1.9.0-dev+exp,true,threat,threat.indicator.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
+1.9.0-dev+exp,true,threat,threat.indicator.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
+1.9.0-dev+exp,true,threat,threat.indicator.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
+1.9.0-dev+exp,true,threat,threat.indicator.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
+1.9.0-dev+exp,true,threat,threat.indicator.port,long,extended,,443,Indicator port
+1.9.0-dev+exp,true,threat,threat.indicator.provider,keyword,extended,,VirusTotal,Identifies the name of the intelligence provider.
+1.9.0-dev+exp,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
+1.9.0-dev+exp,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
+1.9.0-dev+exp,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
+1.9.0-dev+exp,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
+1.9.0-dev+exp,true,threat,threat.indicator.registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
+1.9.0-dev+exp,true,threat,threat.indicator.registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
+1.9.0-dev+exp,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written.
+1.9.0-dev+exp,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics
+1.9.0-dev+exp,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed
+1.9.0-dev+exp,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator
 1.9.0-dev+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id.
 1.9.0-dev+exp,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic.
 1.9.0-dev+exp,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference.
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index a166c0bc37..f51f63864f 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -8975,6 +8975,1356 @@ threat.framework:
   normalize: []
   short: Threat classification framework.
   type: keyword
+threat.indicator.as.number:
+  dashed_name: threat-indicator-as-number
+  description: Unique number allocated to the autonomous system. The autonomous system
+    number (ASN) uniquely identifies each network on the Internet.
+  example: 15169
+  flat_name: threat.indicator.as.number
+  level: extended
+  name: number
+  normalize: []
+  original_fieldset: as
+  short: Unique number allocated to the autonomous system.
+  type: long
+threat.indicator.as.organization.name:
+  dashed_name: threat-indicator-as-organization-name
+  description: Organization name.
+  example: Google LLC
+  flat_name: threat.indicator.as.organization.name
+  level: extended
+  multi_fields:
+  - flat_name: threat.indicator.as.organization.name.text
+    name: text
+    norms: false
+    type: text
+  name: organization.name
+  normalize: []
+  original_fieldset: as
+  short: Organization name.
+  type: wildcard
+threat.indicator.confidence:
+  dashed_name: threat-indicator-confidence
+  description: "Identifies the confidence rating assigned by the provider using STIX\
+    \ confidence scales.\nExpected values:\n  * Not Specified, None, Low, Medium,\
+    \ High\n  * 0-10\n  * Admirality Scale (1-6)\n  * DNI Scale (5-95)\n  * WEP Scale\
+    \ (Impossible - Certain)"
+  example: High
+  flat_name: threat.indicator.confidence
+  ignore_above: 1024
+  level: extended
+  name: indicator.confidence
+  normalize: []
+  short: Indicator confidence rating
+  type: keyword
+threat.indicator.dataset:
+  dashed_name: threat-indicator-dataset
+  description: Identifies the name of specific dataset from the intelligence source.
+  example: threatintel.abusemalware
+  flat_name: threat.indicator.dataset
+  ignore_above: 1024
+  level: extended
+  name: indicator.dataset
+  normalize: []
+  short: Indicator dataset
+  type: keyword
+threat.indicator.description:
+  dashed_name: threat-indicator-description
+  description: Describes the type of action conducted by the threat.
+  example: IP x.x.x.x was observed delivering the Angler EK.
+  flat_name: threat.indicator.description
+  level: extended
+  name: indicator.description
+  normalize: []
+  short: Indicator description
+  type: wildcard
+threat.indicator.domain:
+  dashed_name: threat-indicator-domain
+  description: Identifies a threat indicator as a domain (irrespective of direction).
+  example: example.com
+  flat_name: threat.indicator.domain
+  ignore_above: 1024
+  level: extended
+  name: indicator.domain
+  normalize: []
+  short: Indicator domain name
+  type: keyword
+threat.indicator.email.address:
+  dashed_name: threat-indicator-email-address
+  description: Identifies a threat indicator as an email address (irrespective of
+    direction).
+  example: phish@example.com
+  flat_name: threat.indicator.email.address
+  ignore_above: 1024
+  level: extended
+  name: indicator.email.address
+  normalize: []
+  short: Indicator email address
+  type: keyword
+threat.indicator.file.accessed:
+  dashed_name: threat-indicator-file-accessed
+  description: 'Last time the file was accessed.
+
+    Note that not all filesystems keep track of access time.'
+  flat_name: threat.indicator.file.accessed
+  level: extended
+  name: accessed
+  normalize: []
+  original_fieldset: file
+  short: Last time the file was accessed.
+  type: date
+threat.indicator.file.attributes:
+  dashed_name: threat-indicator-file-attributes
+  description: 'Array of file attributes.
+
+    Attributes names will vary by platform. Here''s a non-exhaustive list of values
+    that are expected in this field: archive, compressed, directory, encrypted, execute,
+    hidden, read, readonly, system, write.'
+  example: '["readonly", "system"]'
+  flat_name: threat.indicator.file.attributes
+  ignore_above: 1024
+  level: extended
+  name: attributes
+  normalize:
+  - array
+  original_fieldset: file
+  short: Array of file attributes.
+  type: keyword
+threat.indicator.file.code_signature.exists:
+  dashed_name: threat-indicator-file-code-signature-exists
+  description: Boolean to capture if a signature is present.
+  example: 'true'
+  flat_name: threat.indicator.file.code_signature.exists
+  level: core
+  name: exists
+  normalize: []
+  original_fieldset: code_signature
+  short: Boolean to capture if a signature is present.
+  type: boolean
+threat.indicator.file.code_signature.signing_id:
+  dashed_name: threat-indicator-file-code-signature-signing-id
+  description: 'The identifier used to sign the process.
+
+    This is used to identify the application manufactured by a software vendor. The
+    field is relevant to Apple *OS only.'
+  example: com.apple.xpc.proxy
+  flat_name: threat.indicator.file.code_signature.signing_id
+  ignore_above: 1024
+  level: extended
+  name: signing_id
+  normalize: []
+  original_fieldset: code_signature
+  short: The identifier used to sign the process.
+  type: keyword
+threat.indicator.file.code_signature.status:
+  dashed_name: threat-indicator-file-code-signature-status
+  description: 'Additional information about the certificate status.
+
+    This is useful for logging cryptographic errors with the certificate validity
+    or trust status. Leave unpopulated if the validity or trust of the certificate
+    was unchecked.'
+  example: ERROR_UNTRUSTED_ROOT
+  flat_name: threat.indicator.file.code_signature.status
+  ignore_above: 1024
+  level: extended
+  name: status
+  normalize: []
+  original_fieldset: code_signature
+  short: Additional information about the certificate status.
+  type: keyword
+threat.indicator.file.code_signature.subject_name:
+  dashed_name: threat-indicator-file-code-signature-subject-name
+  description: Subject name of the code signer
+  example: Microsoft Corporation
+  flat_name: threat.indicator.file.code_signature.subject_name
+  ignore_above: 1024
+  level: core
+  name: subject_name
+  normalize: []
+  original_fieldset: code_signature
+  short: Subject name of the code signer
+  type: keyword
+threat.indicator.file.code_signature.team_id:
+  dashed_name: threat-indicator-file-code-signature-team-id
+  description: 'The team identifier used to sign the process.
+
+    This is used to identify the team or vendor of a software product. The field is
+    relevant to Apple *OS only.'
+  example: EQHXZ8M8AV
+  flat_name: threat.indicator.file.code_signature.team_id
+  ignore_above: 1024
+  level: extended
+  name: team_id
+  normalize: []
+  original_fieldset: code_signature
+  short: The team identifier used to sign the process.
+  type: keyword
+threat.indicator.file.code_signature.trusted:
+  dashed_name: threat-indicator-file-code-signature-trusted
+  description: 'Stores the trust status of the certificate chain.
+
+    Validating the trust of the certificate chain may be complicated, and this field
+    should only be populated by tools that actively check the status.'
+  example: 'true'
+  flat_name: threat.indicator.file.code_signature.trusted
+  level: extended
+  name: trusted
+  normalize: []
+  original_fieldset: code_signature
+  short: Stores the trust status of the certificate chain.
+  type: boolean
+threat.indicator.file.code_signature.valid:
+  dashed_name: threat-indicator-file-code-signature-valid
+  description: 'Boolean to capture if the digital signature is verified against the
+    binary content.
+
+    Leave unpopulated if a certificate was unchecked.'
+  example: 'true'
+  flat_name: threat.indicator.file.code_signature.valid
+  level: extended
+  name: valid
+  normalize: []
+  original_fieldset: code_signature
+  short: Boolean to capture if the digital signature is verified against the binary
+    content.
+  type: boolean
+threat.indicator.file.created:
+  dashed_name: threat-indicator-file-created
+  description: 'File creation time.
+
+    Note that not all filesystems store the creation time.'
+  flat_name: threat.indicator.file.created
+  level: extended
+  name: created
+  normalize: []
+  original_fieldset: file
+  short: File creation time.
+  type: date
+threat.indicator.file.ctime:
+  dashed_name: threat-indicator-file-ctime
+  description: 'Last time the file attributes or metadata changed.
+
+    Note that changes to the file content will update `mtime`. This implies `ctime`
+    will be adjusted at the same time, since `mtime` is an attribute of the file.'
+  flat_name: threat.indicator.file.ctime
+  level: extended
+  name: ctime
+  normalize: []
+  original_fieldset: file
+  short: Last time the file attributes or metadata changed.
+  type: date
+threat.indicator.file.device:
+  dashed_name: threat-indicator-file-device
+  description: Device that is the source of the file.
+  example: sda
+  flat_name: threat.indicator.file.device
+  ignore_above: 1024
+  level: extended
+  name: device
+  normalize: []
+  original_fieldset: file
+  short: Device that is the source of the file.
+  type: keyword
+threat.indicator.file.directory:
+  dashed_name: threat-indicator-file-directory
+  description: Directory where the file is located. It should include the drive letter,
+    when appropriate.
+  example: /home/alice
+  flat_name: threat.indicator.file.directory
+  level: extended
+  name: directory
+  normalize: []
+  original_fieldset: file
+  short: Directory where the file is located.
+  type: wildcard
+threat.indicator.file.drive_letter:
+  dashed_name: threat-indicator-file-drive-letter
+  description: 'Drive letter where the file is located. This field is only relevant
+    on Windows.
+
+    The value should be uppercase, and not include the colon.'
+  example: C
+  flat_name: threat.indicator.file.drive_letter
+  ignore_above: 1
+  level: extended
+  name: drive_letter
+  normalize: []
+  original_fieldset: file
+  short: Drive letter where the file is located.
+  type: keyword
+threat.indicator.file.extension:
+  dashed_name: threat-indicator-file-extension
+  description: 'File extension, excluding the leading dot.
+
+    Note that when the file name has multiple extensions (example.tar.gz), only the
+    last one should be captured ("gz", not "tar.gz").'
+  example: png
+  flat_name: threat.indicator.file.extension
+  ignore_above: 1024
+  level: extended
+  name: extension
+  normalize: []
+  original_fieldset: file
+  short: File extension, excluding the leading dot.
+  type: keyword
+threat.indicator.file.gid:
+  dashed_name: threat-indicator-file-gid
+  description: Primary group ID (GID) of the file.
+  example: '1001'
+  flat_name: threat.indicator.file.gid
+  ignore_above: 1024
+  level: extended
+  name: gid
+  normalize: []
+  original_fieldset: file
+  short: Primary group ID (GID) of the file.
+  type: keyword
+threat.indicator.file.group:
+  dashed_name: threat-indicator-file-group
+  description: Primary group name of the file.
+  example: alice
+  flat_name: threat.indicator.file.group
+  ignore_above: 1024
+  level: extended
+  name: group
+  normalize: []
+  original_fieldset: file
+  short: Primary group name of the file.
+  type: keyword
+threat.indicator.file.inode:
+  dashed_name: threat-indicator-file-inode
+  description: Inode representing the file in the filesystem.
+  example: '256383'
+  flat_name: threat.indicator.file.inode
+  ignore_above: 1024
+  level: extended
+  name: inode
+  normalize: []
+  original_fieldset: file
+  short: Inode representing the file in the filesystem.
+  type: keyword
+threat.indicator.file.mime_type:
+  dashed_name: threat-indicator-file-mime-type
+  description: MIME type should identify the format of the file or stream of bytes
+    using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official
+    types], where possible. When more than one type is applicable, the most specific
+    type should be used.
+  flat_name: threat.indicator.file.mime_type
+  ignore_above: 1024
+  level: extended
+  name: mime_type
+  normalize: []
+  original_fieldset: file
+  short: Media type of file, document, or arrangement of bytes.
+  type: keyword
+threat.indicator.file.mode:
+  dashed_name: threat-indicator-file-mode
+  description: Mode of the file in octal representation.
+  example: '0640'
+  flat_name: threat.indicator.file.mode
+  ignore_above: 1024
+  level: extended
+  name: mode
+  normalize: []
+  original_fieldset: file
+  short: Mode of the file in octal representation.
+  type: keyword
+threat.indicator.file.mtime:
+  dashed_name: threat-indicator-file-mtime
+  description: Last time the file content was modified.
+  flat_name: threat.indicator.file.mtime
+  level: extended
+  name: mtime
+  normalize: []
+  original_fieldset: file
+  short: Last time the file content was modified.
+  type: date
+threat.indicator.file.name:
+  dashed_name: threat-indicator-file-name
+  description: Name of the file including the extension, without the directory.
+  example: example.png
+  flat_name: threat.indicator.file.name
+  ignore_above: 1024
+  level: extended
+  name: name
+  normalize: []
+  original_fieldset: file
+  short: Name of the file including the extension, without the directory.
+  type: keyword
+threat.indicator.file.owner:
+  dashed_name: threat-indicator-file-owner
+  description: File owner's username.
+  example: alice
+  flat_name: threat.indicator.file.owner
+  ignore_above: 1024
+  level: extended
+  name: owner
+  normalize: []
+  original_fieldset: file
+  short: File owner's username.
+  type: keyword
+threat.indicator.file.path:
+  dashed_name: threat-indicator-file-path
+  description: Full path to the file, including the file name. It should include the
+    drive letter, when appropriate.
+  example: /home/alice/example.png
+  flat_name: threat.indicator.file.path
+  level: extended
+  multi_fields:
+  - flat_name: threat.indicator.file.path.text
+    name: text
+    norms: false
+    type: text
+  name: path
+  normalize: []
+  original_fieldset: file
+  short: Full path to the file, including the file name.
+  type: wildcard
+threat.indicator.file.size:
+  dashed_name: threat-indicator-file-size
+  description: 'File size in bytes.
+
+    Only relevant when `file.type` is "file".'
+  example: 16384
+  flat_name: threat.indicator.file.size
+  level: extended
+  name: size
+  normalize: []
+  original_fieldset: file
+  short: File size in bytes.
+  type: long
+threat.indicator.file.target_path:
+  dashed_name: threat-indicator-file-target-path
+  description: Target path for symlinks.
+  flat_name: threat.indicator.file.target_path
+  level: extended
+  multi_fields:
+  - flat_name: threat.indicator.file.target_path.text
+    name: text
+    norms: false
+    type: text
+  name: target_path
+  normalize: []
+  original_fieldset: file
+  short: Target path for symlinks.
+  type: wildcard
+threat.indicator.file.type:
+  dashed_name: threat-indicator-file-type
+  description: File type (file, dir, or symlink).
+  example: file
+  flat_name: threat.indicator.file.type
+  ignore_above: 1024
+  level: extended
+  name: type
+  normalize: []
+  original_fieldset: file
+  short: File type (file, dir, or symlink).
+  type: keyword
+threat.indicator.file.uid:
+  dashed_name: threat-indicator-file-uid
+  description: The user ID (UID) or security identifier (SID) of the file owner.
+  example: '1001'
+  flat_name: threat.indicator.file.uid
+  ignore_above: 1024
+  level: extended
+  name: uid
+  normalize: []
+  original_fieldset: file
+  short: The user ID (UID) or security identifier (SID) of the file owner.
+  type: keyword
+threat.indicator.first_seen:
+  dashed_name: threat-indicator-first-seen
+  description: The date and time when intelligence source first reported sighting
+    this indicator.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: threat.indicator.first_seen
+  level: extended
+  name: indicator.first_seen
+  normalize: []
+  short: Date/time indicator was first reported.
+  type: date
+threat.indicator.geo.city_name:
+  dashed_name: threat-indicator-geo-city-name
+  description: City name.
+  example: Montreal
+  flat_name: threat.indicator.geo.city_name
+  ignore_above: 1024
+  level: core
+  name: city_name
+  normalize: []
+  original_fieldset: geo
+  short: City name.
+  type: keyword
+threat.indicator.geo.continent_code:
+  dashed_name: threat-indicator-geo-continent-code
+  description: Two-letter code representing continent's name.
+  example: NA
+  flat_name: threat.indicator.geo.continent_code
+  ignore_above: 1024
+  level: core
+  name: continent_code
+  normalize: []
+  original_fieldset: geo
+  short: Continent code.
+  type: keyword
+threat.indicator.geo.continent_name:
+  dashed_name: threat-indicator-geo-continent-name
+  description: Name of the continent.
+  example: North America
+  flat_name: threat.indicator.geo.continent_name
+  ignore_above: 1024
+  level: core
+  name: continent_name
+  normalize: []
+  original_fieldset: geo
+  short: Name of the continent.
+  type: keyword
+threat.indicator.geo.country_iso_code:
+  dashed_name: threat-indicator-geo-country-iso-code
+  description: Country ISO code.
+  example: CA
+  flat_name: threat.indicator.geo.country_iso_code
+  ignore_above: 1024
+  level: core
+  name: country_iso_code
+  normalize: []
+  original_fieldset: geo
+  short: Country ISO code.
+  type: keyword
+threat.indicator.geo.country_name:
+  dashed_name: threat-indicator-geo-country-name
+  description: Country name.
+  example: Canada
+  flat_name: threat.indicator.geo.country_name
+  ignore_above: 1024
+  level: core
+  name: country_name
+  normalize: []
+  original_fieldset: geo
+  short: Country name.
+  type: keyword
+threat.indicator.geo.location:
+  dashed_name: threat-indicator-geo-location
+  description: Longitude and latitude.
+  example: '{ "lon": -73.614830, "lat": 45.505918 }'
+  flat_name: threat.indicator.geo.location
+  level: core
+  name: location
+  normalize: []
+  original_fieldset: geo
+  short: Longitude and latitude.
+  type: geo_point
+threat.indicator.geo.name:
+  dashed_name: threat-indicator-geo-name
+  description: 'User-defined description of a location, at the level of granularity
+    they care about.
+
+    Could be the name of their data centers, the floor number, if this describes a
+    local physical entity, city names.
+
+    Not typically used in automated geolocation.'
+  example: boston-dc
+  flat_name: threat.indicator.geo.name
+  level: extended
+  name: name
+  normalize: []
+  original_fieldset: geo
+  short: User-defined description of a location.
+  type: wildcard
+threat.indicator.geo.postal_code:
+  dashed_name: threat-indicator-geo-postal-code
+  description: 'Postal code associated with the location.
+
+    Values appropriate for this field may also be known as a postcode or ZIP code
+    and will vary widely from country to country.'
+  example: 94040
+  flat_name: threat.indicator.geo.postal_code
+  ignore_above: 1024
+  level: core
+  name: postal_code
+  normalize: []
+  original_fieldset: geo
+  short: Postal code.
+  type: keyword
+threat.indicator.geo.region_iso_code:
+  dashed_name: threat-indicator-geo-region-iso-code
+  description: Region ISO code.
+  example: CA-QC
+  flat_name: threat.indicator.geo.region_iso_code
+  ignore_above: 1024
+  level: core
+  name: region_iso_code
+  normalize: []
+  original_fieldset: geo
+  short: Region ISO code.
+  type: keyword
+threat.indicator.geo.region_name:
+  dashed_name: threat-indicator-geo-region-name
+  description: Region name.
+  example: Quebec
+  flat_name: threat.indicator.geo.region_name
+  ignore_above: 1024
+  level: core
+  name: region_name
+  normalize: []
+  original_fieldset: geo
+  short: Region name.
+  type: keyword
+threat.indicator.geo.timezone:
+  dashed_name: threat-indicator-geo-timezone
+  description: The time zone of the location, such as IANA time zone name.
+  example: America/Argentina/Buenos_Aires
+  flat_name: threat.indicator.geo.timezone
+  ignore_above: 1024
+  level: core
+  name: timezone
+  normalize: []
+  original_fieldset: geo
+  short: Time zone.
+  type: keyword
+threat.indicator.hash.md5:
+  dashed_name: threat-indicator-hash-md5
+  description: MD5 hash.
+  flat_name: threat.indicator.hash.md5
+  ignore_above: 1024
+  level: extended
+  name: md5
+  normalize: []
+  original_fieldset: hash
+  short: MD5 hash.
+  type: keyword
+threat.indicator.hash.sha1:
+  dashed_name: threat-indicator-hash-sha1
+  description: SHA1 hash.
+  flat_name: threat.indicator.hash.sha1
+  ignore_above: 1024
+  level: extended
+  name: sha1
+  normalize: []
+  original_fieldset: hash
+  short: SHA1 hash.
+  type: keyword
+threat.indicator.hash.sha256:
+  dashed_name: threat-indicator-hash-sha256
+  description: SHA256 hash.
+  flat_name: threat.indicator.hash.sha256
+  ignore_above: 1024
+  level: extended
+  name: sha256
+  normalize: []
+  original_fieldset: hash
+  short: SHA256 hash.
+  type: keyword
+threat.indicator.hash.sha512:
+  dashed_name: threat-indicator-hash-sha512
+  description: SHA512 hash.
+  flat_name: threat.indicator.hash.sha512
+  ignore_above: 1024
+  level: extended
+  name: sha512
+  normalize: []
+  original_fieldset: hash
+  short: SHA512 hash.
+  type: keyword
+threat.indicator.hash.ssdeep:
+  dashed_name: threat-indicator-hash-ssdeep
+  description: SSDEEP hash.
+  flat_name: threat.indicator.hash.ssdeep
+  ignore_above: 1024
+  level: extended
+  name: ssdeep
+  normalize: []
+  original_fieldset: hash
+  short: SSDEEP hash.
+  type: keyword
+threat.indicator.ip:
+  dashed_name: threat-indicator-ip
+  description: Identifies a threat indicator as an IP address (irrespective of direction).
+  example: 1.2.3.4
+  flat_name: threat.indicator.ip
+  level: extended
+  name: indicator.ip
+  normalize: []
+  short: Indicator IP address
+  type: ip
+threat.indicator.last_seen:
+  dashed_name: threat-indicator-last-seen
+  description: The date and time when intelligence source last reported sighting this
+    indicator.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: threat.indicator.last_seen
+  level: extended
+  name: indicator.last_seen
+  normalize: []
+  short: Date/time indicator was last reported.
+  type: date
+threat.indicator.marking.tlp:
+  dashed_name: threat-indicator-marking-tlp
+  description: "Traffic Light Protocol sharing markings.\nExpected values are:\n \
+    \ * White\n  * Green\n  * Amber\n  * Red"
+  example: White
+  flat_name: threat.indicator.marking.tlp
+  ignore_above: 1024
+  level: extended
+  name: indicator.marking.tlp
+  normalize: []
+  short: Indicator TLP marking
+  type: keyword
+threat.indicator.matched.atomic:
+  dashed_name: threat-indicator-matched-atomic
+  description: Identifies the atomic indicator that matched a local environment endpoint
+    or network event.
+  example: example.com
+  flat_name: threat.indicator.matched.atomic
+  ignore_above: 1024
+  level: extended
+  name: indicator.matched.atomic
+  normalize: []
+  short: Indicator atomic match
+  type: keyword
+threat.indicator.matched.field:
+  dashed_name: threat-indicator-matched-field
+  description: Identifies the field of the atomic indicator that matched a local environment
+    endpoint or network event.
+  example: file.hash.sha256
+  flat_name: threat.indicator.matched.field
+  ignore_above: 1024
+  level: extended
+  name: indicator.matched.field
+  normalize: []
+  short: Indicator field match
+  type: keyword
+threat.indicator.matched.type:
+  dashed_name: threat-indicator-matched-type
+  description: Identifies the type of the atomic indicator that matched a local environment
+    endpoint or network event.
+  example: domain-name
+  flat_name: threat.indicator.matched.type
+  ignore_above: 1024
+  level: extended
+  name: indicator.matched.type
+  normalize: []
+  short: Indicator type match
+  type: keyword
+threat.indicator.module:
+  dashed_name: threat-indicator-module
+  description: Identifies the name of specific module this data is coming from.
+  example: threatintel
+  flat_name: threat.indicator.module
+  ignore_above: 1024
+  level: extended
+  name: indicator.module
+  normalize: []
+  short: Indicator module
+  type: keyword
+threat.indicator.pe.architecture:
+  dashed_name: threat-indicator-pe-architecture
+  description: CPU architecture target for the file.
+  example: x64
+  flat_name: threat.indicator.pe.architecture
+  ignore_above: 1024
+  level: extended
+  name: architecture
+  normalize: []
+  original_fieldset: pe
+  short: CPU architecture target for the file.
+  type: keyword
+threat.indicator.pe.authentihash:
+  dashed_name: threat-indicator-pe-authentihash
+  description: Authentihash of the PE file.
+  example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
+  flat_name: threat.indicator.pe.authentihash
+  ignore_above: 1024
+  level: extended
+  name: authentihash
+  normalize: []
+  original_fieldset: pe
+  short: Authentihash of the PE file.
+  type: keyword
+threat.indicator.pe.company:
+  dashed_name: threat-indicator-pe-company
+  description: Internal company name of the file, provided at compile-time.
+  example: Microsoft Corporation
+  flat_name: threat.indicator.pe.company
+  ignore_above: 1024
+  level: extended
+  name: company
+  normalize: []
+  original_fieldset: pe
+  short: Internal company name of the file, provided at compile-time.
+  type: keyword
+threat.indicator.pe.compile_timestamp:
+  dashed_name: threat-indicator-pe-compile-timestamp
+  description: Compile timestamp of the PE file.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: threat.indicator.pe.compile_timestamp
+  level: extended
+  name: compile_timestamp
+  normalize: []
+  original_fieldset: pe
+  short: Compile timestamp of the PE file.
+  type: date
+threat.indicator.pe.compiler.name:
+  dashed_name: threat-indicator-pe-compiler-name
+  description: Name of the compiler
+  example: Clang
+  flat_name: threat.indicator.pe.compiler.name
+  ignore_above: 1024
+  level: extended
+  name: compiler.name
+  normalize: []
+  original_fieldset: pe
+  short: Name of the compiler
+  type: keyword
+threat.indicator.pe.compiler.version:
+  dashed_name: threat-indicator-pe-compiler-version
+  description: Version of the compiler.
+  example: 11.0.0
+  flat_name: threat.indicator.pe.compiler.version
+  ignore_above: 1024
+  level: extended
+  name: compiler.version
+  normalize: []
+  original_fieldset: pe
+  short: Version of the compiler.
+  type: keyword
+threat.indicator.pe.creation_date:
+  dashed_name: threat-indicator-pe-creation-date
+  description: Extracted when possible from the file's metadata. Indicates when it
+    was built or compiled. It can also be faked by malware creators.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: threat.indicator.pe.creation_date
+  level: extended
+  name: creation_date
+  normalize: []
+  original_fieldset: pe
+  short: Build or compile date.
+  type: date
+threat.indicator.pe.debug:
+  dashed_name: threat-indicator-pe-debug
+  description: 'An array containing an object for each debug entry, if present.
+
+    The expected fields for this nested object fall under the `debug.` prefix.'
+  flat_name: threat.indicator.pe.debug
+  level: extended
+  name: debug
+  normalize:
+  - array
+  original_fieldset: pe
+  short: Debug information
+  type: nested
+threat.indicator.pe.debug.offset:
+  dashed_name: threat-indicator-pe-debug-offset
+  description: Debug offset information.
+  example: 1296336
+  flat_name: threat.indicator.pe.debug.offset
+  ignore_above: 1024
+  level: extended
+  name: debug.offset
+  normalize: []
+  original_fieldset: pe
+  short: Debug offset information.
+  type: keyword
+threat.indicator.pe.debug.size:
+  dashed_name: threat-indicator-pe-debug-size
+  description: Size of the debug information.
+  example: 816
+  flat_name: threat.indicator.pe.debug.size
+  format: bytes
+  level: extended
+  name: debug.size
+  normalize: []
+  original_fieldset: pe
+  short: Size of the debug information.
+  type: long
+threat.indicator.pe.debug.timestamp:
+  dashed_name: threat-indicator-pe-debug-timestamp
+  description: Timestamp of the debug information.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: threat.indicator.pe.debug.timestamp
+  level: extended
+  name: debug.timestamp
+  normalize: []
+  original_fieldset: pe
+  short: Timestamp of the debug information.
+  type: date
+threat.indicator.pe.debug.type:
+  dashed_name: threat-indicator-pe-debug-type
+  description: Information type generated by the debug options.
+  example: IMAGE_DEBUG_TYPE_POGO
+  flat_name: threat.indicator.pe.debug.type
+  ignore_above: 1024
+  level: extended
+  name: debug.type
+  normalize: []
+  original_fieldset: pe
+  short: Information type generated by the debug options.
+  type: keyword
+threat.indicator.pe.description:
+  dashed_name: threat-indicator-pe-description
+  description: Internal description of the file, provided at compile-time.
+  example: Paint
+  flat_name: threat.indicator.pe.description
+  ignore_above: 1024
+  level: extended
+  name: description
+  normalize: []
+  original_fieldset: pe
+  short: Internal description of the file, provided at compile-time.
+  type: keyword
+threat.indicator.pe.entry_point:
+  dashed_name: threat-indicator-pe-entry-point
+  description: Relative byte offset to the base of the PE file.
+  example: 25856
+  flat_name: threat.indicator.pe.entry_point
+  ignore_above: 1024
+  level: extended
+  name: entry_point
+  normalize: []
+  original_fieldset: pe
+  short: Relative byte offset to the base of the PE file.
+  type: keyword
+threat.indicator.pe.exports:
+  dashed_name: threat-indicator-pe-exports
+  description: List of symbols exported by PE
+  example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
+  flat_name: threat.indicator.pe.exports
+  ignore_above: 1024
+  level: extended
+  name: exports
+  normalize:
+  - array
+  original_fieldset: pe
+  short: List of symbols exported by PE
+  type: keyword
+threat.indicator.pe.file_version:
+  dashed_name: threat-indicator-pe-file-version
+  description: Internal version of the file, provided at compile-time.
+  example: 6.3.9600.17415
+  flat_name: threat.indicator.pe.file_version
+  ignore_above: 1024
+  level: extended
+  name: file_version
+  normalize: []
+  original_fieldset: pe
+  short: Process name.
+  type: keyword
+threat.indicator.pe.icon.hash.dhash:
+  dashed_name: threat-indicator-pe-icon-hash-dhash
+  description: Difference Hash (dhash) to find files with a visually similar icon
+    or thumbnail.
+  example: b806e17c8e330d82
+  flat_name: threat.indicator.pe.icon.hash.dhash
+  ignore_above: 1024
+  level: extended
+  name: icon.hash.dhash
+  normalize: []
+  original_fieldset: pe
+  short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
+  type: keyword
+threat.indicator.pe.imphash:
+  dashed_name: threat-indicator-pe-imphash
+  description: 'A hash of the imports in a PE file. An imphash -- or import hash --
+    can be used to fingerprint binaries even after recompilation or other code-level
+    transformations have occurred, which would change more traditional hash values.
+
+    Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+  example: 0c6803c4e922103c4dca5963aad36ddf
+  flat_name: threat.indicator.pe.imphash
+  ignore_above: 1024
+  level: extended
+  name: imphash
+  normalize: []
+  original_fieldset: pe
+  short: A hash of the imports in a PE file.
+  type: keyword
+threat.indicator.pe.imports:
+  dashed_name: threat-indicator-pe-imports
+  description: List of all imported functions
+  example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
+    }'
+  flat_name: threat.indicator.pe.imports
+  level: extended
+  name: imports
+  normalize: []
+  original_fieldset: pe
+  short: List of all imported functions
+  type: flattened
+threat.indicator.pe.machine_type:
+  dashed_name: threat-indicator-pe-machine-type
+  description: Machine type of the PE file.
+  example: Intel 386 or later, and compatibles
+  flat_name: threat.indicator.pe.machine_type
+  ignore_above: 1024
+  level: extended
+  name: machine_type
+  normalize: []
+  original_fieldset: pe
+  short: Machine type of the PE file.
+  type: keyword
+threat.indicator.pe.original_file_name:
+  dashed_name: threat-indicator-pe-original-file-name
+  description: Internal name of the file, provided at compile-time.
+  example: MSPAINT.EXE
+  flat_name: threat.indicator.pe.original_file_name
+  level: extended
+  name: original_file_name
+  normalize: []
+  original_fieldset: pe
+  short: Internal name of the file, provided at compile-time.
+  type: wildcard
+threat.indicator.pe.packers:
+  dashed_name: threat-indicator-pe-packers
+  description: List of packers and tools used.
+  example: '["ASPack v2.12", ".NET executable"]'
+  flat_name: threat.indicator.pe.packers
+  ignore_above: 1024
+  level: extended
+  name: packers
+  normalize:
+  - array
+  original_fieldset: pe
+  short: List of packers and tools used.
+  type: keyword
+threat.indicator.pe.product:
+  dashed_name: threat-indicator-pe-product
+  description: Internal product name of the file, provided at compile-time.
+  example: "Microsoft\xAE Windows\xAE Operating System"
+  flat_name: threat.indicator.pe.product
+  ignore_above: 1024
+  level: extended
+  name: product
+  normalize: []
+  original_fieldset: pe
+  short: Internal product name of the file, provided at compile-time.
+  type: keyword
+threat.indicator.pe.resources:
+  dashed_name: threat-indicator-pe-resources
+  description: 'An array containing an object for each PE resource, if present.
+
+    The expected fields for this nested object fall under the `resources.` prefix.'
+  flat_name: threat.indicator.pe.resources
+  level: extended
+  name: resources
+  normalize:
+  - array
+  original_fieldset: pe
+  short: PE resource information
+  type: nested
+threat.indicator.pe.resources.chi2:
+  dashed_name: threat-indicator-pe-resources-chi2
+  description: Chi-square probability distribution.
+  example: -1
+  flat_name: threat.indicator.pe.resources.chi2
+  level: extended
+  name: resources.chi2
+  normalize: []
+  original_fieldset: pe
+  short: Chi-square probability distribution.
+  type: long
+threat.indicator.pe.resources.entropy:
+  dashed_name: threat-indicator-pe-resources-entropy
+  description: Measurement of entropy randomness in the resources section.
+  example: 0, 1
+  flat_name: threat.indicator.pe.resources.entropy
+  level: extended
+  name: resources.entropy
+  normalize: []
+  original_fieldset: pe
+  short: Measurement of entropy randomness in the resources section.
+  type: long
+threat.indicator.pe.resources.filetype:
+  dashed_name: threat-indicator-pe-resources-filetype
+  description: File type of the resources section.
+  example: Data
+  flat_name: threat.indicator.pe.resources.filetype
+  ignore_above: 1024
+  level: extended
+  name: resources.filetype
+  normalize: []
+  original_fieldset: pe
+  short: File type of the resources section.
+  type: keyword
+threat.indicator.pe.resources.language:
+  dashed_name: threat-indicator-pe-resources-language
+  description: Language identification.
+  example: CHINESE SIMPLIFIED
+  flat_name: threat.indicator.pe.resources.language
+  ignore_above: 1024
+  level: extended
+  name: resources.language
+  normalize: []
+  original_fieldset: pe
+  short: Language identification.
+  type: keyword
+threat.indicator.pe.resources.sha256:
+  dashed_name: threat-indicator-pe-resources-sha256
+  description: SHA256 hash of resources section.
+  example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+  flat_name: threat.indicator.pe.resources.sha256
+  ignore_above: 1024
+  level: extended
+  name: resources.sha256
+  normalize: []
+  original_fieldset: pe
+  short: SHA256 hash of resources section.
+  type: keyword
+threat.indicator.pe.resources.type:
+  dashed_name: threat-indicator-pe-resources-type
+  description: Digest of resource types.
+  example: '["RT_VERSION", "RT_MANIFEST"]'
+  flat_name: threat.indicator.pe.resources.type
+  ignore_above: 1024
+  level: extended
+  name: resources.type
+  normalize:
+  - array
+  original_fieldset: pe
+  short: List of resource types.
+  type: keyword
+threat.indicator.pe.rich_header.hash.md5:
+  dashed_name: threat-indicator-pe-rich-header-hash-md5
+  description: MD5 hash of the header for the PE file.
+  example: 5aa1aa0f2b4be70397a1e9e2b87627cd
+  flat_name: threat.indicator.pe.rich_header.hash.md5
+  ignore_above: 1024
+  level: extended
+  name: rich_header.hash.md5
+  normalize: []
+  original_fieldset: pe
+  short: MD5 hash of the header for the PE file.
+  type: keyword
+threat.indicator.pe.sections:
+  dashed_name: threat-indicator-pe-sections
+  description: Data about sections of compiled binary PE
+  flat_name: threat.indicator.pe.sections
+  level: extended
+  name: sections
+  normalize:
+  - array
+  original_fieldset: pe
+  short: Data about sections of the compiled binary PE
+  type: nested
+threat.indicator.pe.sections.chi2:
+  dashed_name: threat-indicator-pe-sections-chi2
+  description: Chi-square probability distribution.
+  example: 3027194
+  flat_name: threat.indicator.pe.sections.chi2
+  level: extended
+  name: sections.chi2
+  normalize: []
+  original_fieldset: pe
+  short: Chi-square probability distribution.
+  type: long
+threat.indicator.pe.sections.entropy:
+  dashed_name: threat-indicator-pe-sections-entropy
+  description: Measurement of entropy randomness in the file.
+  example: 6.24
+  flat_name: threat.indicator.pe.sections.entropy
+  level: extended
+  name: sections.entropy
+  normalize: []
+  original_fieldset: pe
+  short: Measurement of entropy randomness in the file.
+  type: float
+threat.indicator.pe.sections.flags:
+  dashed_name: threat-indicator-pe-sections-flags
+  description: Section flags of the file.
+  example: rx
+  flat_name: threat.indicator.pe.sections.flags
+  ignore_above: 1024
+  level: extended
+  name: sections.flags
+  normalize: []
+  original_fieldset: pe
+  short: Section flags of the file.
+  type: keyword
+threat.indicator.pe.sections.name:
+  dashed_name: threat-indicator-pe-sections-name
+  description: Section names of the file.
+  example: .text, .data
+  flat_name: threat.indicator.pe.sections.name
+  ignore_above: 1024
+  level: extended
+  name: sections.name
+  normalize: []
+  original_fieldset: pe
+  short: Section names of the file.
+  type: keyword
+threat.indicator.pe.sections.raw_size:
+  dashed_name: threat-indicator-pe-sections-raw-size
+  description: Size of the section or the dize of the initialized data on disk.
+  example: 198144
+  flat_name: threat.indicator.pe.sections.raw_size
+  format: bytes
+  level: extended
+  name: sections.raw_size
+  normalize: []
+  original_fieldset: pe
+  short: Size of the section or the dize of the initialized data on disk.
+  type: long
+threat.indicator.pe.sections.virtual_address:
+  dashed_name: threat-indicator-pe-sections-virtual-address
+  description: Virtual address available to the file.
+  example: 8192
+  flat_name: threat.indicator.pe.sections.virtual_address
+  format: bytes
+  level: extended
+  name: sections.virtual_address
+  normalize: []
+  original_fieldset: pe
+  short: Virtual address available to the file.
+  type: long
+threat.indicator.port:
+  dashed_name: threat-indicator-port
+  description: Identifies a threat indicator as a port number (irrespective of direction).
+  example: 443
+  flat_name: threat.indicator.port
+  level: extended
+  name: indicator.port
+  normalize: []
+  short: Indicator port
+  type: long
+threat.indicator.provider:
+  dashed_name: threat-indicator-provider
+  description: Identifies the name of the intelligence provider.
+  example: VirusTotal
+  flat_name: threat.indicator.provider
+  ignore_above: 1024
+  level: extended
+  name: indicator.provider
+  normalize: []
+  short: Identifies the name of the intelligence provider.
+  type: keyword
+threat.indicator.registry.data.bytes:
+  dashed_name: threat-indicator-registry-data-bytes
+  description: 'Original bytes written with base64 encoding.
+
+    For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
+    corresponds to the data pointed by `lp_data`. This is optional but provides better
+    recoverability and should be populated for REG_BINARY encoded values.'
+  example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
+  flat_name: threat.indicator.registry.data.bytes
+  ignore_above: 1024
+  level: extended
+  name: data.bytes
+  normalize: []
+  original_fieldset: registry
+  short: Original bytes written with base64 encoding.
+  type: keyword
+threat.indicator.registry.data.strings:
+  dashed_name: threat-indicator-registry-data-strings
+  description: 'Content when writing string types.
+
+    Populated as an array when writing string data to the registry. For single string
+    registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string.
+    For sequences of string with REG_MULTI_SZ, this array will be variable length.
+    For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with
+    the decimal representation (e.g `"1"`).'
+  example: '["C:\rta\red_ttp\bin\myapp.exe"]'
+  flat_name: threat.indicator.registry.data.strings
+  level: core
+  name: data.strings
+  normalize:
+  - array
+  original_fieldset: registry
+  short: List of strings representing what was written to the registry.
+  type: wildcard
+threat.indicator.registry.data.type:
+  dashed_name: threat-indicator-registry-data-type
+  description: Standard registry type for encoding contents
+  example: REG_SZ
+  flat_name: threat.indicator.registry.data.type
+  ignore_above: 1024
+  level: core
+  name: data.type
+  normalize: []
+  original_fieldset: registry
+  short: Standard registry type for encoding contents
+  type: keyword
+threat.indicator.registry.hive:
+  dashed_name: threat-indicator-registry-hive
+  description: Abbreviated name for the hive.
+  example: HKLM
+  flat_name: threat.indicator.registry.hive
+  ignore_above: 1024
+  level: core
+  name: hive
+  normalize: []
+  original_fieldset: registry
+  short: Abbreviated name for the hive.
+  type: keyword
+threat.indicator.registry.key:
+  dashed_name: threat-indicator-registry-key
+  description: Hive-relative path of keys.
+  example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
+  flat_name: threat.indicator.registry.key
+  level: core
+  name: key
+  normalize: []
+  original_fieldset: registry
+  short: Hive-relative path of keys.
+  type: wildcard
+threat.indicator.registry.path:
+  dashed_name: threat-indicator-registry-path
+  description: Full path, including hive, key and value
+  example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
+    Options\winword.exe\Debugger
+  flat_name: threat.indicator.registry.path
+  level: core
+  name: path
+  normalize: []
+  original_fieldset: registry
+  short: Full path, including hive, key and value
+  type: wildcard
+threat.indicator.registry.value:
+  dashed_name: threat-indicator-registry-value
+  description: Name of the value written.
+  example: Debugger
+  flat_name: threat.indicator.registry.value
+  ignore_above: 1024
+  level: core
+  name: value
+  normalize: []
+  original_fieldset: registry
+  short: Name of the value written.
+  type: keyword
+threat.indicator.scanner_stats:
+  dashed_name: threat-indicator-scanner-stats
+  description: Count of AV/EDR vendors that successfully detected malicious file or
+    URL.
+  example: 4
+  flat_name: threat.indicator.scanner_stats
+  level: extended
+  name: indicator.scanner_stats
+  normalize: []
+  short: Scanner statistics
+  type: long
+threat.indicator.sightings:
+  dashed_name: threat-indicator-sightings
+  description: Number of times this indicator was observed conducting threat activity.
+  example: 20
+  flat_name: threat.indicator.sightings
+  level: extended
+  name: indicator.sightings
+  normalize: []
+  short: Number of times indicator observed
+  type: long
+threat.indicator.type:
+  dashed_name: threat-indicator-type
+  description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\
+    Expected values\n  * autonomous-system\n  * artifact\n  * directory\n  * domain-name\n\
+    \  * email-addr\n  * file\n  * ipv4-addr\n  * ipv6-addr\n  * mac-addr\n  * mutex\n\
+    \  * process\n  * software\n  * url\n  * user-account\n  * windows-registry-key\n\
+    \  * x-509-certificate"
+  example: ipv4-addr
+  flat_name: threat.indicator.type
+  ignore_above: 1024
+  level: extended
+  name: indicator.type
+  normalize: []
+  short: Type of indicator
+  type: keyword
 threat.tactic.id:
   dashed_name: threat-tactic-id
   description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index cd00f781a0..46621ccf87 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -149,6 +149,9 @@ as:
     - as: as
       at: source
       full: source.as
+    - as: as
+      at: threat.indicator
+      full: threat.indicator.as
     top_level: false
   short: Fields describing an Autonomous System (Internet routing prefix).
   title: Autonomous System
@@ -4599,6 +4602,12 @@ file:
   - file.pe
   - file.x509
   prefix: file.
+  reusable:
+    expected:
+    - as: file
+      at: threat.indicator
+      full: threat.indicator.file
+    top_level: true
   reused_here:
   - full: file.code_signature
     schema_name: code_signature
@@ -4773,6 +4782,9 @@ geo:
     - as: geo
       at: source
       full: source.geo
+    - as: geo
+      at: threat.indicator
+      full: threat.indicator.geo
     top_level: false
   short: Fields describing a location.
   title: Geo
@@ -4901,6 +4913,9 @@ hash:
     - as: hash
       at: dll
       full: dll.hash
+    - as: hash
+      at: threat.indicator
+      full: threat.indicator.hash
     top_level: false
   short: Hashes, usually file hashes.
   title: Hash
@@ -7499,6 +7514,9 @@ pe:
     - as: pe
       at: process
       full: process.pe
+    - as: pe
+      at: threat.indicator
+      full: threat.indicator.pe
     top_level: false
   short: These fields contain Windows Portable Executable (PE) metadata.
   title: PE Header
@@ -9304,6 +9322,12 @@ registry:
   group: 2
   name: registry
   prefix: registry.
+  reusable:
+    expected:
+    - as: registry
+      at: threat.indicator
+      full: threat.indicator.registry
+    top_level: true
   short: Fields related to Windows Registry operations.
   title: Registry
   type: group
@@ -10629,137 +10653,1516 @@ threat:
       normalize: []
       short: Threat classification framework.
       type: keyword
-    threat.tactic.id:
-      dashed_name: threat-tactic-id
-      description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\
-        \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )"
-      example: TA0002
-      flat_name: threat.tactic.id
+    threat.indicator.as.number:
+      dashed_name: threat-indicator-as-number
+      description: Unique number allocated to the autonomous system. The autonomous
+        system number (ASN) uniquely identifies each network on the Internet.
+      example: 15169
+      flat_name: threat.indicator.as.number
+      level: extended
+      name: number
+      normalize: []
+      original_fieldset: as
+      short: Unique number allocated to the autonomous system.
+      type: long
+    threat.indicator.as.organization.name:
+      dashed_name: threat-indicator-as-organization-name
+      description: Organization name.
+      example: Google LLC
+      flat_name: threat.indicator.as.organization.name
+      level: extended
+      multi_fields:
+      - flat_name: threat.indicator.as.organization.name.text
+        name: text
+        norms: false
+        type: text
+      name: organization.name
+      normalize: []
+      original_fieldset: as
+      short: Organization name.
+      type: wildcard
+    threat.indicator.confidence:
+      dashed_name: threat-indicator-confidence
+      description: "Identifies the confidence rating assigned by the provider using\
+        \ STIX confidence scales.\nExpected values:\n  * Not Specified, None, Low,\
+        \ Medium, High\n  * 0-10\n  * Admirality Scale (1-6)\n  * DNI Scale (5-95)\n\
+        \  * WEP Scale (Impossible - Certain)"
+      example: High
+      flat_name: threat.indicator.confidence
       ignore_above: 1024
       level: extended
-      name: tactic.id
-      normalize:
-      - array
-      short: Threat tactic id.
+      name: indicator.confidence
+      normalize: []
+      short: Indicator confidence rating
       type: keyword
-    threat.tactic.name:
-      dashed_name: threat-tactic-name
-      description: "Name of the type of tactic used by this threat. You can use a\
-        \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)"
-      example: Execution
-      flat_name: threat.tactic.name
+    threat.indicator.dataset:
+      dashed_name: threat-indicator-dataset
+      description: Identifies the name of specific dataset from the intelligence source.
+      example: threatintel.abusemalware
+      flat_name: threat.indicator.dataset
       ignore_above: 1024
       level: extended
-      name: tactic.name
-      normalize:
-      - array
-      short: Threat tactic.
+      name: indicator.dataset
+      normalize: []
+      short: Indicator dataset
       type: keyword
-    threat.tactic.reference:
-      dashed_name: threat-tactic-reference
-      description: "The reference url of tactic used by this threat. You can use a\
-        \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/\
-        \ )"
-      example: https://attack.mitre.org/tactics/TA0002/
-      flat_name: threat.tactic.reference
+    threat.indicator.description:
+      dashed_name: threat-indicator-description
+      description: Describes the type of action conducted by the threat.
+      example: IP x.x.x.x was observed delivering the Angler EK.
+      flat_name: threat.indicator.description
+      level: extended
+      name: indicator.description
+      normalize: []
+      short: Indicator description
+      type: wildcard
+    threat.indicator.domain:
+      dashed_name: threat-indicator-domain
+      description: Identifies a threat indicator as a domain (irrespective of direction).
+      example: example.com
+      flat_name: threat.indicator.domain
       ignore_above: 1024
       level: extended
-      name: tactic.reference
-      normalize:
-      - array
-      short: Threat tactic URL reference.
+      name: indicator.domain
+      normalize: []
+      short: Indicator domain name
       type: keyword
-    threat.technique.id:
-      dashed_name: threat-technique-id
-      description: "The id of technique used by this threat. You can use a MITRE ATT&CK\xAE\
-        \ technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
-      example: T1059
-      flat_name: threat.technique.id
+    threat.indicator.email.address:
+      dashed_name: threat-indicator-email-address
+      description: Identifies a threat indicator as an email address (irrespective
+        of direction).
+      example: phish@example.com
+      flat_name: threat.indicator.email.address
       ignore_above: 1024
       level: extended
-      name: technique.id
-      normalize:
-      - array
-      short: Threat technique id.
+      name: indicator.email.address
+      normalize: []
+      short: Indicator email address
       type: keyword
-    threat.technique.name:
-      dashed_name: threat-technique-name
-      description: "The name of technique used by this threat. You can use a MITRE\
-        \ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
-      example: Command and Scripting Interpreter
-      flat_name: threat.technique.name
+    threat.indicator.file.accessed:
+      dashed_name: threat-indicator-file-accessed
+      description: 'Last time the file was accessed.
+
+        Note that not all filesystems keep track of access time.'
+      flat_name: threat.indicator.file.accessed
+      level: extended
+      name: accessed
+      normalize: []
+      original_fieldset: file
+      short: Last time the file was accessed.
+      type: date
+    threat.indicator.file.attributes:
+      dashed_name: threat-indicator-file-attributes
+      description: 'Array of file attributes.
+
+        Attributes names will vary by platform. Here''s a non-exhaustive list of values
+        that are expected in this field: archive, compressed, directory, encrypted,
+        execute, hidden, read, readonly, system, write.'
+      example: '["readonly", "system"]'
+      flat_name: threat.indicator.file.attributes
       ignore_above: 1024
       level: extended
-      multi_fields:
-      - flat_name: threat.technique.name.text
-        name: text
-        norms: false
-        type: text
-      name: technique.name
+      name: attributes
       normalize:
       - array
-      short: Threat technique name.
+      original_fieldset: file
+      short: Array of file attributes.
       type: keyword
-    threat.technique.reference:
-      dashed_name: threat-technique-reference
-      description: "The reference url of technique used by this threat. You can use\
-        \ a MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
-      example: https://attack.mitre.org/techniques/T1059/
-      flat_name: threat.technique.reference
+    threat.indicator.file.code_signature.exists:
+      dashed_name: threat-indicator-file-code-signature-exists
+      description: Boolean to capture if a signature is present.
+      example: 'true'
+      flat_name: threat.indicator.file.code_signature.exists
+      level: core
+      name: exists
+      normalize: []
+      original_fieldset: code_signature
+      short: Boolean to capture if a signature is present.
+      type: boolean
+    threat.indicator.file.code_signature.signing_id:
+      dashed_name: threat-indicator-file-code-signature-signing-id
+      description: 'The identifier used to sign the process.
+
+        This is used to identify the application manufactured by a software vendor.
+        The field is relevant to Apple *OS only.'
+      example: com.apple.xpc.proxy
+      flat_name: threat.indicator.file.code_signature.signing_id
       ignore_above: 1024
       level: extended
-      name: technique.reference
-      normalize:
-      - array
-      short: Threat technique URL reference.
+      name: signing_id
+      normalize: []
+      original_fieldset: code_signature
+      short: The identifier used to sign the process.
       type: keyword
-    threat.technique.subtechnique.id:
-      dashed_name: threat-technique-subtechnique-id
-      description: "The full id of subtechnique used by this threat. You can use a\
-        \ MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
-      example: T1059.001
-      flat_name: threat.technique.subtechnique.id
+    threat.indicator.file.code_signature.status:
+      dashed_name: threat-indicator-file-code-signature-status
+      description: 'Additional information about the certificate status.
+
+        This is useful for logging cryptographic errors with the certificate validity
+        or trust status. Leave unpopulated if the validity or trust of the certificate
+        was unchecked.'
+      example: ERROR_UNTRUSTED_ROOT
+      flat_name: threat.indicator.file.code_signature.status
       ignore_above: 1024
       level: extended
-      name: technique.subtechnique.id
-      normalize:
-      - array
-      short: Threat subtechnique id.
+      name: status
+      normalize: []
+      original_fieldset: code_signature
+      short: Additional information about the certificate status.
       type: keyword
-    threat.technique.subtechnique.name:
-      dashed_name: threat-technique-subtechnique-name
-      description: "The name of subtechnique used by this threat. You can use a MITRE\
-        \ ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
-      example: PowerShell
-      flat_name: threat.technique.subtechnique.name
+    threat.indicator.file.code_signature.subject_name:
+      dashed_name: threat-indicator-file-code-signature-subject-name
+      description: Subject name of the code signer
+      example: Microsoft Corporation
+      flat_name: threat.indicator.file.code_signature.subject_name
+      ignore_above: 1024
+      level: core
+      name: subject_name
+      normalize: []
+      original_fieldset: code_signature
+      short: Subject name of the code signer
+      type: keyword
+    threat.indicator.file.code_signature.team_id:
+      dashed_name: threat-indicator-file-code-signature-team-id
+      description: 'The team identifier used to sign the process.
+
+        This is used to identify the team or vendor of a software product. The field
+        is relevant to Apple *OS only.'
+      example: EQHXZ8M8AV
+      flat_name: threat.indicator.file.code_signature.team_id
       ignore_above: 1024
       level: extended
-      multi_fields:
-      - flat_name: threat.technique.subtechnique.name.text
-        name: text
-        norms: false
-        type: text
-      name: technique.subtechnique.name
-      normalize:
-      - array
-      short: Threat subtechnique name.
+      name: team_id
+      normalize: []
+      original_fieldset: code_signature
+      short: The team identifier used to sign the process.
       type: keyword
-    threat.technique.subtechnique.reference:
-      dashed_name: threat-technique-subtechnique-reference
-      description: "The reference url of subtechnique used by this threat. You can\
-        \ use a MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
-      example: https://attack.mitre.org/techniques/T1059/001/
-      flat_name: threat.technique.subtechnique.reference
+    threat.indicator.file.code_signature.trusted:
+      dashed_name: threat-indicator-file-code-signature-trusted
+      description: 'Stores the trust status of the certificate chain.
+
+        Validating the trust of the certificate chain may be complicated, and this
+        field should only be populated by tools that actively check the status.'
+      example: 'true'
+      flat_name: threat.indicator.file.code_signature.trusted
+      level: extended
+      name: trusted
+      normalize: []
+      original_fieldset: code_signature
+      short: Stores the trust status of the certificate chain.
+      type: boolean
+    threat.indicator.file.code_signature.valid:
+      dashed_name: threat-indicator-file-code-signature-valid
+      description: 'Boolean to capture if the digital signature is verified against
+        the binary content.
+
+        Leave unpopulated if a certificate was unchecked.'
+      example: 'true'
+      flat_name: threat.indicator.file.code_signature.valid
+      level: extended
+      name: valid
+      normalize: []
+      original_fieldset: code_signature
+      short: Boolean to capture if the digital signature is verified against the binary
+        content.
+      type: boolean
+    threat.indicator.file.created:
+      dashed_name: threat-indicator-file-created
+      description: 'File creation time.
+
+        Note that not all filesystems store the creation time.'
+      flat_name: threat.indicator.file.created
+      level: extended
+      name: created
+      normalize: []
+      original_fieldset: file
+      short: File creation time.
+      type: date
+    threat.indicator.file.ctime:
+      dashed_name: threat-indicator-file-ctime
+      description: 'Last time the file attributes or metadata changed.
+
+        Note that changes to the file content will update `mtime`. This implies `ctime`
+        will be adjusted at the same time, since `mtime` is an attribute of the file.'
+      flat_name: threat.indicator.file.ctime
+      level: extended
+      name: ctime
+      normalize: []
+      original_fieldset: file
+      short: Last time the file attributes or metadata changed.
+      type: date
+    threat.indicator.file.device:
+      dashed_name: threat-indicator-file-device
+      description: Device that is the source of the file.
+      example: sda
+      flat_name: threat.indicator.file.device
       ignore_above: 1024
       level: extended
-      name: technique.subtechnique.reference
-      normalize:
-      - array
-      short: Threat subtechnique URL reference.
+      name: device
+      normalize: []
+      original_fieldset: file
+      short: Device that is the source of the file.
       type: keyword
-  group: 2
-  name: threat
-  prefix: threat.
+    threat.indicator.file.directory:
+      dashed_name: threat-indicator-file-directory
+      description: Directory where the file is located. It should include the drive
+        letter, when appropriate.
+      example: /home/alice
+      flat_name: threat.indicator.file.directory
+      level: extended
+      name: directory
+      normalize: []
+      original_fieldset: file
+      short: Directory where the file is located.
+      type: wildcard
+    threat.indicator.file.drive_letter:
+      dashed_name: threat-indicator-file-drive-letter
+      description: 'Drive letter where the file is located. This field is only relevant
+        on Windows.
+
+        The value should be uppercase, and not include the colon.'
+      example: C
+      flat_name: threat.indicator.file.drive_letter
+      ignore_above: 1
+      level: extended
+      name: drive_letter
+      normalize: []
+      original_fieldset: file
+      short: Drive letter where the file is located.
+      type: keyword
+    threat.indicator.file.extension:
+      dashed_name: threat-indicator-file-extension
+      description: 'File extension, excluding the leading dot.
+
+        Note that when the file name has multiple extensions (example.tar.gz), only
+        the last one should be captured ("gz", not "tar.gz").'
+      example: png
+      flat_name: threat.indicator.file.extension
+      ignore_above: 1024
+      level: extended
+      name: extension
+      normalize: []
+      original_fieldset: file
+      short: File extension, excluding the leading dot.
+      type: keyword
+    threat.indicator.file.gid:
+      dashed_name: threat-indicator-file-gid
+      description: Primary group ID (GID) of the file.
+      example: '1001'
+      flat_name: threat.indicator.file.gid
+      ignore_above: 1024
+      level: extended
+      name: gid
+      normalize: []
+      original_fieldset: file
+      short: Primary group ID (GID) of the file.
+      type: keyword
+    threat.indicator.file.group:
+      dashed_name: threat-indicator-file-group
+      description: Primary group name of the file.
+      example: alice
+      flat_name: threat.indicator.file.group
+      ignore_above: 1024
+      level: extended
+      name: group
+      normalize: []
+      original_fieldset: file
+      short: Primary group name of the file.
+      type: keyword
+    threat.indicator.file.inode:
+      dashed_name: threat-indicator-file-inode
+      description: Inode representing the file in the filesystem.
+      example: '256383'
+      flat_name: threat.indicator.file.inode
+      ignore_above: 1024
+      level: extended
+      name: inode
+      normalize: []
+      original_fieldset: file
+      short: Inode representing the file in the filesystem.
+      type: keyword
+    threat.indicator.file.mime_type:
+      dashed_name: threat-indicator-file-mime-type
+      description: MIME type should identify the format of the file or stream of bytes
+        using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA
+        official types], where possible. When more than one type is applicable, the
+        most specific type should be used.
+      flat_name: threat.indicator.file.mime_type
+      ignore_above: 1024
+      level: extended
+      name: mime_type
+      normalize: []
+      original_fieldset: file
+      short: Media type of file, document, or arrangement of bytes.
+      type: keyword
+    threat.indicator.file.mode:
+      dashed_name: threat-indicator-file-mode
+      description: Mode of the file in octal representation.
+      example: '0640'
+      flat_name: threat.indicator.file.mode
+      ignore_above: 1024
+      level: extended
+      name: mode
+      normalize: []
+      original_fieldset: file
+      short: Mode of the file in octal representation.
+      type: keyword
+    threat.indicator.file.mtime:
+      dashed_name: threat-indicator-file-mtime
+      description: Last time the file content was modified.
+      flat_name: threat.indicator.file.mtime
+      level: extended
+      name: mtime
+      normalize: []
+      original_fieldset: file
+      short: Last time the file content was modified.
+      type: date
+    threat.indicator.file.name:
+      dashed_name: threat-indicator-file-name
+      description: Name of the file including the extension, without the directory.
+      example: example.png
+      flat_name: threat.indicator.file.name
+      ignore_above: 1024
+      level: extended
+      name: name
+      normalize: []
+      original_fieldset: file
+      short: Name of the file including the extension, without the directory.
+      type: keyword
+    threat.indicator.file.owner:
+      dashed_name: threat-indicator-file-owner
+      description: File owner's username.
+      example: alice
+      flat_name: threat.indicator.file.owner
+      ignore_above: 1024
+      level: extended
+      name: owner
+      normalize: []
+      original_fieldset: file
+      short: File owner's username.
+      type: keyword
+    threat.indicator.file.path:
+      dashed_name: threat-indicator-file-path
+      description: Full path to the file, including the file name. It should include
+        the drive letter, when appropriate.
+      example: /home/alice/example.png
+      flat_name: threat.indicator.file.path
+      level: extended
+      multi_fields:
+      - flat_name: threat.indicator.file.path.text
+        name: text
+        norms: false
+        type: text
+      name: path
+      normalize: []
+      original_fieldset: file
+      short: Full path to the file, including the file name.
+      type: wildcard
+    threat.indicator.file.size:
+      dashed_name: threat-indicator-file-size
+      description: 'File size in bytes.
+
+        Only relevant when `file.type` is "file".'
+      example: 16384
+      flat_name: threat.indicator.file.size
+      level: extended
+      name: size
+      normalize: []
+      original_fieldset: file
+      short: File size in bytes.
+      type: long
+    threat.indicator.file.target_path:
+      dashed_name: threat-indicator-file-target-path
+      description: Target path for symlinks.
+      flat_name: threat.indicator.file.target_path
+      level: extended
+      multi_fields:
+      - flat_name: threat.indicator.file.target_path.text
+        name: text
+        norms: false
+        type: text
+      name: target_path
+      normalize: []
+      original_fieldset: file
+      short: Target path for symlinks.
+      type: wildcard
+    threat.indicator.file.type:
+      dashed_name: threat-indicator-file-type
+      description: File type (file, dir, or symlink).
+      example: file
+      flat_name: threat.indicator.file.type
+      ignore_above: 1024
+      level: extended
+      name: type
+      normalize: []
+      original_fieldset: file
+      short: File type (file, dir, or symlink).
+      type: keyword
+    threat.indicator.file.uid:
+      dashed_name: threat-indicator-file-uid
+      description: The user ID (UID) or security identifier (SID) of the file owner.
+      example: '1001'
+      flat_name: threat.indicator.file.uid
+      ignore_above: 1024
+      level: extended
+      name: uid
+      normalize: []
+      original_fieldset: file
+      short: The user ID (UID) or security identifier (SID) of the file owner.
+      type: keyword
+    threat.indicator.first_seen:
+      dashed_name: threat-indicator-first-seen
+      description: The date and time when intelligence source first reported sighting
+        this indicator.
+      example: '2020-11-05T17:25:47.000Z'
+      flat_name: threat.indicator.first_seen
+      level: extended
+      name: indicator.first_seen
+      normalize: []
+      short: Date/time indicator was first reported.
+      type: date
+    threat.indicator.geo.city_name:
+      dashed_name: threat-indicator-geo-city-name
+      description: City name.
+      example: Montreal
+      flat_name: threat.indicator.geo.city_name
+      ignore_above: 1024
+      level: core
+      name: city_name
+      normalize: []
+      original_fieldset: geo
+      short: City name.
+      type: keyword
+    threat.indicator.geo.continent_code:
+      dashed_name: threat-indicator-geo-continent-code
+      description: Two-letter code representing continent's name.
+      example: NA
+      flat_name: threat.indicator.geo.continent_code
+      ignore_above: 1024
+      level: core
+      name: continent_code
+      normalize: []
+      original_fieldset: geo
+      short: Continent code.
+      type: keyword
+    threat.indicator.geo.continent_name:
+      dashed_name: threat-indicator-geo-continent-name
+      description: Name of the continent.
+      example: North America
+      flat_name: threat.indicator.geo.continent_name
+      ignore_above: 1024
+      level: core
+      name: continent_name
+      normalize: []
+      original_fieldset: geo
+      short: Name of the continent.
+      type: keyword
+    threat.indicator.geo.country_iso_code:
+      dashed_name: threat-indicator-geo-country-iso-code
+      description: Country ISO code.
+      example: CA
+      flat_name: threat.indicator.geo.country_iso_code
+      ignore_above: 1024
+      level: core
+      name: country_iso_code
+      normalize: []
+      original_fieldset: geo
+      short: Country ISO code.
+      type: keyword
+    threat.indicator.geo.country_name:
+      dashed_name: threat-indicator-geo-country-name
+      description: Country name.
+      example: Canada
+      flat_name: threat.indicator.geo.country_name
+      ignore_above: 1024
+      level: core
+      name: country_name
+      normalize: []
+      original_fieldset: geo
+      short: Country name.
+      type: keyword
+    threat.indicator.geo.location:
+      dashed_name: threat-indicator-geo-location
+      description: Longitude and latitude.
+      example: '{ "lon": -73.614830, "lat": 45.505918 }'
+      flat_name: threat.indicator.geo.location
+      level: core
+      name: location
+      normalize: []
+      original_fieldset: geo
+      short: Longitude and latitude.
+      type: geo_point
+    threat.indicator.geo.name:
+      dashed_name: threat-indicator-geo-name
+      description: 'User-defined description of a location, at the level of granularity
+        they care about.
+
+        Could be the name of their data centers, the floor number, if this describes
+        a local physical entity, city names.
+
+        Not typically used in automated geolocation.'
+      example: boston-dc
+      flat_name: threat.indicator.geo.name
+      level: extended
+      name: name
+      normalize: []
+      original_fieldset: geo
+      short: User-defined description of a location.
+      type: wildcard
+    threat.indicator.geo.postal_code:
+      dashed_name: threat-indicator-geo-postal-code
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      flat_name: threat.indicator.geo.postal_code
+      ignore_above: 1024
+      level: core
+      name: postal_code
+      normalize: []
+      original_fieldset: geo
+      short: Postal code.
+      type: keyword
+    threat.indicator.geo.region_iso_code:
+      dashed_name: threat-indicator-geo-region-iso-code
+      description: Region ISO code.
+      example: CA-QC
+      flat_name: threat.indicator.geo.region_iso_code
+      ignore_above: 1024
+      level: core
+      name: region_iso_code
+      normalize: []
+      original_fieldset: geo
+      short: Region ISO code.
+      type: keyword
+    threat.indicator.geo.region_name:
+      dashed_name: threat-indicator-geo-region-name
+      description: Region name.
+      example: Quebec
+      flat_name: threat.indicator.geo.region_name
+      ignore_above: 1024
+      level: core
+      name: region_name
+      normalize: []
+      original_fieldset: geo
+      short: Region name.
+      type: keyword
+    threat.indicator.geo.timezone:
+      dashed_name: threat-indicator-geo-timezone
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      flat_name: threat.indicator.geo.timezone
+      ignore_above: 1024
+      level: core
+      name: timezone
+      normalize: []
+      original_fieldset: geo
+      short: Time zone.
+      type: keyword
+    threat.indicator.hash.md5:
+      dashed_name: threat-indicator-hash-md5
+      description: MD5 hash.
+      flat_name: threat.indicator.hash.md5
+      ignore_above: 1024
+      level: extended
+      name: md5
+      normalize: []
+      original_fieldset: hash
+      short: MD5 hash.
+      type: keyword
+    threat.indicator.hash.sha1:
+      dashed_name: threat-indicator-hash-sha1
+      description: SHA1 hash.
+      flat_name: threat.indicator.hash.sha1
+      ignore_above: 1024
+      level: extended
+      name: sha1
+      normalize: []
+      original_fieldset: hash
+      short: SHA1 hash.
+      type: keyword
+    threat.indicator.hash.sha256:
+      dashed_name: threat-indicator-hash-sha256
+      description: SHA256 hash.
+      flat_name: threat.indicator.hash.sha256
+      ignore_above: 1024
+      level: extended
+      name: sha256
+      normalize: []
+      original_fieldset: hash
+      short: SHA256 hash.
+      type: keyword
+    threat.indicator.hash.sha512:
+      dashed_name: threat-indicator-hash-sha512
+      description: SHA512 hash.
+      flat_name: threat.indicator.hash.sha512
+      ignore_above: 1024
+      level: extended
+      name: sha512
+      normalize: []
+      original_fieldset: hash
+      short: SHA512 hash.
+      type: keyword
+    threat.indicator.hash.ssdeep:
+      dashed_name: threat-indicator-hash-ssdeep
+      description: SSDEEP hash.
+      flat_name: threat.indicator.hash.ssdeep
+      ignore_above: 1024
+      level: extended
+      name: ssdeep
+      normalize: []
+      original_fieldset: hash
+      short: SSDEEP hash.
+      type: keyword
+    threat.indicator.ip:
+      dashed_name: threat-indicator-ip
+      description: Identifies a threat indicator as an IP address (irrespective of
+        direction).
+      example: 1.2.3.4
+      flat_name: threat.indicator.ip
+      level: extended
+      name: indicator.ip
+      normalize: []
+      short: Indicator IP address
+      type: ip
+    threat.indicator.last_seen:
+      dashed_name: threat-indicator-last-seen
+      description: The date and time when intelligence source last reported sighting
+        this indicator.
+      example: '2020-11-05T17:25:47.000Z'
+      flat_name: threat.indicator.last_seen
+      level: extended
+      name: indicator.last_seen
+      normalize: []
+      short: Date/time indicator was last reported.
+      type: date
+    threat.indicator.marking.tlp:
+      dashed_name: threat-indicator-marking-tlp
+      description: "Traffic Light Protocol sharing markings.\nExpected values are:\n\
+        \  * White\n  * Green\n  * Amber\n  * Red"
+      example: White
+      flat_name: threat.indicator.marking.tlp
+      ignore_above: 1024
+      level: extended
+      name: indicator.marking.tlp
+      normalize: []
+      short: Indicator TLP marking
+      type: keyword
+    threat.indicator.matched.atomic:
+      dashed_name: threat-indicator-matched-atomic
+      description: Identifies the atomic indicator that matched a local environment
+        endpoint or network event.
+      example: example.com
+      flat_name: threat.indicator.matched.atomic
+      ignore_above: 1024
+      level: extended
+      name: indicator.matched.atomic
+      normalize: []
+      short: Indicator atomic match
+      type: keyword
+    threat.indicator.matched.field:
+      dashed_name: threat-indicator-matched-field
+      description: Identifies the field of the atomic indicator that matched a local
+        environment endpoint or network event.
+      example: file.hash.sha256
+      flat_name: threat.indicator.matched.field
+      ignore_above: 1024
+      level: extended
+      name: indicator.matched.field
+      normalize: []
+      short: Indicator field match
+      type: keyword
+    threat.indicator.matched.type:
+      dashed_name: threat-indicator-matched-type
+      description: Identifies the type of the atomic indicator that matched a local
+        environment endpoint or network event.
+      example: domain-name
+      flat_name: threat.indicator.matched.type
+      ignore_above: 1024
+      level: extended
+      name: indicator.matched.type
+      normalize: []
+      short: Indicator type match
+      type: keyword
+    threat.indicator.module:
+      dashed_name: threat-indicator-module
+      description: Identifies the name of specific module this data is coming from.
+      example: threatintel
+      flat_name: threat.indicator.module
+      ignore_above: 1024
+      level: extended
+      name: indicator.module
+      normalize: []
+      short: Indicator module
+      type: keyword
+    threat.indicator.pe.architecture:
+      dashed_name: threat-indicator-pe-architecture
+      description: CPU architecture target for the file.
+      example: x64
+      flat_name: threat.indicator.pe.architecture
+      ignore_above: 1024
+      level: extended
+      name: architecture
+      normalize: []
+      original_fieldset: pe
+      short: CPU architecture target for the file.
+      type: keyword
+    threat.indicator.pe.authentihash:
+      dashed_name: threat-indicator-pe-authentihash
+      description: Authentihash of the PE file.
+      example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
+      flat_name: threat.indicator.pe.authentihash
+      ignore_above: 1024
+      level: extended
+      name: authentihash
+      normalize: []
+      original_fieldset: pe
+      short: Authentihash of the PE file.
+      type: keyword
+    threat.indicator.pe.company:
+      dashed_name: threat-indicator-pe-company
+      description: Internal company name of the file, provided at compile-time.
+      example: Microsoft Corporation
+      flat_name: threat.indicator.pe.company
+      ignore_above: 1024
+      level: extended
+      name: company
+      normalize: []
+      original_fieldset: pe
+      short: Internal company name of the file, provided at compile-time.
+      type: keyword
+    threat.indicator.pe.compile_timestamp:
+      dashed_name: threat-indicator-pe-compile-timestamp
+      description: Compile timestamp of the PE file.
+      example: '2020-11-05T17:25:47.000Z'
+      flat_name: threat.indicator.pe.compile_timestamp
+      level: extended
+      name: compile_timestamp
+      normalize: []
+      original_fieldset: pe
+      short: Compile timestamp of the PE file.
+      type: date
+    threat.indicator.pe.compiler.name:
+      dashed_name: threat-indicator-pe-compiler-name
+      description: Name of the compiler
+      example: Clang
+      flat_name: threat.indicator.pe.compiler.name
+      ignore_above: 1024
+      level: extended
+      name: compiler.name
+      normalize: []
+      original_fieldset: pe
+      short: Name of the compiler
+      type: keyword
+    threat.indicator.pe.compiler.version:
+      dashed_name: threat-indicator-pe-compiler-version
+      description: Version of the compiler.
+      example: 11.0.0
+      flat_name: threat.indicator.pe.compiler.version
+      ignore_above: 1024
+      level: extended
+      name: compiler.version
+      normalize: []
+      original_fieldset: pe
+      short: Version of the compiler.
+      type: keyword
+    threat.indicator.pe.creation_date:
+      dashed_name: threat-indicator-pe-creation-date
+      description: Extracted when possible from the file's metadata. Indicates when
+        it was built or compiled. It can also be faked by malware creators.
+      example: '2020-11-05T17:25:47.000Z'
+      flat_name: threat.indicator.pe.creation_date
+      level: extended
+      name: creation_date
+      normalize: []
+      original_fieldset: pe
+      short: Build or compile date.
+      type: date
+    threat.indicator.pe.debug:
+      dashed_name: threat-indicator-pe-debug
+      description: 'An array containing an object for each debug entry, if present.
+
+        The expected fields for this nested object fall under the `debug.` prefix.'
+      flat_name: threat.indicator.pe.debug
+      level: extended
+      name: debug
+      normalize:
+      - array
+      original_fieldset: pe
+      short: Debug information
+      type: nested
+    threat.indicator.pe.debug.offset:
+      dashed_name: threat-indicator-pe-debug-offset
+      description: Debug offset information.
+      example: 1296336
+      flat_name: threat.indicator.pe.debug.offset
+      ignore_above: 1024
+      level: extended
+      name: debug.offset
+      normalize: []
+      original_fieldset: pe
+      short: Debug offset information.
+      type: keyword
+    threat.indicator.pe.debug.size:
+      dashed_name: threat-indicator-pe-debug-size
+      description: Size of the debug information.
+      example: 816
+      flat_name: threat.indicator.pe.debug.size
+      format: bytes
+      level: extended
+      name: debug.size
+      normalize: []
+      original_fieldset: pe
+      short: Size of the debug information.
+      type: long
+    threat.indicator.pe.debug.timestamp:
+      dashed_name: threat-indicator-pe-debug-timestamp
+      description: Timestamp of the debug information.
+      example: '2020-11-05T17:25:47.000Z'
+      flat_name: threat.indicator.pe.debug.timestamp
+      level: extended
+      name: debug.timestamp
+      normalize: []
+      original_fieldset: pe
+      short: Timestamp of the debug information.
+      type: date
+    threat.indicator.pe.debug.type:
+      dashed_name: threat-indicator-pe-debug-type
+      description: Information type generated by the debug options.
+      example: IMAGE_DEBUG_TYPE_POGO
+      flat_name: threat.indicator.pe.debug.type
+      ignore_above: 1024
+      level: extended
+      name: debug.type
+      normalize: []
+      original_fieldset: pe
+      short: Information type generated by the debug options.
+      type: keyword
+    threat.indicator.pe.description:
+      dashed_name: threat-indicator-pe-description
+      description: Internal description of the file, provided at compile-time.
+      example: Paint
+      flat_name: threat.indicator.pe.description
+      ignore_above: 1024
+      level: extended
+      name: description
+      normalize: []
+      original_fieldset: pe
+      short: Internal description of the file, provided at compile-time.
+      type: keyword
+    threat.indicator.pe.entry_point:
+      dashed_name: threat-indicator-pe-entry-point
+      description: Relative byte offset to the base of the PE file.
+      example: 25856
+      flat_name: threat.indicator.pe.entry_point
+      ignore_above: 1024
+      level: extended
+      name: entry_point
+      normalize: []
+      original_fieldset: pe
+      short: Relative byte offset to the base of the PE file.
+      type: keyword
+    threat.indicator.pe.exports:
+      dashed_name: threat-indicator-pe-exports
+      description: List of symbols exported by PE
+      example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
+      flat_name: threat.indicator.pe.exports
+      ignore_above: 1024
+      level: extended
+      name: exports
+      normalize:
+      - array
+      original_fieldset: pe
+      short: List of symbols exported by PE
+      type: keyword
+    threat.indicator.pe.file_version:
+      dashed_name: threat-indicator-pe-file-version
+      description: Internal version of the file, provided at compile-time.
+      example: 6.3.9600.17415
+      flat_name: threat.indicator.pe.file_version
+      ignore_above: 1024
+      level: extended
+      name: file_version
+      normalize: []
+      original_fieldset: pe
+      short: Process name.
+      type: keyword
+    threat.indicator.pe.icon.hash.dhash:
+      dashed_name: threat-indicator-pe-icon-hash-dhash
+      description: Difference Hash (dhash) to find files with a visually similar icon
+        or thumbnail.
+      example: b806e17c8e330d82
+      flat_name: threat.indicator.pe.icon.hash.dhash
+      ignore_above: 1024
+      level: extended
+      name: icon.hash.dhash
+      normalize: []
+      original_fieldset: pe
+      short: Difference Hash (dhash) to find files with a visually similar icon or
+        thumbnail.
+      type: keyword
+    threat.indicator.pe.imphash:
+      dashed_name: threat-indicator-pe-imphash
+      description: 'A hash of the imports in a PE file. An imphash -- or import hash
+        -- can be used to fingerprint binaries even after recompilation or other code-level
+        transformations have occurred, which would change more traditional hash values.
+
+        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+      example: 0c6803c4e922103c4dca5963aad36ddf
+      flat_name: threat.indicator.pe.imphash
+      ignore_above: 1024
+      level: extended
+      name: imphash
+      normalize: []
+      original_fieldset: pe
+      short: A hash of the imports in a PE file.
+      type: keyword
+    threat.indicator.pe.imports:
+      dashed_name: threat-indicator-pe-imports
+      description: List of all imported functions
+      example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
+        }'
+      flat_name: threat.indicator.pe.imports
+      level: extended
+      name: imports
+      normalize: []
+      original_fieldset: pe
+      short: List of all imported functions
+      type: flattened
+    threat.indicator.pe.machine_type:
+      dashed_name: threat-indicator-pe-machine-type
+      description: Machine type of the PE file.
+      example: Intel 386 or later, and compatibles
+      flat_name: threat.indicator.pe.machine_type
+      ignore_above: 1024
+      level: extended
+      name: machine_type
+      normalize: []
+      original_fieldset: pe
+      short: Machine type of the PE file.
+      type: keyword
+    threat.indicator.pe.original_file_name:
+      dashed_name: threat-indicator-pe-original-file-name
+      description: Internal name of the file, provided at compile-time.
+      example: MSPAINT.EXE
+      flat_name: threat.indicator.pe.original_file_name
+      level: extended
+      name: original_file_name
+      normalize: []
+      original_fieldset: pe
+      short: Internal name of the file, provided at compile-time.
+      type: wildcard
+    threat.indicator.pe.packers:
+      dashed_name: threat-indicator-pe-packers
+      description: List of packers and tools used.
+      example: '["ASPack v2.12", ".NET executable"]'
+      flat_name: threat.indicator.pe.packers
+      ignore_above: 1024
+      level: extended
+      name: packers
+      normalize:
+      - array
+      original_fieldset: pe
+      short: List of packers and tools used.
+      type: keyword
+    threat.indicator.pe.product:
+      dashed_name: threat-indicator-pe-product
+      description: Internal product name of the file, provided at compile-time.
+      example: "Microsoft\xAE Windows\xAE Operating System"
+      flat_name: threat.indicator.pe.product
+      ignore_above: 1024
+      level: extended
+      name: product
+      normalize: []
+      original_fieldset: pe
+      short: Internal product name of the file, provided at compile-time.
+      type: keyword
+    threat.indicator.pe.resources:
+      dashed_name: threat-indicator-pe-resources
+      description: 'An array containing an object for each PE resource, if present.
+
+        The expected fields for this nested object fall under the `resources.` prefix.'
+      flat_name: threat.indicator.pe.resources
+      level: extended
+      name: resources
+      normalize:
+      - array
+      original_fieldset: pe
+      short: PE resource information
+      type: nested
+    threat.indicator.pe.resources.chi2:
+      dashed_name: threat-indicator-pe-resources-chi2
+      description: Chi-square probability distribution.
+      example: -1
+      flat_name: threat.indicator.pe.resources.chi2
+      level: extended
+      name: resources.chi2
+      normalize: []
+      original_fieldset: pe
+      short: Chi-square probability distribution.
+      type: long
+    threat.indicator.pe.resources.entropy:
+      dashed_name: threat-indicator-pe-resources-entropy
+      description: Measurement of entropy randomness in the resources section.
+      example: 0, 1
+      flat_name: threat.indicator.pe.resources.entropy
+      level: extended
+      name: resources.entropy
+      normalize: []
+      original_fieldset: pe
+      short: Measurement of entropy randomness in the resources section.
+      type: long
+    threat.indicator.pe.resources.filetype:
+      dashed_name: threat-indicator-pe-resources-filetype
+      description: File type of the resources section.
+      example: Data
+      flat_name: threat.indicator.pe.resources.filetype
+      ignore_above: 1024
+      level: extended
+      name: resources.filetype
+      normalize: []
+      original_fieldset: pe
+      short: File type of the resources section.
+      type: keyword
+    threat.indicator.pe.resources.language:
+      dashed_name: threat-indicator-pe-resources-language
+      description: Language identification.
+      example: CHINESE SIMPLIFIED
+      flat_name: threat.indicator.pe.resources.language
+      ignore_above: 1024
+      level: extended
+      name: resources.language
+      normalize: []
+      original_fieldset: pe
+      short: Language identification.
+      type: keyword
+    threat.indicator.pe.resources.sha256:
+      dashed_name: threat-indicator-pe-resources-sha256
+      description: SHA256 hash of resources section.
+      example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+      flat_name: threat.indicator.pe.resources.sha256
+      ignore_above: 1024
+      level: extended
+      name: resources.sha256
+      normalize: []
+      original_fieldset: pe
+      short: SHA256 hash of resources section.
+      type: keyword
+    threat.indicator.pe.resources.type:
+      dashed_name: threat-indicator-pe-resources-type
+      description: Digest of resource types.
+      example: '["RT_VERSION", "RT_MANIFEST"]'
+      flat_name: threat.indicator.pe.resources.type
+      ignore_above: 1024
+      level: extended
+      name: resources.type
+      normalize:
+      - array
+      original_fieldset: pe
+      short: List of resource types.
+      type: keyword
+    threat.indicator.pe.rich_header.hash.md5:
+      dashed_name: threat-indicator-pe-rich-header-hash-md5
+      description: MD5 hash of the header for the PE file.
+      example: 5aa1aa0f2b4be70397a1e9e2b87627cd
+      flat_name: threat.indicator.pe.rich_header.hash.md5
+      ignore_above: 1024
+      level: extended
+      name: rich_header.hash.md5
+      normalize: []
+      original_fieldset: pe
+      short: MD5 hash of the header for the PE file.
+      type: keyword
+    threat.indicator.pe.sections:
+      dashed_name: threat-indicator-pe-sections
+      description: Data about sections of compiled binary PE
+      flat_name: threat.indicator.pe.sections
+      level: extended
+      name: sections
+      normalize:
+      - array
+      original_fieldset: pe
+      short: Data about sections of the compiled binary PE
+      type: nested
+    threat.indicator.pe.sections.chi2:
+      dashed_name: threat-indicator-pe-sections-chi2
+      description: Chi-square probability distribution.
+      example: 3027194
+      flat_name: threat.indicator.pe.sections.chi2
+      level: extended
+      name: sections.chi2
+      normalize: []
+      original_fieldset: pe
+      short: Chi-square probability distribution.
+      type: long
+    threat.indicator.pe.sections.entropy:
+      dashed_name: threat-indicator-pe-sections-entropy
+      description: Measurement of entropy randomness in the file.
+      example: 6.24
+      flat_name: threat.indicator.pe.sections.entropy
+      level: extended
+      name: sections.entropy
+      normalize: []
+      original_fieldset: pe
+      short: Measurement of entropy randomness in the file.
+      type: float
+    threat.indicator.pe.sections.flags:
+      dashed_name: threat-indicator-pe-sections-flags
+      description: Section flags of the file.
+      example: rx
+      flat_name: threat.indicator.pe.sections.flags
+      ignore_above: 1024
+      level: extended
+      name: sections.flags
+      normalize: []
+      original_fieldset: pe
+      short: Section flags of the file.
+      type: keyword
+    threat.indicator.pe.sections.name:
+      dashed_name: threat-indicator-pe-sections-name
+      description: Section names of the file.
+      example: .text, .data
+      flat_name: threat.indicator.pe.sections.name
+      ignore_above: 1024
+      level: extended
+      name: sections.name
+      normalize: []
+      original_fieldset: pe
+      short: Section names of the file.
+      type: keyword
+    threat.indicator.pe.sections.raw_size:
+      dashed_name: threat-indicator-pe-sections-raw-size
+      description: Size of the section or the dize of the initialized data on disk.
+      example: 198144
+      flat_name: threat.indicator.pe.sections.raw_size
+      format: bytes
+      level: extended
+      name: sections.raw_size
+      normalize: []
+      original_fieldset: pe
+      short: Size of the section or the dize of the initialized data on disk.
+      type: long
+    threat.indicator.pe.sections.virtual_address:
+      dashed_name: threat-indicator-pe-sections-virtual-address
+      description: Virtual address available to the file.
+      example: 8192
+      flat_name: threat.indicator.pe.sections.virtual_address
+      format: bytes
+      level: extended
+      name: sections.virtual_address
+      normalize: []
+      original_fieldset: pe
+      short: Virtual address available to the file.
+      type: long
+    threat.indicator.port:
+      dashed_name: threat-indicator-port
+      description: Identifies a threat indicator as a port number (irrespective of
+        direction).
+      example: 443
+      flat_name: threat.indicator.port
+      level: extended
+      name: indicator.port
+      normalize: []
+      short: Indicator port
+      type: long
+    threat.indicator.provider:
+      dashed_name: threat-indicator-provider
+      description: Identifies the name of the intelligence provider.
+      example: VirusTotal
+      flat_name: threat.indicator.provider
+      ignore_above: 1024
+      level: extended
+      name: indicator.provider
+      normalize: []
+      short: Identifies the name of the intelligence provider.
+      type: keyword
+    threat.indicator.registry.data.bytes:
+      dashed_name: threat-indicator-registry-data-bytes
+      description: 'Original bytes written with base64 encoding.
+
+        For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
+        corresponds to the data pointed by `lp_data`. This is optional but provides
+        better recoverability and should be populated for REG_BINARY encoded values.'
+      example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
+      flat_name: threat.indicator.registry.data.bytes
+      ignore_above: 1024
+      level: extended
+      name: data.bytes
+      normalize: []
+      original_fieldset: registry
+      short: Original bytes written with base64 encoding.
+      type: keyword
+    threat.indicator.registry.data.strings:
+      dashed_name: threat-indicator-registry-data-strings
+      description: 'Content when writing string types.
+
+        Populated as an array when writing string data to the registry. For single
+        string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with
+        one string. For sequences of string with REG_MULTI_SZ, this array will be
+        variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should
+        be populated with the decimal representation (e.g `"1"`).'
+      example: '["C:\rta\red_ttp\bin\myapp.exe"]'
+      flat_name: threat.indicator.registry.data.strings
+      level: core
+      name: data.strings
+      normalize:
+      - array
+      original_fieldset: registry
+      short: List of strings representing what was written to the registry.
+      type: wildcard
+    threat.indicator.registry.data.type:
+      dashed_name: threat-indicator-registry-data-type
+      description: Standard registry type for encoding contents
+      example: REG_SZ
+      flat_name: threat.indicator.registry.data.type
+      ignore_above: 1024
+      level: core
+      name: data.type
+      normalize: []
+      original_fieldset: registry
+      short: Standard registry type for encoding contents
+      type: keyword
+    threat.indicator.registry.hive:
+      dashed_name: threat-indicator-registry-hive
+      description: Abbreviated name for the hive.
+      example: HKLM
+      flat_name: threat.indicator.registry.hive
+      ignore_above: 1024
+      level: core
+      name: hive
+      normalize: []
+      original_fieldset: registry
+      short: Abbreviated name for the hive.
+      type: keyword
+    threat.indicator.registry.key:
+      dashed_name: threat-indicator-registry-key
+      description: Hive-relative path of keys.
+      example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
+      flat_name: threat.indicator.registry.key
+      level: core
+      name: key
+      normalize: []
+      original_fieldset: registry
+      short: Hive-relative path of keys.
+      type: wildcard
+    threat.indicator.registry.path:
+      dashed_name: threat-indicator-registry-path
+      description: Full path, including hive, key and value
+      example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
+        Options\winword.exe\Debugger
+      flat_name: threat.indicator.registry.path
+      level: core
+      name: path
+      normalize: []
+      original_fieldset: registry
+      short: Full path, including hive, key and value
+      type: wildcard
+    threat.indicator.registry.value:
+      dashed_name: threat-indicator-registry-value
+      description: Name of the value written.
+      example: Debugger
+      flat_name: threat.indicator.registry.value
+      ignore_above: 1024
+      level: core
+      name: value
+      normalize: []
+      original_fieldset: registry
+      short: Name of the value written.
+      type: keyword
+    threat.indicator.scanner_stats:
+      dashed_name: threat-indicator-scanner-stats
+      description: Count of AV/EDR vendors that successfully detected malicious file
+        or URL.
+      example: 4
+      flat_name: threat.indicator.scanner_stats
+      level: extended
+      name: indicator.scanner_stats
+      normalize: []
+      short: Scanner statistics
+      type: long
+    threat.indicator.sightings:
+      dashed_name: threat-indicator-sightings
+      description: Number of times this indicator was observed conducting threat activity.
+      example: 20
+      flat_name: threat.indicator.sightings
+      level: extended
+      name: indicator.sightings
+      normalize: []
+      short: Number of times indicator observed
+      type: long
+    threat.indicator.type:
+      dashed_name: threat-indicator-type
+      description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\
+        Expected values\n  * autonomous-system\n  * artifact\n  * directory\n  * domain-name\n\
+        \  * email-addr\n  * file\n  * ipv4-addr\n  * ipv6-addr\n  * mac-addr\n  *\
+        \ mutex\n  * process\n  * software\n  * url\n  * user-account\n  * windows-registry-key\n\
+        \  * x-509-certificate"
+      example: ipv4-addr
+      flat_name: threat.indicator.type
+      ignore_above: 1024
+      level: extended
+      name: indicator.type
+      normalize: []
+      short: Type of indicator
+      type: keyword
+    threat.tactic.id:
+      dashed_name: threat-tactic-id
+      description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\
+        \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )"
+      example: TA0002
+      flat_name: threat.tactic.id
+      ignore_above: 1024
+      level: extended
+      name: tactic.id
+      normalize:
+      - array
+      short: Threat tactic id.
+      type: keyword
+    threat.tactic.name:
+      dashed_name: threat-tactic-name
+      description: "Name of the type of tactic used by this threat. You can use a\
+        \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)"
+      example: Execution
+      flat_name: threat.tactic.name
+      ignore_above: 1024
+      level: extended
+      name: tactic.name
+      normalize:
+      - array
+      short: Threat tactic.
+      type: keyword
+    threat.tactic.reference:
+      dashed_name: threat-tactic-reference
+      description: "The reference url of tactic used by this threat. You can use a\
+        \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/\
+        \ )"
+      example: https://attack.mitre.org/tactics/TA0002/
+      flat_name: threat.tactic.reference
+      ignore_above: 1024
+      level: extended
+      name: tactic.reference
+      normalize:
+      - array
+      short: Threat tactic URL reference.
+      type: keyword
+    threat.technique.id:
+      dashed_name: threat-technique-id
+      description: "The id of technique used by this threat. You can use a MITRE ATT&CK\xAE\
+        \ technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
+      example: T1059
+      flat_name: threat.technique.id
+      ignore_above: 1024
+      level: extended
+      name: technique.id
+      normalize:
+      - array
+      short: Threat technique id.
+      type: keyword
+    threat.technique.name:
+      dashed_name: threat-technique-name
+      description: "The name of technique used by this threat. You can use a MITRE\
+        \ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
+      example: Command and Scripting Interpreter
+      flat_name: threat.technique.name
+      ignore_above: 1024
+      level: extended
+      multi_fields:
+      - flat_name: threat.technique.name.text
+        name: text
+        norms: false
+        type: text
+      name: technique.name
+      normalize:
+      - array
+      short: Threat technique name.
+      type: keyword
+    threat.technique.reference:
+      dashed_name: threat-technique-reference
+      description: "The reference url of technique used by this threat. You can use\
+        \ a MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
+      example: https://attack.mitre.org/techniques/T1059/
+      flat_name: threat.technique.reference
+      ignore_above: 1024
+      level: extended
+      name: technique.reference
+      normalize:
+      - array
+      short: Threat technique URL reference.
+      type: keyword
+    threat.technique.subtechnique.id:
+      dashed_name: threat-technique-subtechnique-id
+      description: "The full id of subtechnique used by this threat. You can use a\
+        \ MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
+      example: T1059.001
+      flat_name: threat.technique.subtechnique.id
+      ignore_above: 1024
+      level: extended
+      name: technique.subtechnique.id
+      normalize:
+      - array
+      short: Threat subtechnique id.
+      type: keyword
+    threat.technique.subtechnique.name:
+      dashed_name: threat-technique-subtechnique-name
+      description: "The name of subtechnique used by this threat. You can use a MITRE\
+        \ ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
+      example: PowerShell
+      flat_name: threat.technique.subtechnique.name
+      ignore_above: 1024
+      level: extended
+      multi_fields:
+      - flat_name: threat.technique.subtechnique.name.text
+        name: text
+        norms: false
+        type: text
+      name: technique.subtechnique.name
+      normalize:
+      - array
+      short: Threat subtechnique name.
+      type: keyword
+    threat.technique.subtechnique.reference:
+      dashed_name: threat-technique-subtechnique-reference
+      description: "The reference url of subtechnique used by this threat. You can\
+        \ use a MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
+      example: https://attack.mitre.org/techniques/T1059/001/
+      flat_name: threat.technique.subtechnique.reference
+      ignore_above: 1024
+      level: extended
+      name: technique.subtechnique.reference
+      normalize:
+      - array
+      short: Threat subtechnique URL reference.
+      type: keyword
+  group: 2
+  name: threat
+  nestings:
+  - threat.indicator.as
+  - threat.indicator.file
+  - threat.indicator.geo
+  - threat.indicator.hash
+  - threat.indicator.pe
+  - threat.indicator.registry
+  prefix: threat.
+  reused_here:
+  - full: threat.indicator.as
+    schema_name: as
+    short: Fields describing an Autonomous System (Internet routing prefix).
+  - full: threat.indicator.file
+    schema_name: file
+    short: Fields describing files.
+  - full: threat.indicator.geo
+    schema_name: geo
+    short: Fields describing a location.
+  - full: threat.indicator.hash
+    schema_name: hash
+    short: Hashes, usually file hashes.
+  - full: threat.indicator.pe
+    schema_name: pe
+    short: These fields contain Windows Portable Executable (PE) metadata.
+  - full: threat.indicator.registry
+    schema_name: registry
+    short: Fields related to Windows Registry operations.
   short: Fields to classify events and alerts according to a threat taxonomy.
   title: Threat
   type: group
diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json
index 0d50f26547..d0e3ddd29d 100644
--- a/experimental/generated/elasticsearch/7/template.json
+++ b/experimental/generated/elasticsearch/7/template.json
@@ -3223,6 +3223,498 @@
             "ignore_above": 1024,
             "type": "keyword"
           },
+          "indicator": {
+            "properties": {
+              "as": {
+                "properties": {
+                  "number": {
+                    "type": "long"
+                  },
+                  "organization": {
+                    "properties": {
+                      "name": {
+                        "fields": {
+                          "text": {
+                            "norms": false,
+                            "type": "text"
+                          }
+                        },
+                        "type": "wildcard"
+                      }
+                    }
+                  }
+                }
+              },
+              "confidence": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "dataset": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "description": {
+                "type": "wildcard"
+              },
+              "domain": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "email": {
+                "properties": {
+                  "address": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "file": {
+                "properties": {
+                  "accessed": {
+                    "type": "date"
+                  },
+                  "attributes": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "code_signature": {
+                    "properties": {
+                      "exists": {
+                        "type": "boolean"
+                      },
+                      "signing_id": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "status": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "subject_name": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "team_id": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "trusted": {
+                        "type": "boolean"
+                      },
+                      "valid": {
+                        "type": "boolean"
+                      }
+                    }
+                  },
+                  "created": {
+                    "type": "date"
+                  },
+                  "ctime": {
+                    "type": "date"
+                  },
+                  "device": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "directory": {
+                    "type": "wildcard"
+                  },
+                  "drive_letter": {
+                    "ignore_above": 1,
+                    "type": "keyword"
+                  },
+                  "extension": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "gid": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "group": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "inode": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "mime_type": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "mode": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "mtime": {
+                    "type": "date"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "owner": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "path": {
+                    "fields": {
+                      "text": {
+                        "norms": false,
+                        "type": "text"
+                      }
+                    },
+                    "type": "wildcard"
+                  },
+                  "size": {
+                    "type": "long"
+                  },
+                  "target_path": {
+                    "fields": {
+                      "text": {
+                        "norms": false,
+                        "type": "text"
+                      }
+                    },
+                    "type": "wildcard"
+                  },
+                  "type": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "uid": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "first_seen": {
+                "type": "date"
+              },
+              "geo": {
+                "properties": {
+                  "city_name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "continent_code": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "continent_name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "country_iso_code": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "country_name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "location": {
+                    "type": "geo_point"
+                  },
+                  "name": {
+                    "type": "wildcard"
+                  },
+                  "postal_code": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "region_iso_code": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "region_name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "timezone": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "hash": {
+                "properties": {
+                  "md5": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "sha1": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "sha256": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "sha512": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "ssdeep": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "ip": {
+                "type": "ip"
+              },
+              "last_seen": {
+                "type": "date"
+              },
+              "marking": {
+                "properties": {
+                  "tlp": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "matched": {
+                "properties": {
+                  "atomic": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "field": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "type": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "module": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "pe": {
+                "properties": {
+                  "architecture": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "authentihash": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "company": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "compile_timestamp": {
+                    "type": "date"
+                  },
+                  "compiler": {
+                    "properties": {
+                      "name": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "version": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      }
+                    }
+                  },
+                  "creation_date": {
+                    "type": "date"
+                  },
+                  "debug": {
+                    "properties": {
+                      "offset": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "size": {
+                        "type": "long"
+                      },
+                      "timestamp": {
+                        "type": "date"
+                      },
+                      "type": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      }
+                    },
+                    "type": "nested"
+                  },
+                  "description": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "entry_point": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "exports": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "file_version": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "icon": {
+                    "properties": {
+                      "hash": {
+                        "properties": {
+                          "dhash": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          }
+                        }
+                      }
+                    }
+                  },
+                  "imphash": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "imports": {
+                    "type": "flattened"
+                  },
+                  "machine_type": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "original_file_name": {
+                    "type": "wildcard"
+                  },
+                  "packers": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "product": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "resources": {
+                    "properties": {
+                      "chi2": {
+                        "type": "long"
+                      },
+                      "entropy": {
+                        "type": "long"
+                      },
+                      "filetype": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "language": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "sha256": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "type": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      }
+                    },
+                    "type": "nested"
+                  },
+                  "rich_header": {
+                    "properties": {
+                      "hash": {
+                        "properties": {
+                          "md5": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          }
+                        }
+                      }
+                    }
+                  },
+                  "sections": {
+                    "properties": {
+                      "chi2": {
+                        "type": "long"
+                      },
+                      "entropy": {
+                        "type": "float"
+                      },
+                      "flags": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "name": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "raw_size": {
+                        "type": "long"
+                      },
+                      "virtual_address": {
+                        "type": "long"
+                      }
+                    },
+                    "type": "nested"
+                  }
+                }
+              },
+              "port": {
+                "type": "long"
+              },
+              "provider": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "registry": {
+                "properties": {
+                  "data": {
+                    "properties": {
+                      "bytes": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "strings": {
+                        "type": "wildcard"
+                      },
+                      "type": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      }
+                    }
+                  },
+                  "hive": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "key": {
+                    "type": "wildcard"
+                  },
+                  "path": {
+                    "type": "wildcard"
+                  },
+                  "value": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "scanner_stats": {
+                "type": "long"
+              },
+              "sightings": {
+                "type": "long"
+              },
+              "type": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
           "tactic": {
             "properties": {
               "id": {
diff --git a/experimental/generated/elasticsearch/component/threat.json b/experimental/generated/elasticsearch/component/threat.json
index 1a7e47a34b..6c55f638e4 100644
--- a/experimental/generated/elasticsearch/component/threat.json
+++ b/experimental/generated/elasticsearch/component/threat.json
@@ -12,6 +12,498 @@
               "ignore_above": 1024,
               "type": "keyword"
             },
+            "indicator": {
+              "properties": {
+                "as": {
+                  "properties": {
+                    "number": {
+                      "type": "long"
+                    },
+                    "organization": {
+                      "properties": {
+                        "name": {
+                          "fields": {
+                            "text": {
+                              "norms": false,
+                              "type": "text"
+                            }
+                          },
+                          "type": "wildcard"
+                        }
+                      }
+                    }
+                  }
+                },
+                "confidence": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "dataset": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "description": {
+                  "type": "wildcard"
+                },
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "email": {
+                  "properties": {
+                    "address": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "file": {
+                  "properties": {
+                    "accessed": {
+                      "type": "date"
+                    },
+                    "attributes": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "code_signature": {
+                      "properties": {
+                        "exists": {
+                          "type": "boolean"
+                        },
+                        "signing_id": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "status": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "subject_name": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "team_id": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "trusted": {
+                          "type": "boolean"
+                        },
+                        "valid": {
+                          "type": "boolean"
+                        }
+                      }
+                    },
+                    "created": {
+                      "type": "date"
+                    },
+                    "ctime": {
+                      "type": "date"
+                    },
+                    "device": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "directory": {
+                      "type": "wildcard"
+                    },
+                    "drive_letter": {
+                      "ignore_above": 1,
+                      "type": "keyword"
+                    },
+                    "extension": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "gid": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "group": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "inode": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "mime_type": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "mode": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "mtime": {
+                      "type": "date"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "owner": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "path": {
+                      "fields": {
+                        "text": {
+                          "norms": false,
+                          "type": "text"
+                        }
+                      },
+                      "type": "wildcard"
+                    },
+                    "size": {
+                      "type": "long"
+                    },
+                    "target_path": {
+                      "fields": {
+                        "text": {
+                          "norms": false,
+                          "type": "text"
+                        }
+                      },
+                      "type": "wildcard"
+                    },
+                    "type": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "uid": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "first_seen": {
+                  "type": "date"
+                },
+                "geo": {
+                  "properties": {
+                    "city_name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "continent_code": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "continent_name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "country_iso_code": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "country_name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "location": {
+                      "type": "geo_point"
+                    },
+                    "name": {
+                      "type": "wildcard"
+                    },
+                    "postal_code": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "region_iso_code": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "region_name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "timezone": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "hash": {
+                  "properties": {
+                    "md5": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "sha1": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "sha256": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "sha512": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "ssdeep": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "ip": {
+                  "type": "ip"
+                },
+                "last_seen": {
+                  "type": "date"
+                },
+                "marking": {
+                  "properties": {
+                    "tlp": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "matched": {
+                  "properties": {
+                    "atomic": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "field": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "type": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "module": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "pe": {
+                  "properties": {
+                    "architecture": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "authentihash": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "company": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "compile_timestamp": {
+                      "type": "date"
+                    },
+                    "compiler": {
+                      "properties": {
+                        "name": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "version": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        }
+                      }
+                    },
+                    "creation_date": {
+                      "type": "date"
+                    },
+                    "debug": {
+                      "properties": {
+                        "offset": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "size": {
+                          "type": "long"
+                        },
+                        "timestamp": {
+                          "type": "date"
+                        },
+                        "type": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        }
+                      },
+                      "type": "nested"
+                    },
+                    "description": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "entry_point": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "exports": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "file_version": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "icon": {
+                      "properties": {
+                        "hash": {
+                          "properties": {
+                            "dhash": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            }
+                          }
+                        }
+                      }
+                    },
+                    "imphash": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "imports": {
+                      "type": "flattened"
+                    },
+                    "machine_type": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "original_file_name": {
+                      "type": "wildcard"
+                    },
+                    "packers": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "product": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "resources": {
+                      "properties": {
+                        "chi2": {
+                          "type": "long"
+                        },
+                        "entropy": {
+                          "type": "long"
+                        },
+                        "filetype": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "language": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "sha256": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "type": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        }
+                      },
+                      "type": "nested"
+                    },
+                    "rich_header": {
+                      "properties": {
+                        "hash": {
+                          "properties": {
+                            "md5": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            }
+                          }
+                        }
+                      }
+                    },
+                    "sections": {
+                      "properties": {
+                        "chi2": {
+                          "type": "long"
+                        },
+                        "entropy": {
+                          "type": "float"
+                        },
+                        "flags": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "name": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "raw_size": {
+                          "type": "long"
+                        },
+                        "virtual_address": {
+                          "type": "long"
+                        }
+                      },
+                      "type": "nested"
+                    }
+                  }
+                },
+                "port": {
+                  "type": "long"
+                },
+                "provider": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "registry": {
+                  "properties": {
+                    "data": {
+                      "properties": {
+                        "bytes": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "strings": {
+                          "type": "wildcard"
+                        },
+                        "type": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        }
+                      }
+                    },
+                    "hive": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "key": {
+                      "type": "wildcard"
+                    },
+                    "path": {
+                      "type": "wildcard"
+                    },
+                    "value": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "scanner_stats": {
+                  "type": "long"
+                },
+                "sightings": {
+                  "type": "long"
+                },
+                "type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
             "tactic": {
               "properties": {
                 "id": {
diff --git a/experimental/schemas/as.yml b/experimental/schemas/as.yml
index 96cf45621c..8971f535d9 100644
--- a/experimental/schemas/as.yml
+++ b/experimental/schemas/as.yml
@@ -1,5 +1,9 @@
 ---
 - name: as
+  reusable:
+    expected:
+      - threat.indicator
+
   fields:
     - name: organization.name
       type: wildcard
diff --git a/experimental/schemas/file.yml b/experimental/schemas/file.yml
index f4938d38be..a53f9ea3ff 100644
--- a/experimental/schemas/file.yml
+++ b/experimental/schemas/file.yml
@@ -1,5 +1,9 @@
 ---
 - name: file
+  reusable:
+    expected:
+      - threat.indicator
+
   fields:
     - name: directory
       type: wildcard
diff --git a/experimental/schemas/geo.yml b/experimental/schemas/geo.yml
index d3445a5a2b..cbacd44b6e 100644
--- a/experimental/schemas/geo.yml
+++ b/experimental/schemas/geo.yml
@@ -1,5 +1,9 @@
 ---
   - name: geo
+    reusable:
+      expected:
+        - threat.indicator
+
     fields:
       - name: name
         type: wildcard
diff --git a/experimental/schemas/hash.yml b/experimental/schemas/hash.yml
new file mode 100644
index 0000000000..957ad48503
--- /dev/null
+++ b/experimental/schemas/hash.yml
@@ -0,0 +1,5 @@
+---
+- name: hash
+  reusable:
+    expected:
+      - threat.indicator
diff --git a/experimental/schemas/pe.yml b/experimental/schemas/pe.yml
index 9ed4b4da8c..c5ef5c8349 100644
--- a/experimental/schemas/pe.yml
+++ b/experimental/schemas/pe.yml
@@ -1,5 +1,9 @@
 ---
 - name: pe
+  reusable:
+    expected:
+      - threat.indicator
+
   fields:
     - name: original_file_name
       type: wildcard
diff --git a/experimental/schemas/registry.yml b/experimental/schemas/registry.yml
index 66f6f6b22c..ac9ac7e66c 100644
--- a/experimental/schemas/registry.yml
+++ b/experimental/schemas/registry.yml
@@ -1,5 +1,9 @@
 ---
 - name: registry
+  reusable:
+    expected:
+      - threat.indicator
+
   fields:
     - name: key
       type: wildcard
diff --git a/experimental/schemas/threat.yml b/experimental/schemas/threat.yml
new file mode 100644
index 0000000000..523f909f06
--- /dev/null
+++ b/experimental/schemas/threat.yml
@@ -0,0 +1,196 @@
+---
+- name: threat
+
+  fields:
+
+  - name: indicator.first_seen
+    level: extended
+    type: date
+    short: Date/time indicator was first reported.
+    description: >
+      The date and time when intelligence source first reported sighting this indicator.
+
+    example: "2020-11-05T17:25:47.000Z"
+
+  - name: indicator.last_seen
+    level: extended
+    type: date
+    short: Date/time indicator was last reported.
+    description: >
+      The date and time when intelligence source last reported sighting this indicator.
+
+    example: "2020-11-05T17:25:47.000Z"
+
+  - name: indicator.sightings
+    level: extended
+    type: long
+    short: Number of times indicator observed
+    description: >
+      Number of times this indicator was observed conducting threat activity.
+
+    example: 20
+
+  - name: indicator.type
+    level: extended
+    type: keyword
+    short: Type of indicator
+    description: >
+      Type of indicator as represented by Cyber Observable in STIX 2.0.
+
+      Expected values
+        * autonomous-system
+        * artifact
+        * directory
+        * domain-name
+        * email-addr
+        * file
+        * ipv4-addr
+        * ipv6-addr
+        * mac-addr
+        * mutex
+        * process
+        * software
+        * url
+        * user-account
+        * windows-registry-key
+        * x-509-certificate
+
+    example: ipv4-addr
+
+  - name: indicator.description
+    level: extended
+    type: wildcard
+    short: Indicator description
+    description: >
+      Describes the type of action conducted by the threat.
+
+    example: IP x.x.x.x was observed delivering the Angler EK.
+
+  - name: indicator.scanner_stats
+    level: extended
+    type: long
+    short: Scanner statistics
+    description: >
+      Count of AV/EDR vendors that successfully detected malicious file or URL.
+
+    example: 4
+
+  - name: indicator.provider
+    level: extended
+    type: keyword
+    description: >
+      Identifies the name of the intelligence provider.
+
+    example: VirusTotal
+
+  - name: indicator.confidence
+    level: extended
+    type: keyword
+    short: Indicator confidence rating
+    description: >
+      Identifies the confidence rating assigned by the provider using STIX confidence scales.
+
+      Expected values:
+        * Not Specified, None, Low, Medium, High
+        * 0-10
+        * Admirality Scale (1-6)
+        * DNI Scale (5-95)
+        * WEP Scale (Impossible - Certain)
+
+    example: High
+
+  - name: indicator.module
+    level: extended
+    type: keyword
+    short: Indicator module
+    description: >
+      Identifies the name of specific module this data is coming from.
+
+    example: threatintel
+
+  - name: indicator.dataset
+    level: extended
+    type: keyword
+    short: Indicator dataset
+    description: >
+      Identifies the name of specific dataset from the intelligence source.
+
+    example: threatintel.abusemalware
+
+  - name: indicator.ip
+    level: extended
+    type: ip
+    short: Indicator IP address
+    description: >
+      Identifies a threat indicator as an IP address (irrespective of direction).
+
+    example: 1.2.3.4
+
+  - name: indicator.domain
+    level: extended
+    type: keyword
+    short: Indicator domain name
+    description: >
+      Identifies a threat indicator as a domain (irrespective of direction).
+
+    example: example.com
+
+  - name: indicator.port
+    level: extended
+    type: long
+    short: Indicator port
+    description: >
+      Identifies a threat indicator as a port number (irrespective of direction).
+
+    example: 443
+
+  - name: indicator.email.address
+    level: extended
+    type: keyword
+    short: Indicator email address
+    description: >
+      Identifies a threat indicator as an email address (irrespective of direction).
+
+    example: phish@example.com
+
+  - name: indicator.marking.tlp
+    level: extended
+    type: keyword
+    short: Indicator TLP marking
+    description: >
+      Traffic Light Protocol sharing markings.
+
+      Expected values are:
+        * White
+        * Green
+        * Amber
+        * Red
+
+    example: White
+
+  - name: indicator.matched.atomic
+    level: extended
+    type: keyword
+    short: Indicator atomic match
+    description: >
+      Identifies the atomic indicator that matched a local environment endpoint or network event.
+
+    example: example.com
+
+  - name: indicator.matched.field
+    level: extended
+    type: keyword
+    short: Indicator field match
+    description: >
+      Identifies the field of the atomic indicator that matched a local environment endpoint or network event.
+
+    example: file.hash.sha256
+
+  - name: indicator.matched.type
+    level: extended
+    type: keyword
+    short: Indicator type match
+    description: >
+      Identifies the type of the atomic indicator that matched a local environment endpoint or network event.
+
+    example: domain-name

From bdf980c7d9f32fb419136e2e81dd135209f8775f Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Wed, 17 Feb 2021 22:50:25 -0600
Subject: [PATCH 83/90] Stage 1 changes for RFC 0015 - add elf fieldset (#1261)
 (#1275)

---
 CHANGELOG.next.md                             |    1 +
 experimental/generated/beats/fields.ecs.yml   |  702 +++++++++
 experimental/generated/csv/fields.csv         |   87 ++
 experimental/generated/ecs/ecs_flat.yml       |  960 +++++++++++++
 experimental/generated/ecs/ecs_nested.yml     | 1277 +++++++++++++++++
 .../generated/elasticsearch/7/template.json   |  351 +++++
 .../elasticsearch/component/file.json         |  117 ++
 .../elasticsearch/component/process.json      |  234 +++
 experimental/schemas/elf.yml                  |  198 +++
 9 files changed, 3927 insertions(+)
 create mode 100644 experimental/schemas/elf.yml

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index a3c3517daf..9aaa6af2ea 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -29,6 +29,7 @@ Thanks, you're awesome :-) -->
 * Extended `pe` fields added to experimental schema. #1256
 * Added `code_signature.team_id`, `code_signature.signing_id`. #1249
 * Add `threat.indicator` fields to experimental schema. #1268
+* Add `elf` fieldset to experimental schema. #1261
 
 #### Improvements
 
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index b3a81e12e2..13bd5d57ab 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -1520,6 +1520,186 @@
         ECS versions -- this field lets integrations adjust to the schema version
         of the events.'
       example: 1.0.0
+  - name: elf
+    title: ELF Header
+    group: 2
+    description: These fields contain Linux Executable Linkable Format (ELF) metadata.
+    type: group
+    fields:
+    - name: architecture
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Machine architecture of the ELF file.
+      example: x86-64
+      default_field: false
+    - name: byte_order
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Byte sequence of ELF file.
+      example: Little Endian, Big Endian
+      default_field: false
+    - name: cpu_type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: CPU type of the ELF file.
+      example: Intel
+      default_field: false
+    - name: creation_date
+      level: extended
+      type: date
+      description: Extracted when possible from the file's metadata. Indicates when
+        it was built or compiled. It can also be faked by malware creators.
+      default_field: false
+    - name: exports
+      level: extended
+      type: flattened
+      description: List of exported element names and types.
+      default_field: false
+    - name: header.abi_version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Version of the ELF Application Binary Interface (ABI).
+      default_field: false
+    - name: header.class
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Header class of the ELF file.
+      default_field: false
+    - name: header.data
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Data table of the ELF header.
+      default_field: false
+    - name: header.entrypoint
+      level: extended
+      type: long
+      format: string
+      description: Header entrypoint of the ELF file.
+      default_field: false
+    - name: header.object_version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: '"0x1" for original ELF files.'
+      default_field: false
+    - name: header.os_abi
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Application Binary Interface (ABI) of the Linux OS.
+      default_field: false
+    - name: header.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Header type of the ELF file.
+      default_field: false
+    - name: header.version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Version of the ELF header.
+      default_field: false
+    - name: imports
+      level: extended
+      type: flattened
+      description: List of imported element names and types.
+      default_field: false
+    - name: sections
+      level: extended
+      type: nested
+      description: Section information of the ELF file.
+      default_field: false
+    - name: sections.chi2
+      level: extended
+      type: long
+      format: number
+      description: Chi-square probability distribution of the section.
+      default_field: false
+    - name: sections.entropy
+      level: extended
+      type: long
+      format: number
+      description: Shannon entropy calculation from the section.
+      default_field: false
+    - name: sections.flags
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: ELF Section List flags.
+      default_field: false
+    - name: sections.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: ELF Section List name.
+      default_field: false
+    - name: sections.physical_offset
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: ELF Section List offset.
+      default_field: false
+    - name: sections.physical_size
+      level: extended
+      type: long
+      format: bytes
+      description: ELF Section List physical size.
+      default_field: false
+    - name: sections.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: ELF Section List type.
+      default_field: false
+    - name: sections.virtual_address
+      level: extended
+      type: long
+      format: string
+      description: ELF Section List virtual address.
+      default_field: false
+    - name: sections.virtual_size
+      level: extended
+      type: long
+      format: string
+      description: ELF Section List virtual size.
+      default_field: false
+    - name: segments
+      level: extended
+      type: nested
+      description: ELF object segment list.
+      default_field: false
+    - name: segments.sections
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: ELF object segment sections.
+      default_field: false
+    - name: segments.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: ELF object segment type.
+      default_field: false
+    - name: shared_libraries
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of shared libraries used by this ELF object
+      default_field: false
+    - name: telfhash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: telfhash is symbol hash for ELF files, just like imphash is imports
+        hash for PE files. Learn more at https://github.com/trendmicro/telfhash.
+      default_field: false
   - name: error
     title: Error
     group: 2
@@ -1977,6 +2157,180 @@
         The value should be uppercase, and not include the colon.'
       example: C
       default_field: false
+    - name: elf.architecture
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Machine architecture of the ELF file.
+      example: x86-64
+      default_field: false
+    - name: elf.byte_order
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Byte sequence of ELF file.
+      example: Little Endian, Big Endian
+      default_field: false
+    - name: elf.cpu_type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: CPU type of the ELF file.
+      example: Intel
+      default_field: false
+    - name: elf.creation_date
+      level: extended
+      type: date
+      description: Extracted when possible from the file's metadata. Indicates when
+        it was built or compiled. It can also be faked by malware creators.
+      default_field: false
+    - name: elf.exports
+      level: extended
+      type: flattened
+      description: List of exported element names and types.
+      default_field: false
+    - name: elf.header.abi_version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Version of the ELF Application Binary Interface (ABI).
+      default_field: false
+    - name: elf.header.class
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Header class of the ELF file.
+      default_field: false
+    - name: elf.header.data
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Data table of the ELF header.
+      default_field: false
+    - name: elf.header.entrypoint
+      level: extended
+      type: long
+      format: string
+      description: Header entrypoint of the ELF file.
+      default_field: false
+    - name: elf.header.object_version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: '"0x1" for original ELF files.'
+      default_field: false
+    - name: elf.header.os_abi
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Application Binary Interface (ABI) of the Linux OS.
+      default_field: false
+    - name: elf.header.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Header type of the ELF file.
+      default_field: false
+    - name: elf.header.version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Version of the ELF header.
+      default_field: false
+    - name: elf.imports
+      level: extended
+      type: flattened
+      description: List of imported element names and types.
+      default_field: false
+    - name: elf.sections
+      level: extended
+      type: nested
+      description: Section information of the ELF file.
+      default_field: false
+    - name: elf.sections.chi2
+      level: extended
+      type: long
+      format: number
+      description: Chi-square probability distribution of the section.
+      default_field: false
+    - name: elf.sections.entropy
+      level: extended
+      type: long
+      format: number
+      description: Shannon entropy calculation from the section.
+      default_field: false
+    - name: elf.sections.flags
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: ELF Section List flags.
+      default_field: false
+    - name: elf.sections.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: ELF Section List name.
+      default_field: false
+    - name: elf.sections.physical_offset
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: ELF Section List offset.
+      default_field: false
+    - name: elf.sections.physical_size
+      level: extended
+      type: long
+      format: bytes
+      description: ELF Section List physical size.
+      default_field: false
+    - name: elf.sections.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: ELF Section List type.
+      default_field: false
+    - name: elf.sections.virtual_address
+      level: extended
+      type: long
+      format: string
+      description: ELF Section List virtual address.
+      default_field: false
+    - name: elf.sections.virtual_size
+      level: extended
+      type: long
+      format: string
+      description: ELF Section List virtual size.
+      default_field: false
+    - name: elf.segments
+      level: extended
+      type: nested
+      description: ELF object segment list.
+      default_field: false
+    - name: elf.segments.sections
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: ELF object segment sections.
+      default_field: false
+    - name: elf.segments.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: ELF object segment type.
+      default_field: false
+    - name: elf.shared_libraries
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of shared libraries used by this ELF object
+      default_field: false
+    - name: elf.telfhash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: telfhash is symbol hash for ELF files, just like imphash is imports
+        hash for PE files. Learn more at https://github.com/trendmicro/telfhash.
+      default_field: false
     - name: extension
       level: extended
       type: keyword
@@ -4325,6 +4679,180 @@
         Some arguments may be filtered to protect sensitive information.'
       example: /usr/bin/ssh -l user 10.0.0.16
       default_field: false
+    - name: elf.architecture
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Machine architecture of the ELF file.
+      example: x86-64
+      default_field: false
+    - name: elf.byte_order
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Byte sequence of ELF file.
+      example: Little Endian, Big Endian
+      default_field: false
+    - name: elf.cpu_type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: CPU type of the ELF file.
+      example: Intel
+      default_field: false
+    - name: elf.creation_date
+      level: extended
+      type: date
+      description: Extracted when possible from the file's metadata. Indicates when
+        it was built or compiled. It can also be faked by malware creators.
+      default_field: false
+    - name: elf.exports
+      level: extended
+      type: flattened
+      description: List of exported element names and types.
+      default_field: false
+    - name: elf.header.abi_version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Version of the ELF Application Binary Interface (ABI).
+      default_field: false
+    - name: elf.header.class
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Header class of the ELF file.
+      default_field: false
+    - name: elf.header.data
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Data table of the ELF header.
+      default_field: false
+    - name: elf.header.entrypoint
+      level: extended
+      type: long
+      format: string
+      description: Header entrypoint of the ELF file.
+      default_field: false
+    - name: elf.header.object_version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: '"0x1" for original ELF files.'
+      default_field: false
+    - name: elf.header.os_abi
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Application Binary Interface (ABI) of the Linux OS.
+      default_field: false
+    - name: elf.header.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Header type of the ELF file.
+      default_field: false
+    - name: elf.header.version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Version of the ELF header.
+      default_field: false
+    - name: elf.imports
+      level: extended
+      type: flattened
+      description: List of imported element names and types.
+      default_field: false
+    - name: elf.sections
+      level: extended
+      type: nested
+      description: Section information of the ELF file.
+      default_field: false
+    - name: elf.sections.chi2
+      level: extended
+      type: long
+      format: number
+      description: Chi-square probability distribution of the section.
+      default_field: false
+    - name: elf.sections.entropy
+      level: extended
+      type: long
+      format: number
+      description: Shannon entropy calculation from the section.
+      default_field: false
+    - name: elf.sections.flags
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: ELF Section List flags.
+      default_field: false
+    - name: elf.sections.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: ELF Section List name.
+      default_field: false
+    - name: elf.sections.physical_offset
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: ELF Section List offset.
+      default_field: false
+    - name: elf.sections.physical_size
+      level: extended
+      type: long
+      format: bytes
+      description: ELF Section List physical size.
+      default_field: false
+    - name: elf.sections.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: ELF Section List type.
+      default_field: false
+    - name: elf.sections.virtual_address
+      level: extended
+      type: long
+      format: string
+      description: ELF Section List virtual address.
+      default_field: false
+    - name: elf.sections.virtual_size
+      level: extended
+      type: long
+      format: string
+      description: ELF Section List virtual size.
+      default_field: false
+    - name: elf.segments
+      level: extended
+      type: nested
+      description: ELF object segment list.
+      default_field: false
+    - name: elf.segments.sections
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: ELF object segment sections.
+      default_field: false
+    - name: elf.segments.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: ELF object segment type.
+      default_field: false
+    - name: elf.shared_libraries
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of shared libraries used by this ELF object
+      default_field: false
+    - name: elf.telfhash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: telfhash is symbol hash for ELF files, just like imphash is imports
+        hash for PE files. Learn more at https://github.com/trendmicro/telfhash.
+      default_field: false
     - name: entity_id
       level: extended
       type: keyword
@@ -4492,6 +5020,180 @@
         Some arguments may be filtered to protect sensitive information.'
       example: /usr/bin/ssh -l user 10.0.0.16
       default_field: false
+    - name: parent.elf.architecture
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Machine architecture of the ELF file.
+      example: x86-64
+      default_field: false
+    - name: parent.elf.byte_order
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Byte sequence of ELF file.
+      example: Little Endian, Big Endian
+      default_field: false
+    - name: parent.elf.cpu_type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: CPU type of the ELF file.
+      example: Intel
+      default_field: false
+    - name: parent.elf.creation_date
+      level: extended
+      type: date
+      description: Extracted when possible from the file's metadata. Indicates when
+        it was built or compiled. It can also be faked by malware creators.
+      default_field: false
+    - name: parent.elf.exports
+      level: extended
+      type: flattened
+      description: List of exported element names and types.
+      default_field: false
+    - name: parent.elf.header.abi_version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Version of the ELF Application Binary Interface (ABI).
+      default_field: false
+    - name: parent.elf.header.class
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Header class of the ELF file.
+      default_field: false
+    - name: parent.elf.header.data
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Data table of the ELF header.
+      default_field: false
+    - name: parent.elf.header.entrypoint
+      level: extended
+      type: long
+      format: string
+      description: Header entrypoint of the ELF file.
+      default_field: false
+    - name: parent.elf.header.object_version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: '"0x1" for original ELF files.'
+      default_field: false
+    - name: parent.elf.header.os_abi
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Application Binary Interface (ABI) of the Linux OS.
+      default_field: false
+    - name: parent.elf.header.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Header type of the ELF file.
+      default_field: false
+    - name: parent.elf.header.version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Version of the ELF header.
+      default_field: false
+    - name: parent.elf.imports
+      level: extended
+      type: flattened
+      description: List of imported element names and types.
+      default_field: false
+    - name: parent.elf.sections
+      level: extended
+      type: nested
+      description: Section information of the ELF file.
+      default_field: false
+    - name: parent.elf.sections.chi2
+      level: extended
+      type: long
+      format: number
+      description: Chi-square probability distribution of the section.
+      default_field: false
+    - name: parent.elf.sections.entropy
+      level: extended
+      type: long
+      format: number
+      description: Shannon entropy calculation from the section.
+      default_field: false
+    - name: parent.elf.sections.flags
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: ELF Section List flags.
+      default_field: false
+    - name: parent.elf.sections.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: ELF Section List name.
+      default_field: false
+    - name: parent.elf.sections.physical_offset
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: ELF Section List offset.
+      default_field: false
+    - name: parent.elf.sections.physical_size
+      level: extended
+      type: long
+      format: bytes
+      description: ELF Section List physical size.
+      default_field: false
+    - name: parent.elf.sections.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: ELF Section List type.
+      default_field: false
+    - name: parent.elf.sections.virtual_address
+      level: extended
+      type: long
+      format: string
+      description: ELF Section List virtual address.
+      default_field: false
+    - name: parent.elf.sections.virtual_size
+      level: extended
+      type: long
+      format: string
+      description: ELF Section List virtual size.
+      default_field: false
+    - name: parent.elf.segments
+      level: extended
+      type: nested
+      description: ELF object segment list.
+      default_field: false
+    - name: parent.elf.segments.sections
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: ELF object segment sections.
+      default_field: false
+    - name: parent.elf.segments.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: ELF object segment type.
+      default_field: false
+    - name: parent.elf.shared_libraries
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of shared libraries used by this ELF object
+      default_field: false
+    - name: parent.elf.telfhash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: telfhash is symbol hash for ELF files, just like imphash is imports
+        hash for PE files. Learn more at https://github.com/trendmicro/telfhash.
+      default_field: false
     - name: parent.entity_id
       level: extended
       type: keyword
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
index b9b7569221..4a34177817 100644
--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -221,6 +221,35 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,file,file.device,keyword,extended,,sda,Device that is the source of the file.
 1.9.0-dev+exp,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located.
 1.9.0-dev+exp,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
+1.9.0-dev+exp,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
+1.9.0-dev+exp,true,file,file.elf.byte_order,keyword,extended,,"Little Endian, Big Endian",Byte sequence of ELF file.
+1.9.0-dev+exp,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
+1.9.0-dev+exp,true,file,file.elf.creation_date,date,extended,,,Build or compile date.
+1.9.0-dev+exp,true,file,file.elf.exports,flattened,extended,,,List of exported element names and types.
+1.9.0-dev+exp,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
+1.9.0-dev+exp,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file.
+1.9.0-dev+exp,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header.
+1.9.0-dev+exp,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
+1.9.0-dev+exp,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
+1.9.0-dev+exp,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
+1.9.0-dev+exp,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file.
+1.9.0-dev+exp,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header.
+1.9.0-dev+exp,true,file,file.elf.imports,flattened,extended,,,List of imported element names and types.
+1.9.0-dev+exp,true,file,file.elf.sections,nested,extended,,,Section information of the ELF file.
+1.9.0-dev+exp,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
+1.9.0-dev+exp,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
+1.9.0-dev+exp,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags.
+1.9.0-dev+exp,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name.
+1.9.0-dev+exp,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
+1.9.0-dev+exp,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
+1.9.0-dev+exp,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type.
+1.9.0-dev+exp,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
+1.9.0-dev+exp,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
+1.9.0-dev+exp,true,file,file.elf.segments,nested,extended,,,ELF object segment list.
+1.9.0-dev+exp,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections.
+1.9.0-dev+exp,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type.
+1.9.0-dev+exp,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object
+1.9.0-dev+exp,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF files
 1.9.0-dev+exp,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
 1.9.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
 1.9.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file.
@@ -469,6 +498,35 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
 1.9.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
 1.9.0-dev+exp,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.9.0-dev+exp,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
+1.9.0-dev+exp,true,process,process.elf.byte_order,keyword,extended,,"Little Endian, Big Endian",Byte sequence of ELF file.
+1.9.0-dev+exp,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
+1.9.0-dev+exp,true,process,process.elf.creation_date,date,extended,,,Build or compile date.
+1.9.0-dev+exp,true,process,process.elf.exports,flattened,extended,,,List of exported element names and types.
+1.9.0-dev+exp,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
+1.9.0-dev+exp,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file.
+1.9.0-dev+exp,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header.
+1.9.0-dev+exp,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
+1.9.0-dev+exp,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
+1.9.0-dev+exp,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
+1.9.0-dev+exp,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file.
+1.9.0-dev+exp,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header.
+1.9.0-dev+exp,true,process,process.elf.imports,flattened,extended,,,List of imported element names and types.
+1.9.0-dev+exp,true,process,process.elf.sections,nested,extended,,,Section information of the ELF file.
+1.9.0-dev+exp,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
+1.9.0-dev+exp,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
+1.9.0-dev+exp,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags.
+1.9.0-dev+exp,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name.
+1.9.0-dev+exp,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
+1.9.0-dev+exp,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
+1.9.0-dev+exp,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type.
+1.9.0-dev+exp,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
+1.9.0-dev+exp,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
+1.9.0-dev+exp,true,process,process.elf.segments,nested,extended,,,ELF object segment list.
+1.9.0-dev+exp,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections.
+1.9.0-dev+exp,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type.
+1.9.0-dev+exp,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object
+1.9.0-dev+exp,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF files
 1.9.0-dev+exp,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
 1.9.0-dev+exp,true,process,process.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable.
 1.9.0-dev+exp,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
@@ -491,6 +549,35 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
 1.9.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
 1.9.0-dev+exp,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.9.0-dev+exp,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
+1.9.0-dev+exp,true,process,process.parent.elf.byte_order,keyword,extended,,"Little Endian, Big Endian",Byte sequence of ELF file.
+1.9.0-dev+exp,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
+1.9.0-dev+exp,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date.
+1.9.0-dev+exp,true,process,process.parent.elf.exports,flattened,extended,,,List of exported element names and types.
+1.9.0-dev+exp,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
+1.9.0-dev+exp,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file.
+1.9.0-dev+exp,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header.
+1.9.0-dev+exp,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
+1.9.0-dev+exp,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
+1.9.0-dev+exp,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
+1.9.0-dev+exp,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file.
+1.9.0-dev+exp,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header.
+1.9.0-dev+exp,true,process,process.parent.elf.imports,flattened,extended,,,List of imported element names and types.
+1.9.0-dev+exp,true,process,process.parent.elf.sections,nested,extended,,,Section information of the ELF file.
+1.9.0-dev+exp,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
+1.9.0-dev+exp,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
+1.9.0-dev+exp,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags.
+1.9.0-dev+exp,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name.
+1.9.0-dev+exp,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
+1.9.0-dev+exp,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
+1.9.0-dev+exp,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type.
+1.9.0-dev+exp,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
+1.9.0-dev+exp,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
+1.9.0-dev+exp,true,process,process.parent.elf.segments,nested,extended,,,ELF object segment list.
+1.9.0-dev+exp,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections.
+1.9.0-dev+exp,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type.
+1.9.0-dev+exp,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object
+1.9.0-dev+exp,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF files
 1.9.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
 1.9.0-dev+exp,true,process,process.parent.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable.
 1.9.0-dev+exp,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index f51f63864f..ed5d99cefc 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -3130,6 +3130,326 @@ file.drive_letter:
   normalize: []
   short: Drive letter where the file is located.
   type: keyword
+file.elf.architecture:
+  dashed_name: file-elf-architecture
+  description: Machine architecture of the ELF file.
+  example: x86-64
+  flat_name: file.elf.architecture
+  ignore_above: 1024
+  level: extended
+  name: architecture
+  normalize: []
+  original_fieldset: elf
+  short: Machine architecture of the ELF file.
+  type: keyword
+file.elf.byte_order:
+  dashed_name: file-elf-byte-order
+  description: Byte sequence of ELF file.
+  example: Little Endian, Big Endian
+  flat_name: file.elf.byte_order
+  ignore_above: 1024
+  level: extended
+  name: byte_order
+  normalize: []
+  original_fieldset: elf
+  short: Byte sequence of ELF file.
+  type: keyword
+file.elf.cpu_type:
+  dashed_name: file-elf-cpu-type
+  description: CPU type of the ELF file.
+  example: Intel
+  flat_name: file.elf.cpu_type
+  ignore_above: 1024
+  level: extended
+  name: cpu_type
+  normalize: []
+  original_fieldset: elf
+  short: CPU type of the ELF file.
+  type: keyword
+file.elf.creation_date:
+  dashed_name: file-elf-creation-date
+  description: Extracted when possible from the file's metadata. Indicates when it
+    was built or compiled. It can also be faked by malware creators.
+  flat_name: file.elf.creation_date
+  level: extended
+  name: creation_date
+  normalize: []
+  original_fieldset: elf
+  short: Build or compile date.
+  type: date
+file.elf.exports:
+  dashed_name: file-elf-exports
+  description: List of exported element names and types.
+  flat_name: file.elf.exports
+  level: extended
+  name: exports
+  normalize: []
+  original_fieldset: elf
+  short: List of exported element names and types.
+  type: flattened
+file.elf.header.abi_version:
+  dashed_name: file-elf-header-abi-version
+  description: Version of the ELF Application Binary Interface (ABI).
+  flat_name: file.elf.header.abi_version
+  ignore_above: 1024
+  level: extended
+  name: header.abi_version
+  normalize: []
+  original_fieldset: elf
+  short: Version of the ELF Application Binary Interface (ABI).
+  type: keyword
+file.elf.header.class:
+  dashed_name: file-elf-header-class
+  description: Header class of the ELF file.
+  flat_name: file.elf.header.class
+  ignore_above: 1024
+  level: extended
+  name: header.class
+  normalize: []
+  original_fieldset: elf
+  short: Header class of the ELF file.
+  type: keyword
+file.elf.header.data:
+  dashed_name: file-elf-header-data
+  description: Data table of the ELF header.
+  flat_name: file.elf.header.data
+  ignore_above: 1024
+  level: extended
+  name: header.data
+  normalize: []
+  original_fieldset: elf
+  short: Data table of the ELF header.
+  type: keyword
+file.elf.header.entrypoint:
+  dashed_name: file-elf-header-entrypoint
+  description: Header entrypoint of the ELF file.
+  flat_name: file.elf.header.entrypoint
+  format: string
+  level: extended
+  name: header.entrypoint
+  normalize: []
+  original_fieldset: elf
+  short: Header entrypoint of the ELF file.
+  type: long
+file.elf.header.object_version:
+  dashed_name: file-elf-header-object-version
+  description: '"0x1" for original ELF files.'
+  flat_name: file.elf.header.object_version
+  ignore_above: 1024
+  level: extended
+  name: header.object_version
+  normalize: []
+  original_fieldset: elf
+  short: '"0x1" for original ELF files.'
+  type: keyword
+file.elf.header.os_abi:
+  dashed_name: file-elf-header-os-abi
+  description: Application Binary Interface (ABI) of the Linux OS.
+  flat_name: file.elf.header.os_abi
+  ignore_above: 1024
+  level: extended
+  name: header.os_abi
+  normalize: []
+  original_fieldset: elf
+  short: Application Binary Interface (ABI) of the Linux OS.
+  type: keyword
+file.elf.header.type:
+  dashed_name: file-elf-header-type
+  description: Header type of the ELF file.
+  flat_name: file.elf.header.type
+  ignore_above: 1024
+  level: extended
+  name: header.type
+  normalize: []
+  original_fieldset: elf
+  short: Header type of the ELF file.
+  type: keyword
+file.elf.header.version:
+  dashed_name: file-elf-header-version
+  description: Version of the ELF header.
+  flat_name: file.elf.header.version
+  ignore_above: 1024
+  level: extended
+  name: header.version
+  normalize: []
+  original_fieldset: elf
+  short: Version of the ELF header.
+  type: keyword
+file.elf.imports:
+  dashed_name: file-elf-imports
+  description: List of imported element names and types.
+  flat_name: file.elf.imports
+  level: extended
+  name: imports
+  normalize: []
+  original_fieldset: elf
+  short: List of imported element names and types.
+  type: flattened
+file.elf.sections:
+  dashed_name: file-elf-sections
+  description: Section information of the ELF file.
+  flat_name: file.elf.sections
+  level: extended
+  name: sections
+  normalize: []
+  original_fieldset: elf
+  short: Section information of the ELF file.
+  type: nested
+file.elf.sections.chi2:
+  dashed_name: file-elf-sections-chi2
+  description: Chi-square probability distribution of the section.
+  flat_name: file.elf.sections.chi2
+  format: number
+  level: extended
+  name: sections.chi2
+  normalize: []
+  original_fieldset: elf
+  short: Chi-square probability distribution of the section.
+  type: long
+file.elf.sections.entropy:
+  dashed_name: file-elf-sections-entropy
+  description: Shannon entropy calculation from the section.
+  flat_name: file.elf.sections.entropy
+  format: number
+  level: extended
+  name: sections.entropy
+  normalize: []
+  original_fieldset: elf
+  short: Shannon entropy calculation from the section.
+  type: long
+file.elf.sections.flags:
+  dashed_name: file-elf-sections-flags
+  description: ELF Section List flags.
+  flat_name: file.elf.sections.flags
+  ignore_above: 1024
+  level: extended
+  name: sections.flags
+  normalize: []
+  original_fieldset: elf
+  short: ELF Section List flags.
+  type: keyword
+file.elf.sections.name:
+  dashed_name: file-elf-sections-name
+  description: ELF Section List name.
+  flat_name: file.elf.sections.name
+  ignore_above: 1024
+  level: extended
+  name: sections.name
+  normalize: []
+  original_fieldset: elf
+  short: ELF Section List name.
+  type: keyword
+file.elf.sections.physical_offset:
+  dashed_name: file-elf-sections-physical-offset
+  description: ELF Section List offset.
+  flat_name: file.elf.sections.physical_offset
+  ignore_above: 1024
+  level: extended
+  name: sections.physical_offset
+  normalize: []
+  original_fieldset: elf
+  short: ELF Section List offset.
+  type: keyword
+file.elf.sections.physical_size:
+  dashed_name: file-elf-sections-physical-size
+  description: ELF Section List physical size.
+  flat_name: file.elf.sections.physical_size
+  format: bytes
+  level: extended
+  name: sections.physical_size
+  normalize: []
+  original_fieldset: elf
+  short: ELF Section List physical size.
+  type: long
+file.elf.sections.type:
+  dashed_name: file-elf-sections-type
+  description: ELF Section List type.
+  flat_name: file.elf.sections.type
+  ignore_above: 1024
+  level: extended
+  name: sections.type
+  normalize: []
+  original_fieldset: elf
+  short: ELF Section List type.
+  type: keyword
+file.elf.sections.virtual_address:
+  dashed_name: file-elf-sections-virtual-address
+  description: ELF Section List virtual address.
+  flat_name: file.elf.sections.virtual_address
+  format: string
+  level: extended
+  name: sections.virtual_address
+  normalize: []
+  original_fieldset: elf
+  short: ELF Section List virtual address.
+  type: long
+file.elf.sections.virtual_size:
+  dashed_name: file-elf-sections-virtual-size
+  description: ELF Section List virtual size.
+  flat_name: file.elf.sections.virtual_size
+  format: string
+  level: extended
+  name: sections.virtual_size
+  normalize: []
+  original_fieldset: elf
+  short: ELF Section List virtual size.
+  type: long
+file.elf.segments:
+  dashed_name: file-elf-segments
+  description: ELF object segment list.
+  flat_name: file.elf.segments
+  level: extended
+  name: segments
+  normalize: []
+  original_fieldset: elf
+  short: ELF object segment list.
+  type: nested
+file.elf.segments.sections:
+  dashed_name: file-elf-segments-sections
+  description: ELF object segment sections.
+  flat_name: file.elf.segments.sections
+  ignore_above: 1024
+  level: extended
+  name: segments.sections
+  normalize: []
+  original_fieldset: elf
+  short: ELF object segment sections.
+  type: keyword
+file.elf.segments.type:
+  dashed_name: file-elf-segments-type
+  description: ELF object segment type.
+  flat_name: file.elf.segments.type
+  ignore_above: 1024
+  level: extended
+  name: segments.type
+  normalize: []
+  original_fieldset: elf
+  short: ELF object segment type.
+  type: keyword
+file.elf.shared_libraries:
+  dashed_name: file-elf-shared-libraries
+  description: List of shared libraries used by this ELF object
+  flat_name: file.elf.shared_libraries
+  ignore_above: 1024
+  level: extended
+  name: shared_libraries
+  normalize:
+  - array
+  original_fieldset: elf
+  short: List of shared libraries used by this ELF object
+  type: keyword
+file.elf.telfhash:
+  dashed_name: file-elf-telfhash
+  description: telfhash is symbol hash for ELF files, just like imphash is imports
+    hash for PE files. Learn more at https://github.com/trendmicro/telfhash.
+  flat_name: file.elf.telfhash
+  ignore_above: 1024
+  level: extended
+  name: telfhash
+  normalize: []
+  original_fieldset: elf
+  short: telfhash hash for ELF files
+  type: keyword
 file.extension:
   dashed_name: file-extension
   description: 'File extension, excluding the leading dot.
@@ -6142,6 +6462,326 @@ process.command_line:
   normalize: []
   short: Full command line that started the process.
   type: wildcard
+process.elf.architecture:
+  dashed_name: process-elf-architecture
+  description: Machine architecture of the ELF file.
+  example: x86-64
+  flat_name: process.elf.architecture
+  ignore_above: 1024
+  level: extended
+  name: architecture
+  normalize: []
+  original_fieldset: elf
+  short: Machine architecture of the ELF file.
+  type: keyword
+process.elf.byte_order:
+  dashed_name: process-elf-byte-order
+  description: Byte sequence of ELF file.
+  example: Little Endian, Big Endian
+  flat_name: process.elf.byte_order
+  ignore_above: 1024
+  level: extended
+  name: byte_order
+  normalize: []
+  original_fieldset: elf
+  short: Byte sequence of ELF file.
+  type: keyword
+process.elf.cpu_type:
+  dashed_name: process-elf-cpu-type
+  description: CPU type of the ELF file.
+  example: Intel
+  flat_name: process.elf.cpu_type
+  ignore_above: 1024
+  level: extended
+  name: cpu_type
+  normalize: []
+  original_fieldset: elf
+  short: CPU type of the ELF file.
+  type: keyword
+process.elf.creation_date:
+  dashed_name: process-elf-creation-date
+  description: Extracted when possible from the file's metadata. Indicates when it
+    was built or compiled. It can also be faked by malware creators.
+  flat_name: process.elf.creation_date
+  level: extended
+  name: creation_date
+  normalize: []
+  original_fieldset: elf
+  short: Build or compile date.
+  type: date
+process.elf.exports:
+  dashed_name: process-elf-exports
+  description: List of exported element names and types.
+  flat_name: process.elf.exports
+  level: extended
+  name: exports
+  normalize: []
+  original_fieldset: elf
+  short: List of exported element names and types.
+  type: flattened
+process.elf.header.abi_version:
+  dashed_name: process-elf-header-abi-version
+  description: Version of the ELF Application Binary Interface (ABI).
+  flat_name: process.elf.header.abi_version
+  ignore_above: 1024
+  level: extended
+  name: header.abi_version
+  normalize: []
+  original_fieldset: elf
+  short: Version of the ELF Application Binary Interface (ABI).
+  type: keyword
+process.elf.header.class:
+  dashed_name: process-elf-header-class
+  description: Header class of the ELF file.
+  flat_name: process.elf.header.class
+  ignore_above: 1024
+  level: extended
+  name: header.class
+  normalize: []
+  original_fieldset: elf
+  short: Header class of the ELF file.
+  type: keyword
+process.elf.header.data:
+  dashed_name: process-elf-header-data
+  description: Data table of the ELF header.
+  flat_name: process.elf.header.data
+  ignore_above: 1024
+  level: extended
+  name: header.data
+  normalize: []
+  original_fieldset: elf
+  short: Data table of the ELF header.
+  type: keyword
+process.elf.header.entrypoint:
+  dashed_name: process-elf-header-entrypoint
+  description: Header entrypoint of the ELF file.
+  flat_name: process.elf.header.entrypoint
+  format: string
+  level: extended
+  name: header.entrypoint
+  normalize: []
+  original_fieldset: elf
+  short: Header entrypoint of the ELF file.
+  type: long
+process.elf.header.object_version:
+  dashed_name: process-elf-header-object-version
+  description: '"0x1" for original ELF files.'
+  flat_name: process.elf.header.object_version
+  ignore_above: 1024
+  level: extended
+  name: header.object_version
+  normalize: []
+  original_fieldset: elf
+  short: '"0x1" for original ELF files.'
+  type: keyword
+process.elf.header.os_abi:
+  dashed_name: process-elf-header-os-abi
+  description: Application Binary Interface (ABI) of the Linux OS.
+  flat_name: process.elf.header.os_abi
+  ignore_above: 1024
+  level: extended
+  name: header.os_abi
+  normalize: []
+  original_fieldset: elf
+  short: Application Binary Interface (ABI) of the Linux OS.
+  type: keyword
+process.elf.header.type:
+  dashed_name: process-elf-header-type
+  description: Header type of the ELF file.
+  flat_name: process.elf.header.type
+  ignore_above: 1024
+  level: extended
+  name: header.type
+  normalize: []
+  original_fieldset: elf
+  short: Header type of the ELF file.
+  type: keyword
+process.elf.header.version:
+  dashed_name: process-elf-header-version
+  description: Version of the ELF header.
+  flat_name: process.elf.header.version
+  ignore_above: 1024
+  level: extended
+  name: header.version
+  normalize: []
+  original_fieldset: elf
+  short: Version of the ELF header.
+  type: keyword
+process.elf.imports:
+  dashed_name: process-elf-imports
+  description: List of imported element names and types.
+  flat_name: process.elf.imports
+  level: extended
+  name: imports
+  normalize: []
+  original_fieldset: elf
+  short: List of imported element names and types.
+  type: flattened
+process.elf.sections:
+  dashed_name: process-elf-sections
+  description: Section information of the ELF file.
+  flat_name: process.elf.sections
+  level: extended
+  name: sections
+  normalize: []
+  original_fieldset: elf
+  short: Section information of the ELF file.
+  type: nested
+process.elf.sections.chi2:
+  dashed_name: process-elf-sections-chi2
+  description: Chi-square probability distribution of the section.
+  flat_name: process.elf.sections.chi2
+  format: number
+  level: extended
+  name: sections.chi2
+  normalize: []
+  original_fieldset: elf
+  short: Chi-square probability distribution of the section.
+  type: long
+process.elf.sections.entropy:
+  dashed_name: process-elf-sections-entropy
+  description: Shannon entropy calculation from the section.
+  flat_name: process.elf.sections.entropy
+  format: number
+  level: extended
+  name: sections.entropy
+  normalize: []
+  original_fieldset: elf
+  short: Shannon entropy calculation from the section.
+  type: long
+process.elf.sections.flags:
+  dashed_name: process-elf-sections-flags
+  description: ELF Section List flags.
+  flat_name: process.elf.sections.flags
+  ignore_above: 1024
+  level: extended
+  name: sections.flags
+  normalize: []
+  original_fieldset: elf
+  short: ELF Section List flags.
+  type: keyword
+process.elf.sections.name:
+  dashed_name: process-elf-sections-name
+  description: ELF Section List name.
+  flat_name: process.elf.sections.name
+  ignore_above: 1024
+  level: extended
+  name: sections.name
+  normalize: []
+  original_fieldset: elf
+  short: ELF Section List name.
+  type: keyword
+process.elf.sections.physical_offset:
+  dashed_name: process-elf-sections-physical-offset
+  description: ELF Section List offset.
+  flat_name: process.elf.sections.physical_offset
+  ignore_above: 1024
+  level: extended
+  name: sections.physical_offset
+  normalize: []
+  original_fieldset: elf
+  short: ELF Section List offset.
+  type: keyword
+process.elf.sections.physical_size:
+  dashed_name: process-elf-sections-physical-size
+  description: ELF Section List physical size.
+  flat_name: process.elf.sections.physical_size
+  format: bytes
+  level: extended
+  name: sections.physical_size
+  normalize: []
+  original_fieldset: elf
+  short: ELF Section List physical size.
+  type: long
+process.elf.sections.type:
+  dashed_name: process-elf-sections-type
+  description: ELF Section List type.
+  flat_name: process.elf.sections.type
+  ignore_above: 1024
+  level: extended
+  name: sections.type
+  normalize: []
+  original_fieldset: elf
+  short: ELF Section List type.
+  type: keyword
+process.elf.sections.virtual_address:
+  dashed_name: process-elf-sections-virtual-address
+  description: ELF Section List virtual address.
+  flat_name: process.elf.sections.virtual_address
+  format: string
+  level: extended
+  name: sections.virtual_address
+  normalize: []
+  original_fieldset: elf
+  short: ELF Section List virtual address.
+  type: long
+process.elf.sections.virtual_size:
+  dashed_name: process-elf-sections-virtual-size
+  description: ELF Section List virtual size.
+  flat_name: process.elf.sections.virtual_size
+  format: string
+  level: extended
+  name: sections.virtual_size
+  normalize: []
+  original_fieldset: elf
+  short: ELF Section List virtual size.
+  type: long
+process.elf.segments:
+  dashed_name: process-elf-segments
+  description: ELF object segment list.
+  flat_name: process.elf.segments
+  level: extended
+  name: segments
+  normalize: []
+  original_fieldset: elf
+  short: ELF object segment list.
+  type: nested
+process.elf.segments.sections:
+  dashed_name: process-elf-segments-sections
+  description: ELF object segment sections.
+  flat_name: process.elf.segments.sections
+  ignore_above: 1024
+  level: extended
+  name: segments.sections
+  normalize: []
+  original_fieldset: elf
+  short: ELF object segment sections.
+  type: keyword
+process.elf.segments.type:
+  dashed_name: process-elf-segments-type
+  description: ELF object segment type.
+  flat_name: process.elf.segments.type
+  ignore_above: 1024
+  level: extended
+  name: segments.type
+  normalize: []
+  original_fieldset: elf
+  short: ELF object segment type.
+  type: keyword
+process.elf.shared_libraries:
+  dashed_name: process-elf-shared-libraries
+  description: List of shared libraries used by this ELF object
+  flat_name: process.elf.shared_libraries
+  ignore_above: 1024
+  level: extended
+  name: shared_libraries
+  normalize:
+  - array
+  original_fieldset: elf
+  short: List of shared libraries used by this ELF object
+  type: keyword
+process.elf.telfhash:
+  dashed_name: process-elf-telfhash
+  description: telfhash is symbol hash for ELF files, just like imphash is imports
+    hash for PE files. Learn more at https://github.com/trendmicro/telfhash.
+  flat_name: process.elf.telfhash
+  ignore_above: 1024
+  level: extended
+  name: telfhash
+  normalize: []
+  original_fieldset: elf
+  short: telfhash hash for ELF files
+  type: keyword
 process.entity_id:
   dashed_name: process-entity-id
   description: 'Unique identifier for the process.
@@ -6409,6 +7049,326 @@ process.parent.command_line:
   original_fieldset: process
   short: Full command line that started the process.
   type: wildcard
+process.parent.elf.architecture:
+  dashed_name: process-parent-elf-architecture
+  description: Machine architecture of the ELF file.
+  example: x86-64
+  flat_name: process.parent.elf.architecture
+  ignore_above: 1024
+  level: extended
+  name: architecture
+  normalize: []
+  original_fieldset: elf
+  short: Machine architecture of the ELF file.
+  type: keyword
+process.parent.elf.byte_order:
+  dashed_name: process-parent-elf-byte-order
+  description: Byte sequence of ELF file.
+  example: Little Endian, Big Endian
+  flat_name: process.parent.elf.byte_order
+  ignore_above: 1024
+  level: extended
+  name: byte_order
+  normalize: []
+  original_fieldset: elf
+  short: Byte sequence of ELF file.
+  type: keyword
+process.parent.elf.cpu_type:
+  dashed_name: process-parent-elf-cpu-type
+  description: CPU type of the ELF file.
+  example: Intel
+  flat_name: process.parent.elf.cpu_type
+  ignore_above: 1024
+  level: extended
+  name: cpu_type
+  normalize: []
+  original_fieldset: elf
+  short: CPU type of the ELF file.
+  type: keyword
+process.parent.elf.creation_date:
+  dashed_name: process-parent-elf-creation-date
+  description: Extracted when possible from the file's metadata. Indicates when it
+    was built or compiled. It can also be faked by malware creators.
+  flat_name: process.parent.elf.creation_date
+  level: extended
+  name: creation_date
+  normalize: []
+  original_fieldset: elf
+  short: Build or compile date.
+  type: date
+process.parent.elf.exports:
+  dashed_name: process-parent-elf-exports
+  description: List of exported element names and types.
+  flat_name: process.parent.elf.exports
+  level: extended
+  name: exports
+  normalize: []
+  original_fieldset: elf
+  short: List of exported element names and types.
+  type: flattened
+process.parent.elf.header.abi_version:
+  dashed_name: process-parent-elf-header-abi-version
+  description: Version of the ELF Application Binary Interface (ABI).
+  flat_name: process.parent.elf.header.abi_version
+  ignore_above: 1024
+  level: extended
+  name: header.abi_version
+  normalize: []
+  original_fieldset: elf
+  short: Version of the ELF Application Binary Interface (ABI).
+  type: keyword
+process.parent.elf.header.class:
+  dashed_name: process-parent-elf-header-class
+  description: Header class of the ELF file.
+  flat_name: process.parent.elf.header.class
+  ignore_above: 1024
+  level: extended
+  name: header.class
+  normalize: []
+  original_fieldset: elf
+  short: Header class of the ELF file.
+  type: keyword
+process.parent.elf.header.data:
+  dashed_name: process-parent-elf-header-data
+  description: Data table of the ELF header.
+  flat_name: process.parent.elf.header.data
+  ignore_above: 1024
+  level: extended
+  name: header.data
+  normalize: []
+  original_fieldset: elf
+  short: Data table of the ELF header.
+  type: keyword
+process.parent.elf.header.entrypoint:
+  dashed_name: process-parent-elf-header-entrypoint
+  description: Header entrypoint of the ELF file.
+  flat_name: process.parent.elf.header.entrypoint
+  format: string
+  level: extended
+  name: header.entrypoint
+  normalize: []
+  original_fieldset: elf
+  short: Header entrypoint of the ELF file.
+  type: long
+process.parent.elf.header.object_version:
+  dashed_name: process-parent-elf-header-object-version
+  description: '"0x1" for original ELF files.'
+  flat_name: process.parent.elf.header.object_version
+  ignore_above: 1024
+  level: extended
+  name: header.object_version
+  normalize: []
+  original_fieldset: elf
+  short: '"0x1" for original ELF files.'
+  type: keyword
+process.parent.elf.header.os_abi:
+  dashed_name: process-parent-elf-header-os-abi
+  description: Application Binary Interface (ABI) of the Linux OS.
+  flat_name: process.parent.elf.header.os_abi
+  ignore_above: 1024
+  level: extended
+  name: header.os_abi
+  normalize: []
+  original_fieldset: elf
+  short: Application Binary Interface (ABI) of the Linux OS.
+  type: keyword
+process.parent.elf.header.type:
+  dashed_name: process-parent-elf-header-type
+  description: Header type of the ELF file.
+  flat_name: process.parent.elf.header.type
+  ignore_above: 1024
+  level: extended
+  name: header.type
+  normalize: []
+  original_fieldset: elf
+  short: Header type of the ELF file.
+  type: keyword
+process.parent.elf.header.version:
+  dashed_name: process-parent-elf-header-version
+  description: Version of the ELF header.
+  flat_name: process.parent.elf.header.version
+  ignore_above: 1024
+  level: extended
+  name: header.version
+  normalize: []
+  original_fieldset: elf
+  short: Version of the ELF header.
+  type: keyword
+process.parent.elf.imports:
+  dashed_name: process-parent-elf-imports
+  description: List of imported element names and types.
+  flat_name: process.parent.elf.imports
+  level: extended
+  name: imports
+  normalize: []
+  original_fieldset: elf
+  short: List of imported element names and types.
+  type: flattened
+process.parent.elf.sections:
+  dashed_name: process-parent-elf-sections
+  description: Section information of the ELF file.
+  flat_name: process.parent.elf.sections
+  level: extended
+  name: sections
+  normalize: []
+  original_fieldset: elf
+  short: Section information of the ELF file.
+  type: nested
+process.parent.elf.sections.chi2:
+  dashed_name: process-parent-elf-sections-chi2
+  description: Chi-square probability distribution of the section.
+  flat_name: process.parent.elf.sections.chi2
+  format: number
+  level: extended
+  name: sections.chi2
+  normalize: []
+  original_fieldset: elf
+  short: Chi-square probability distribution of the section.
+  type: long
+process.parent.elf.sections.entropy:
+  dashed_name: process-parent-elf-sections-entropy
+  description: Shannon entropy calculation from the section.
+  flat_name: process.parent.elf.sections.entropy
+  format: number
+  level: extended
+  name: sections.entropy
+  normalize: []
+  original_fieldset: elf
+  short: Shannon entropy calculation from the section.
+  type: long
+process.parent.elf.sections.flags:
+  dashed_name: process-parent-elf-sections-flags
+  description: ELF Section List flags.
+  flat_name: process.parent.elf.sections.flags
+  ignore_above: 1024
+  level: extended
+  name: sections.flags
+  normalize: []
+  original_fieldset: elf
+  short: ELF Section List flags.
+  type: keyword
+process.parent.elf.sections.name:
+  dashed_name: process-parent-elf-sections-name
+  description: ELF Section List name.
+  flat_name: process.parent.elf.sections.name
+  ignore_above: 1024
+  level: extended
+  name: sections.name
+  normalize: []
+  original_fieldset: elf
+  short: ELF Section List name.
+  type: keyword
+process.parent.elf.sections.physical_offset:
+  dashed_name: process-parent-elf-sections-physical-offset
+  description: ELF Section List offset.
+  flat_name: process.parent.elf.sections.physical_offset
+  ignore_above: 1024
+  level: extended
+  name: sections.physical_offset
+  normalize: []
+  original_fieldset: elf
+  short: ELF Section List offset.
+  type: keyword
+process.parent.elf.sections.physical_size:
+  dashed_name: process-parent-elf-sections-physical-size
+  description: ELF Section List physical size.
+  flat_name: process.parent.elf.sections.physical_size
+  format: bytes
+  level: extended
+  name: sections.physical_size
+  normalize: []
+  original_fieldset: elf
+  short: ELF Section List physical size.
+  type: long
+process.parent.elf.sections.type:
+  dashed_name: process-parent-elf-sections-type
+  description: ELF Section List type.
+  flat_name: process.parent.elf.sections.type
+  ignore_above: 1024
+  level: extended
+  name: sections.type
+  normalize: []
+  original_fieldset: elf
+  short: ELF Section List type.
+  type: keyword
+process.parent.elf.sections.virtual_address:
+  dashed_name: process-parent-elf-sections-virtual-address
+  description: ELF Section List virtual address.
+  flat_name: process.parent.elf.sections.virtual_address
+  format: string
+  level: extended
+  name: sections.virtual_address
+  normalize: []
+  original_fieldset: elf
+  short: ELF Section List virtual address.
+  type: long
+process.parent.elf.sections.virtual_size:
+  dashed_name: process-parent-elf-sections-virtual-size
+  description: ELF Section List virtual size.
+  flat_name: process.parent.elf.sections.virtual_size
+  format: string
+  level: extended
+  name: sections.virtual_size
+  normalize: []
+  original_fieldset: elf
+  short: ELF Section List virtual size.
+  type: long
+process.parent.elf.segments:
+  dashed_name: process-parent-elf-segments
+  description: ELF object segment list.
+  flat_name: process.parent.elf.segments
+  level: extended
+  name: segments
+  normalize: []
+  original_fieldset: elf
+  short: ELF object segment list.
+  type: nested
+process.parent.elf.segments.sections:
+  dashed_name: process-parent-elf-segments-sections
+  description: ELF object segment sections.
+  flat_name: process.parent.elf.segments.sections
+  ignore_above: 1024
+  level: extended
+  name: segments.sections
+  normalize: []
+  original_fieldset: elf
+  short: ELF object segment sections.
+  type: keyword
+process.parent.elf.segments.type:
+  dashed_name: process-parent-elf-segments-type
+  description: ELF object segment type.
+  flat_name: process.parent.elf.segments.type
+  ignore_above: 1024
+  level: extended
+  name: segments.type
+  normalize: []
+  original_fieldset: elf
+  short: ELF object segment type.
+  type: keyword
+process.parent.elf.shared_libraries:
+  dashed_name: process-parent-elf-shared-libraries
+  description: List of shared libraries used by this ELF object
+  flat_name: process.parent.elf.shared_libraries
+  ignore_above: 1024
+  level: extended
+  name: shared_libraries
+  normalize:
+  - array
+  original_fieldset: elf
+  short: List of shared libraries used by this ELF object
+  type: keyword
+process.parent.elf.telfhash:
+  dashed_name: process-parent-elf-telfhash
+  description: telfhash is symbol hash for ELF files, just like imphash is imports
+    hash for PE files. Learn more at https://github.com/trendmicro/telfhash.
+  flat_name: process.parent.elf.telfhash
+  ignore_above: 1024
+  level: extended
+  name: telfhash
+  normalize: []
+  original_fieldset: elf
+  short: telfhash hash for ELF files
+  type: keyword
 process.parent.entity_id:
   dashed_name: process-parent-entity-id
   description: 'Unique identifier for the process.
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index 46621ccf87..235d539e8b 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -2568,6 +2568,315 @@ ecs:
   short: Meta-information specific to ECS.
   title: ECS
   type: group
+elf:
+  description: These fields contain Linux Executable Linkable Format (ELF) metadata.
+  fields:
+    elf.architecture:
+      dashed_name: elf-architecture
+      description: Machine architecture of the ELF file.
+      example: x86-64
+      flat_name: elf.architecture
+      ignore_above: 1024
+      level: extended
+      name: architecture
+      normalize: []
+      short: Machine architecture of the ELF file.
+      type: keyword
+    elf.byte_order:
+      dashed_name: elf-byte-order
+      description: Byte sequence of ELF file.
+      example: Little Endian, Big Endian
+      flat_name: elf.byte_order
+      ignore_above: 1024
+      level: extended
+      name: byte_order
+      normalize: []
+      short: Byte sequence of ELF file.
+      type: keyword
+    elf.cpu_type:
+      dashed_name: elf-cpu-type
+      description: CPU type of the ELF file.
+      example: Intel
+      flat_name: elf.cpu_type
+      ignore_above: 1024
+      level: extended
+      name: cpu_type
+      normalize: []
+      short: CPU type of the ELF file.
+      type: keyword
+    elf.creation_date:
+      dashed_name: elf-creation-date
+      description: Extracted when possible from the file's metadata. Indicates when
+        it was built or compiled. It can also be faked by malware creators.
+      flat_name: elf.creation_date
+      level: extended
+      name: creation_date
+      normalize: []
+      short: Build or compile date.
+      type: date
+    elf.exports:
+      dashed_name: elf-exports
+      description: List of exported element names and types.
+      flat_name: elf.exports
+      level: extended
+      name: exports
+      normalize: []
+      short: List of exported element names and types.
+      type: flattened
+    elf.header.abi_version:
+      dashed_name: elf-header-abi-version
+      description: Version of the ELF Application Binary Interface (ABI).
+      flat_name: elf.header.abi_version
+      ignore_above: 1024
+      level: extended
+      name: header.abi_version
+      normalize: []
+      short: Version of the ELF Application Binary Interface (ABI).
+      type: keyword
+    elf.header.class:
+      dashed_name: elf-header-class
+      description: Header class of the ELF file.
+      flat_name: elf.header.class
+      ignore_above: 1024
+      level: extended
+      name: header.class
+      normalize: []
+      short: Header class of the ELF file.
+      type: keyword
+    elf.header.data:
+      dashed_name: elf-header-data
+      description: Data table of the ELF header.
+      flat_name: elf.header.data
+      ignore_above: 1024
+      level: extended
+      name: header.data
+      normalize: []
+      short: Data table of the ELF header.
+      type: keyword
+    elf.header.entrypoint:
+      dashed_name: elf-header-entrypoint
+      description: Header entrypoint of the ELF file.
+      flat_name: elf.header.entrypoint
+      format: string
+      level: extended
+      name: header.entrypoint
+      normalize: []
+      short: Header entrypoint of the ELF file.
+      type: long
+    elf.header.object_version:
+      dashed_name: elf-header-object-version
+      description: '"0x1" for original ELF files.'
+      flat_name: elf.header.object_version
+      ignore_above: 1024
+      level: extended
+      name: header.object_version
+      normalize: []
+      short: '"0x1" for original ELF files.'
+      type: keyword
+    elf.header.os_abi:
+      dashed_name: elf-header-os-abi
+      description: Application Binary Interface (ABI) of the Linux OS.
+      flat_name: elf.header.os_abi
+      ignore_above: 1024
+      level: extended
+      name: header.os_abi
+      normalize: []
+      short: Application Binary Interface (ABI) of the Linux OS.
+      type: keyword
+    elf.header.type:
+      dashed_name: elf-header-type
+      description: Header type of the ELF file.
+      flat_name: elf.header.type
+      ignore_above: 1024
+      level: extended
+      name: header.type
+      normalize: []
+      short: Header type of the ELF file.
+      type: keyword
+    elf.header.version:
+      dashed_name: elf-header-version
+      description: Version of the ELF header.
+      flat_name: elf.header.version
+      ignore_above: 1024
+      level: extended
+      name: header.version
+      normalize: []
+      short: Version of the ELF header.
+      type: keyword
+    elf.imports:
+      dashed_name: elf-imports
+      description: List of imported element names and types.
+      flat_name: elf.imports
+      level: extended
+      name: imports
+      normalize: []
+      short: List of imported element names and types.
+      type: flattened
+    elf.sections:
+      dashed_name: elf-sections
+      description: Section information of the ELF file.
+      flat_name: elf.sections
+      level: extended
+      name: sections
+      normalize: []
+      short: Section information of the ELF file.
+      type: nested
+    elf.sections.chi2:
+      dashed_name: elf-sections-chi2
+      description: Chi-square probability distribution of the section.
+      flat_name: elf.sections.chi2
+      format: number
+      level: extended
+      name: sections.chi2
+      normalize: []
+      short: Chi-square probability distribution of the section.
+      type: long
+    elf.sections.entropy:
+      dashed_name: elf-sections-entropy
+      description: Shannon entropy calculation from the section.
+      flat_name: elf.sections.entropy
+      format: number
+      level: extended
+      name: sections.entropy
+      normalize: []
+      short: Shannon entropy calculation from the section.
+      type: long
+    elf.sections.flags:
+      dashed_name: elf-sections-flags
+      description: ELF Section List flags.
+      flat_name: elf.sections.flags
+      ignore_above: 1024
+      level: extended
+      name: sections.flags
+      normalize: []
+      short: ELF Section List flags.
+      type: keyword
+    elf.sections.name:
+      dashed_name: elf-sections-name
+      description: ELF Section List name.
+      flat_name: elf.sections.name
+      ignore_above: 1024
+      level: extended
+      name: sections.name
+      normalize: []
+      short: ELF Section List name.
+      type: keyword
+    elf.sections.physical_offset:
+      dashed_name: elf-sections-physical-offset
+      description: ELF Section List offset.
+      flat_name: elf.sections.physical_offset
+      ignore_above: 1024
+      level: extended
+      name: sections.physical_offset
+      normalize: []
+      short: ELF Section List offset.
+      type: keyword
+    elf.sections.physical_size:
+      dashed_name: elf-sections-physical-size
+      description: ELF Section List physical size.
+      flat_name: elf.sections.physical_size
+      format: bytes
+      level: extended
+      name: sections.physical_size
+      normalize: []
+      short: ELF Section List physical size.
+      type: long
+    elf.sections.type:
+      dashed_name: elf-sections-type
+      description: ELF Section List type.
+      flat_name: elf.sections.type
+      ignore_above: 1024
+      level: extended
+      name: sections.type
+      normalize: []
+      short: ELF Section List type.
+      type: keyword
+    elf.sections.virtual_address:
+      dashed_name: elf-sections-virtual-address
+      description: ELF Section List virtual address.
+      flat_name: elf.sections.virtual_address
+      format: string
+      level: extended
+      name: sections.virtual_address
+      normalize: []
+      short: ELF Section List virtual address.
+      type: long
+    elf.sections.virtual_size:
+      dashed_name: elf-sections-virtual-size
+      description: ELF Section List virtual size.
+      flat_name: elf.sections.virtual_size
+      format: string
+      level: extended
+      name: sections.virtual_size
+      normalize: []
+      short: ELF Section List virtual size.
+      type: long
+    elf.segments:
+      dashed_name: elf-segments
+      description: ELF object segment list.
+      flat_name: elf.segments
+      level: extended
+      name: segments
+      normalize: []
+      short: ELF object segment list.
+      type: nested
+    elf.segments.sections:
+      dashed_name: elf-segments-sections
+      description: ELF object segment sections.
+      flat_name: elf.segments.sections
+      ignore_above: 1024
+      level: extended
+      name: segments.sections
+      normalize: []
+      short: ELF object segment sections.
+      type: keyword
+    elf.segments.type:
+      dashed_name: elf-segments-type
+      description: ELF object segment type.
+      flat_name: elf.segments.type
+      ignore_above: 1024
+      level: extended
+      name: segments.type
+      normalize: []
+      short: ELF object segment type.
+      type: keyword
+    elf.shared_libraries:
+      dashed_name: elf-shared-libraries
+      description: List of shared libraries used by this ELF object
+      flat_name: elf.shared_libraries
+      ignore_above: 1024
+      level: extended
+      name: shared_libraries
+      normalize:
+      - array
+      short: List of shared libraries used by this ELF object
+      type: keyword
+    elf.telfhash:
+      dashed_name: elf-telfhash
+      description: telfhash is symbol hash for ELF files, just like imphash is imports
+        hash for PE files. Learn more at https://github.com/trendmicro/telfhash.
+      flat_name: elf.telfhash
+      ignore_above: 1024
+      level: extended
+      name: telfhash
+      normalize: []
+      short: telfhash hash for ELF files
+      type: keyword
+  group: 2
+  name: elf
+  prefix: elf.
+  reusable:
+    expected:
+    - as: elf
+      at: file
+      full: file.elf
+    - as: elf
+      at: process
+      full: process.elf
+    top_level: false
+  short: These fields contain Linux Executable Linkable Format (ELF) metadata.
+  title: ELF Header
+  type: group
 error:
   description: 'These fields can represent errors of any kind.
 
@@ -3610,6 +3919,326 @@ file:
       normalize: []
       short: Drive letter where the file is located.
       type: keyword
+    file.elf.architecture:
+      dashed_name: file-elf-architecture
+      description: Machine architecture of the ELF file.
+      example: x86-64
+      flat_name: file.elf.architecture
+      ignore_above: 1024
+      level: extended
+      name: architecture
+      normalize: []
+      original_fieldset: elf
+      short: Machine architecture of the ELF file.
+      type: keyword
+    file.elf.byte_order:
+      dashed_name: file-elf-byte-order
+      description: Byte sequence of ELF file.
+      example: Little Endian, Big Endian
+      flat_name: file.elf.byte_order
+      ignore_above: 1024
+      level: extended
+      name: byte_order
+      normalize: []
+      original_fieldset: elf
+      short: Byte sequence of ELF file.
+      type: keyword
+    file.elf.cpu_type:
+      dashed_name: file-elf-cpu-type
+      description: CPU type of the ELF file.
+      example: Intel
+      flat_name: file.elf.cpu_type
+      ignore_above: 1024
+      level: extended
+      name: cpu_type
+      normalize: []
+      original_fieldset: elf
+      short: CPU type of the ELF file.
+      type: keyword
+    file.elf.creation_date:
+      dashed_name: file-elf-creation-date
+      description: Extracted when possible from the file's metadata. Indicates when
+        it was built or compiled. It can also be faked by malware creators.
+      flat_name: file.elf.creation_date
+      level: extended
+      name: creation_date
+      normalize: []
+      original_fieldset: elf
+      short: Build or compile date.
+      type: date
+    file.elf.exports:
+      dashed_name: file-elf-exports
+      description: List of exported element names and types.
+      flat_name: file.elf.exports
+      level: extended
+      name: exports
+      normalize: []
+      original_fieldset: elf
+      short: List of exported element names and types.
+      type: flattened
+    file.elf.header.abi_version:
+      dashed_name: file-elf-header-abi-version
+      description: Version of the ELF Application Binary Interface (ABI).
+      flat_name: file.elf.header.abi_version
+      ignore_above: 1024
+      level: extended
+      name: header.abi_version
+      normalize: []
+      original_fieldset: elf
+      short: Version of the ELF Application Binary Interface (ABI).
+      type: keyword
+    file.elf.header.class:
+      dashed_name: file-elf-header-class
+      description: Header class of the ELF file.
+      flat_name: file.elf.header.class
+      ignore_above: 1024
+      level: extended
+      name: header.class
+      normalize: []
+      original_fieldset: elf
+      short: Header class of the ELF file.
+      type: keyword
+    file.elf.header.data:
+      dashed_name: file-elf-header-data
+      description: Data table of the ELF header.
+      flat_name: file.elf.header.data
+      ignore_above: 1024
+      level: extended
+      name: header.data
+      normalize: []
+      original_fieldset: elf
+      short: Data table of the ELF header.
+      type: keyword
+    file.elf.header.entrypoint:
+      dashed_name: file-elf-header-entrypoint
+      description: Header entrypoint of the ELF file.
+      flat_name: file.elf.header.entrypoint
+      format: string
+      level: extended
+      name: header.entrypoint
+      normalize: []
+      original_fieldset: elf
+      short: Header entrypoint of the ELF file.
+      type: long
+    file.elf.header.object_version:
+      dashed_name: file-elf-header-object-version
+      description: '"0x1" for original ELF files.'
+      flat_name: file.elf.header.object_version
+      ignore_above: 1024
+      level: extended
+      name: header.object_version
+      normalize: []
+      original_fieldset: elf
+      short: '"0x1" for original ELF files.'
+      type: keyword
+    file.elf.header.os_abi:
+      dashed_name: file-elf-header-os-abi
+      description: Application Binary Interface (ABI) of the Linux OS.
+      flat_name: file.elf.header.os_abi
+      ignore_above: 1024
+      level: extended
+      name: header.os_abi
+      normalize: []
+      original_fieldset: elf
+      short: Application Binary Interface (ABI) of the Linux OS.
+      type: keyword
+    file.elf.header.type:
+      dashed_name: file-elf-header-type
+      description: Header type of the ELF file.
+      flat_name: file.elf.header.type
+      ignore_above: 1024
+      level: extended
+      name: header.type
+      normalize: []
+      original_fieldset: elf
+      short: Header type of the ELF file.
+      type: keyword
+    file.elf.header.version:
+      dashed_name: file-elf-header-version
+      description: Version of the ELF header.
+      flat_name: file.elf.header.version
+      ignore_above: 1024
+      level: extended
+      name: header.version
+      normalize: []
+      original_fieldset: elf
+      short: Version of the ELF header.
+      type: keyword
+    file.elf.imports:
+      dashed_name: file-elf-imports
+      description: List of imported element names and types.
+      flat_name: file.elf.imports
+      level: extended
+      name: imports
+      normalize: []
+      original_fieldset: elf
+      short: List of imported element names and types.
+      type: flattened
+    file.elf.sections:
+      dashed_name: file-elf-sections
+      description: Section information of the ELF file.
+      flat_name: file.elf.sections
+      level: extended
+      name: sections
+      normalize: []
+      original_fieldset: elf
+      short: Section information of the ELF file.
+      type: nested
+    file.elf.sections.chi2:
+      dashed_name: file-elf-sections-chi2
+      description: Chi-square probability distribution of the section.
+      flat_name: file.elf.sections.chi2
+      format: number
+      level: extended
+      name: sections.chi2
+      normalize: []
+      original_fieldset: elf
+      short: Chi-square probability distribution of the section.
+      type: long
+    file.elf.sections.entropy:
+      dashed_name: file-elf-sections-entropy
+      description: Shannon entropy calculation from the section.
+      flat_name: file.elf.sections.entropy
+      format: number
+      level: extended
+      name: sections.entropy
+      normalize: []
+      original_fieldset: elf
+      short: Shannon entropy calculation from the section.
+      type: long
+    file.elf.sections.flags:
+      dashed_name: file-elf-sections-flags
+      description: ELF Section List flags.
+      flat_name: file.elf.sections.flags
+      ignore_above: 1024
+      level: extended
+      name: sections.flags
+      normalize: []
+      original_fieldset: elf
+      short: ELF Section List flags.
+      type: keyword
+    file.elf.sections.name:
+      dashed_name: file-elf-sections-name
+      description: ELF Section List name.
+      flat_name: file.elf.sections.name
+      ignore_above: 1024
+      level: extended
+      name: sections.name
+      normalize: []
+      original_fieldset: elf
+      short: ELF Section List name.
+      type: keyword
+    file.elf.sections.physical_offset:
+      dashed_name: file-elf-sections-physical-offset
+      description: ELF Section List offset.
+      flat_name: file.elf.sections.physical_offset
+      ignore_above: 1024
+      level: extended
+      name: sections.physical_offset
+      normalize: []
+      original_fieldset: elf
+      short: ELF Section List offset.
+      type: keyword
+    file.elf.sections.physical_size:
+      dashed_name: file-elf-sections-physical-size
+      description: ELF Section List physical size.
+      flat_name: file.elf.sections.physical_size
+      format: bytes
+      level: extended
+      name: sections.physical_size
+      normalize: []
+      original_fieldset: elf
+      short: ELF Section List physical size.
+      type: long
+    file.elf.sections.type:
+      dashed_name: file-elf-sections-type
+      description: ELF Section List type.
+      flat_name: file.elf.sections.type
+      ignore_above: 1024
+      level: extended
+      name: sections.type
+      normalize: []
+      original_fieldset: elf
+      short: ELF Section List type.
+      type: keyword
+    file.elf.sections.virtual_address:
+      dashed_name: file-elf-sections-virtual-address
+      description: ELF Section List virtual address.
+      flat_name: file.elf.sections.virtual_address
+      format: string
+      level: extended
+      name: sections.virtual_address
+      normalize: []
+      original_fieldset: elf
+      short: ELF Section List virtual address.
+      type: long
+    file.elf.sections.virtual_size:
+      dashed_name: file-elf-sections-virtual-size
+      description: ELF Section List virtual size.
+      flat_name: file.elf.sections.virtual_size
+      format: string
+      level: extended
+      name: sections.virtual_size
+      normalize: []
+      original_fieldset: elf
+      short: ELF Section List virtual size.
+      type: long
+    file.elf.segments:
+      dashed_name: file-elf-segments
+      description: ELF object segment list.
+      flat_name: file.elf.segments
+      level: extended
+      name: segments
+      normalize: []
+      original_fieldset: elf
+      short: ELF object segment list.
+      type: nested
+    file.elf.segments.sections:
+      dashed_name: file-elf-segments-sections
+      description: ELF object segment sections.
+      flat_name: file.elf.segments.sections
+      ignore_above: 1024
+      level: extended
+      name: segments.sections
+      normalize: []
+      original_fieldset: elf
+      short: ELF object segment sections.
+      type: keyword
+    file.elf.segments.type:
+      dashed_name: file-elf-segments-type
+      description: ELF object segment type.
+      flat_name: file.elf.segments.type
+      ignore_above: 1024
+      level: extended
+      name: segments.type
+      normalize: []
+      original_fieldset: elf
+      short: ELF object segment type.
+      type: keyword
+    file.elf.shared_libraries:
+      dashed_name: file-elf-shared-libraries
+      description: List of shared libraries used by this ELF object
+      flat_name: file.elf.shared_libraries
+      ignore_above: 1024
+      level: extended
+      name: shared_libraries
+      normalize:
+      - array
+      original_fieldset: elf
+      short: List of shared libraries used by this ELF object
+      type: keyword
+    file.elf.telfhash:
+      dashed_name: file-elf-telfhash
+      description: telfhash is symbol hash for ELF files, just like imphash is imports
+        hash for PE files. Learn more at https://github.com/trendmicro/telfhash.
+      flat_name: file.elf.telfhash
+      ignore_above: 1024
+      level: extended
+      name: telfhash
+      normalize: []
+      original_fieldset: elf
+      short: telfhash hash for ELF files
+      type: keyword
     file.extension:
       dashed_name: file-extension
       description: 'File extension, excluding the leading dot.
@@ -4598,6 +5227,7 @@ file:
   name: file
   nestings:
   - file.code_signature
+  - file.elf
   - file.hash
   - file.pe
   - file.x509
@@ -4621,6 +5251,9 @@ file:
   - full: file.x509
     schema_name: x509
     short: These fields contain x509 certificate metadata.
+  - full: file.elf
+    schema_name: elf
+    short: These fields contain Linux Executable Linkable Format (ELF) metadata.
   short: Fields describing files.
   title: File
   type: group
@@ -7673,6 +8306,326 @@ process:
       normalize: []
       short: Full command line that started the process.
       type: wildcard
+    process.elf.architecture:
+      dashed_name: process-elf-architecture
+      description: Machine architecture of the ELF file.
+      example: x86-64
+      flat_name: process.elf.architecture
+      ignore_above: 1024
+      level: extended
+      name: architecture
+      normalize: []
+      original_fieldset: elf
+      short: Machine architecture of the ELF file.
+      type: keyword
+    process.elf.byte_order:
+      dashed_name: process-elf-byte-order
+      description: Byte sequence of ELF file.
+      example: Little Endian, Big Endian
+      flat_name: process.elf.byte_order
+      ignore_above: 1024
+      level: extended
+      name: byte_order
+      normalize: []
+      original_fieldset: elf
+      short: Byte sequence of ELF file.
+      type: keyword
+    process.elf.cpu_type:
+      dashed_name: process-elf-cpu-type
+      description: CPU type of the ELF file.
+      example: Intel
+      flat_name: process.elf.cpu_type
+      ignore_above: 1024
+      level: extended
+      name: cpu_type
+      normalize: []
+      original_fieldset: elf
+      short: CPU type of the ELF file.
+      type: keyword
+    process.elf.creation_date:
+      dashed_name: process-elf-creation-date
+      description: Extracted when possible from the file's metadata. Indicates when
+        it was built or compiled. It can also be faked by malware creators.
+      flat_name: process.elf.creation_date
+      level: extended
+      name: creation_date
+      normalize: []
+      original_fieldset: elf
+      short: Build or compile date.
+      type: date
+    process.elf.exports:
+      dashed_name: process-elf-exports
+      description: List of exported element names and types.
+      flat_name: process.elf.exports
+      level: extended
+      name: exports
+      normalize: []
+      original_fieldset: elf
+      short: List of exported element names and types.
+      type: flattened
+    process.elf.header.abi_version:
+      dashed_name: process-elf-header-abi-version
+      description: Version of the ELF Application Binary Interface (ABI).
+      flat_name: process.elf.header.abi_version
+      ignore_above: 1024
+      level: extended
+      name: header.abi_version
+      normalize: []
+      original_fieldset: elf
+      short: Version of the ELF Application Binary Interface (ABI).
+      type: keyword
+    process.elf.header.class:
+      dashed_name: process-elf-header-class
+      description: Header class of the ELF file.
+      flat_name: process.elf.header.class
+      ignore_above: 1024
+      level: extended
+      name: header.class
+      normalize: []
+      original_fieldset: elf
+      short: Header class of the ELF file.
+      type: keyword
+    process.elf.header.data:
+      dashed_name: process-elf-header-data
+      description: Data table of the ELF header.
+      flat_name: process.elf.header.data
+      ignore_above: 1024
+      level: extended
+      name: header.data
+      normalize: []
+      original_fieldset: elf
+      short: Data table of the ELF header.
+      type: keyword
+    process.elf.header.entrypoint:
+      dashed_name: process-elf-header-entrypoint
+      description: Header entrypoint of the ELF file.
+      flat_name: process.elf.header.entrypoint
+      format: string
+      level: extended
+      name: header.entrypoint
+      normalize: []
+      original_fieldset: elf
+      short: Header entrypoint of the ELF file.
+      type: long
+    process.elf.header.object_version:
+      dashed_name: process-elf-header-object-version
+      description: '"0x1" for original ELF files.'
+      flat_name: process.elf.header.object_version
+      ignore_above: 1024
+      level: extended
+      name: header.object_version
+      normalize: []
+      original_fieldset: elf
+      short: '"0x1" for original ELF files.'
+      type: keyword
+    process.elf.header.os_abi:
+      dashed_name: process-elf-header-os-abi
+      description: Application Binary Interface (ABI) of the Linux OS.
+      flat_name: process.elf.header.os_abi
+      ignore_above: 1024
+      level: extended
+      name: header.os_abi
+      normalize: []
+      original_fieldset: elf
+      short: Application Binary Interface (ABI) of the Linux OS.
+      type: keyword
+    process.elf.header.type:
+      dashed_name: process-elf-header-type
+      description: Header type of the ELF file.
+      flat_name: process.elf.header.type
+      ignore_above: 1024
+      level: extended
+      name: header.type
+      normalize: []
+      original_fieldset: elf
+      short: Header type of the ELF file.
+      type: keyword
+    process.elf.header.version:
+      dashed_name: process-elf-header-version
+      description: Version of the ELF header.
+      flat_name: process.elf.header.version
+      ignore_above: 1024
+      level: extended
+      name: header.version
+      normalize: []
+      original_fieldset: elf
+      short: Version of the ELF header.
+      type: keyword
+    process.elf.imports:
+      dashed_name: process-elf-imports
+      description: List of imported element names and types.
+      flat_name: process.elf.imports
+      level: extended
+      name: imports
+      normalize: []
+      original_fieldset: elf
+      short: List of imported element names and types.
+      type: flattened
+    process.elf.sections:
+      dashed_name: process-elf-sections
+      description: Section information of the ELF file.
+      flat_name: process.elf.sections
+      level: extended
+      name: sections
+      normalize: []
+      original_fieldset: elf
+      short: Section information of the ELF file.
+      type: nested
+    process.elf.sections.chi2:
+      dashed_name: process-elf-sections-chi2
+      description: Chi-square probability distribution of the section.
+      flat_name: process.elf.sections.chi2
+      format: number
+      level: extended
+      name: sections.chi2
+      normalize: []
+      original_fieldset: elf
+      short: Chi-square probability distribution of the section.
+      type: long
+    process.elf.sections.entropy:
+      dashed_name: process-elf-sections-entropy
+      description: Shannon entropy calculation from the section.
+      flat_name: process.elf.sections.entropy
+      format: number
+      level: extended
+      name: sections.entropy
+      normalize: []
+      original_fieldset: elf
+      short: Shannon entropy calculation from the section.
+      type: long
+    process.elf.sections.flags:
+      dashed_name: process-elf-sections-flags
+      description: ELF Section List flags.
+      flat_name: process.elf.sections.flags
+      ignore_above: 1024
+      level: extended
+      name: sections.flags
+      normalize: []
+      original_fieldset: elf
+      short: ELF Section List flags.
+      type: keyword
+    process.elf.sections.name:
+      dashed_name: process-elf-sections-name
+      description: ELF Section List name.
+      flat_name: process.elf.sections.name
+      ignore_above: 1024
+      level: extended
+      name: sections.name
+      normalize: []
+      original_fieldset: elf
+      short: ELF Section List name.
+      type: keyword
+    process.elf.sections.physical_offset:
+      dashed_name: process-elf-sections-physical-offset
+      description: ELF Section List offset.
+      flat_name: process.elf.sections.physical_offset
+      ignore_above: 1024
+      level: extended
+      name: sections.physical_offset
+      normalize: []
+      original_fieldset: elf
+      short: ELF Section List offset.
+      type: keyword
+    process.elf.sections.physical_size:
+      dashed_name: process-elf-sections-physical-size
+      description: ELF Section List physical size.
+      flat_name: process.elf.sections.physical_size
+      format: bytes
+      level: extended
+      name: sections.physical_size
+      normalize: []
+      original_fieldset: elf
+      short: ELF Section List physical size.
+      type: long
+    process.elf.sections.type:
+      dashed_name: process-elf-sections-type
+      description: ELF Section List type.
+      flat_name: process.elf.sections.type
+      ignore_above: 1024
+      level: extended
+      name: sections.type
+      normalize: []
+      original_fieldset: elf
+      short: ELF Section List type.
+      type: keyword
+    process.elf.sections.virtual_address:
+      dashed_name: process-elf-sections-virtual-address
+      description: ELF Section List virtual address.
+      flat_name: process.elf.sections.virtual_address
+      format: string
+      level: extended
+      name: sections.virtual_address
+      normalize: []
+      original_fieldset: elf
+      short: ELF Section List virtual address.
+      type: long
+    process.elf.sections.virtual_size:
+      dashed_name: process-elf-sections-virtual-size
+      description: ELF Section List virtual size.
+      flat_name: process.elf.sections.virtual_size
+      format: string
+      level: extended
+      name: sections.virtual_size
+      normalize: []
+      original_fieldset: elf
+      short: ELF Section List virtual size.
+      type: long
+    process.elf.segments:
+      dashed_name: process-elf-segments
+      description: ELF object segment list.
+      flat_name: process.elf.segments
+      level: extended
+      name: segments
+      normalize: []
+      original_fieldset: elf
+      short: ELF object segment list.
+      type: nested
+    process.elf.segments.sections:
+      dashed_name: process-elf-segments-sections
+      description: ELF object segment sections.
+      flat_name: process.elf.segments.sections
+      ignore_above: 1024
+      level: extended
+      name: segments.sections
+      normalize: []
+      original_fieldset: elf
+      short: ELF object segment sections.
+      type: keyword
+    process.elf.segments.type:
+      dashed_name: process-elf-segments-type
+      description: ELF object segment type.
+      flat_name: process.elf.segments.type
+      ignore_above: 1024
+      level: extended
+      name: segments.type
+      normalize: []
+      original_fieldset: elf
+      short: ELF object segment type.
+      type: keyword
+    process.elf.shared_libraries:
+      dashed_name: process-elf-shared-libraries
+      description: List of shared libraries used by this ELF object
+      flat_name: process.elf.shared_libraries
+      ignore_above: 1024
+      level: extended
+      name: shared_libraries
+      normalize:
+      - array
+      original_fieldset: elf
+      short: List of shared libraries used by this ELF object
+      type: keyword
+    process.elf.telfhash:
+      dashed_name: process-elf-telfhash
+      description: telfhash is symbol hash for ELF files, just like imphash is imports
+        hash for PE files. Learn more at https://github.com/trendmicro/telfhash.
+      flat_name: process.elf.telfhash
+      ignore_above: 1024
+      level: extended
+      name: telfhash
+      normalize: []
+      original_fieldset: elf
+      short: telfhash hash for ELF files
+      type: keyword
     process.entity_id:
       dashed_name: process-entity-id
       description: 'Unique identifier for the process.
@@ -7940,6 +8893,326 @@ process:
       original_fieldset: process
       short: Full command line that started the process.
       type: wildcard
+    process.parent.elf.architecture:
+      dashed_name: process-parent-elf-architecture
+      description: Machine architecture of the ELF file.
+      example: x86-64
+      flat_name: process.parent.elf.architecture
+      ignore_above: 1024
+      level: extended
+      name: architecture
+      normalize: []
+      original_fieldset: elf
+      short: Machine architecture of the ELF file.
+      type: keyword
+    process.parent.elf.byte_order:
+      dashed_name: process-parent-elf-byte-order
+      description: Byte sequence of ELF file.
+      example: Little Endian, Big Endian
+      flat_name: process.parent.elf.byte_order
+      ignore_above: 1024
+      level: extended
+      name: byte_order
+      normalize: []
+      original_fieldset: elf
+      short: Byte sequence of ELF file.
+      type: keyword
+    process.parent.elf.cpu_type:
+      dashed_name: process-parent-elf-cpu-type
+      description: CPU type of the ELF file.
+      example: Intel
+      flat_name: process.parent.elf.cpu_type
+      ignore_above: 1024
+      level: extended
+      name: cpu_type
+      normalize: []
+      original_fieldset: elf
+      short: CPU type of the ELF file.
+      type: keyword
+    process.parent.elf.creation_date:
+      dashed_name: process-parent-elf-creation-date
+      description: Extracted when possible from the file's metadata. Indicates when
+        it was built or compiled. It can also be faked by malware creators.
+      flat_name: process.parent.elf.creation_date
+      level: extended
+      name: creation_date
+      normalize: []
+      original_fieldset: elf
+      short: Build or compile date.
+      type: date
+    process.parent.elf.exports:
+      dashed_name: process-parent-elf-exports
+      description: List of exported element names and types.
+      flat_name: process.parent.elf.exports
+      level: extended
+      name: exports
+      normalize: []
+      original_fieldset: elf
+      short: List of exported element names and types.
+      type: flattened
+    process.parent.elf.header.abi_version:
+      dashed_name: process-parent-elf-header-abi-version
+      description: Version of the ELF Application Binary Interface (ABI).
+      flat_name: process.parent.elf.header.abi_version
+      ignore_above: 1024
+      level: extended
+      name: header.abi_version
+      normalize: []
+      original_fieldset: elf
+      short: Version of the ELF Application Binary Interface (ABI).
+      type: keyword
+    process.parent.elf.header.class:
+      dashed_name: process-parent-elf-header-class
+      description: Header class of the ELF file.
+      flat_name: process.parent.elf.header.class
+      ignore_above: 1024
+      level: extended
+      name: header.class
+      normalize: []
+      original_fieldset: elf
+      short: Header class of the ELF file.
+      type: keyword
+    process.parent.elf.header.data:
+      dashed_name: process-parent-elf-header-data
+      description: Data table of the ELF header.
+      flat_name: process.parent.elf.header.data
+      ignore_above: 1024
+      level: extended
+      name: header.data
+      normalize: []
+      original_fieldset: elf
+      short: Data table of the ELF header.
+      type: keyword
+    process.parent.elf.header.entrypoint:
+      dashed_name: process-parent-elf-header-entrypoint
+      description: Header entrypoint of the ELF file.
+      flat_name: process.parent.elf.header.entrypoint
+      format: string
+      level: extended
+      name: header.entrypoint
+      normalize: []
+      original_fieldset: elf
+      short: Header entrypoint of the ELF file.
+      type: long
+    process.parent.elf.header.object_version:
+      dashed_name: process-parent-elf-header-object-version
+      description: '"0x1" for original ELF files.'
+      flat_name: process.parent.elf.header.object_version
+      ignore_above: 1024
+      level: extended
+      name: header.object_version
+      normalize: []
+      original_fieldset: elf
+      short: '"0x1" for original ELF files.'
+      type: keyword
+    process.parent.elf.header.os_abi:
+      dashed_name: process-parent-elf-header-os-abi
+      description: Application Binary Interface (ABI) of the Linux OS.
+      flat_name: process.parent.elf.header.os_abi
+      ignore_above: 1024
+      level: extended
+      name: header.os_abi
+      normalize: []
+      original_fieldset: elf
+      short: Application Binary Interface (ABI) of the Linux OS.
+      type: keyword
+    process.parent.elf.header.type:
+      dashed_name: process-parent-elf-header-type
+      description: Header type of the ELF file.
+      flat_name: process.parent.elf.header.type
+      ignore_above: 1024
+      level: extended
+      name: header.type
+      normalize: []
+      original_fieldset: elf
+      short: Header type of the ELF file.
+      type: keyword
+    process.parent.elf.header.version:
+      dashed_name: process-parent-elf-header-version
+      description: Version of the ELF header.
+      flat_name: process.parent.elf.header.version
+      ignore_above: 1024
+      level: extended
+      name: header.version
+      normalize: []
+      original_fieldset: elf
+      short: Version of the ELF header.
+      type: keyword
+    process.parent.elf.imports:
+      dashed_name: process-parent-elf-imports
+      description: List of imported element names and types.
+      flat_name: process.parent.elf.imports
+      level: extended
+      name: imports
+      normalize: []
+      original_fieldset: elf
+      short: List of imported element names and types.
+      type: flattened
+    process.parent.elf.sections:
+      dashed_name: process-parent-elf-sections
+      description: Section information of the ELF file.
+      flat_name: process.parent.elf.sections
+      level: extended
+      name: sections
+      normalize: []
+      original_fieldset: elf
+      short: Section information of the ELF file.
+      type: nested
+    process.parent.elf.sections.chi2:
+      dashed_name: process-parent-elf-sections-chi2
+      description: Chi-square probability distribution of the section.
+      flat_name: process.parent.elf.sections.chi2
+      format: number
+      level: extended
+      name: sections.chi2
+      normalize: []
+      original_fieldset: elf
+      short: Chi-square probability distribution of the section.
+      type: long
+    process.parent.elf.sections.entropy:
+      dashed_name: process-parent-elf-sections-entropy
+      description: Shannon entropy calculation from the section.
+      flat_name: process.parent.elf.sections.entropy
+      format: number
+      level: extended
+      name: sections.entropy
+      normalize: []
+      original_fieldset: elf
+      short: Shannon entropy calculation from the section.
+      type: long
+    process.parent.elf.sections.flags:
+      dashed_name: process-parent-elf-sections-flags
+      description: ELF Section List flags.
+      flat_name: process.parent.elf.sections.flags
+      ignore_above: 1024
+      level: extended
+      name: sections.flags
+      normalize: []
+      original_fieldset: elf
+      short: ELF Section List flags.
+      type: keyword
+    process.parent.elf.sections.name:
+      dashed_name: process-parent-elf-sections-name
+      description: ELF Section List name.
+      flat_name: process.parent.elf.sections.name
+      ignore_above: 1024
+      level: extended
+      name: sections.name
+      normalize: []
+      original_fieldset: elf
+      short: ELF Section List name.
+      type: keyword
+    process.parent.elf.sections.physical_offset:
+      dashed_name: process-parent-elf-sections-physical-offset
+      description: ELF Section List offset.
+      flat_name: process.parent.elf.sections.physical_offset
+      ignore_above: 1024
+      level: extended
+      name: sections.physical_offset
+      normalize: []
+      original_fieldset: elf
+      short: ELF Section List offset.
+      type: keyword
+    process.parent.elf.sections.physical_size:
+      dashed_name: process-parent-elf-sections-physical-size
+      description: ELF Section List physical size.
+      flat_name: process.parent.elf.sections.physical_size
+      format: bytes
+      level: extended
+      name: sections.physical_size
+      normalize: []
+      original_fieldset: elf
+      short: ELF Section List physical size.
+      type: long
+    process.parent.elf.sections.type:
+      dashed_name: process-parent-elf-sections-type
+      description: ELF Section List type.
+      flat_name: process.parent.elf.sections.type
+      ignore_above: 1024
+      level: extended
+      name: sections.type
+      normalize: []
+      original_fieldset: elf
+      short: ELF Section List type.
+      type: keyword
+    process.parent.elf.sections.virtual_address:
+      dashed_name: process-parent-elf-sections-virtual-address
+      description: ELF Section List virtual address.
+      flat_name: process.parent.elf.sections.virtual_address
+      format: string
+      level: extended
+      name: sections.virtual_address
+      normalize: []
+      original_fieldset: elf
+      short: ELF Section List virtual address.
+      type: long
+    process.parent.elf.sections.virtual_size:
+      dashed_name: process-parent-elf-sections-virtual-size
+      description: ELF Section List virtual size.
+      flat_name: process.parent.elf.sections.virtual_size
+      format: string
+      level: extended
+      name: sections.virtual_size
+      normalize: []
+      original_fieldset: elf
+      short: ELF Section List virtual size.
+      type: long
+    process.parent.elf.segments:
+      dashed_name: process-parent-elf-segments
+      description: ELF object segment list.
+      flat_name: process.parent.elf.segments
+      level: extended
+      name: segments
+      normalize: []
+      original_fieldset: elf
+      short: ELF object segment list.
+      type: nested
+    process.parent.elf.segments.sections:
+      dashed_name: process-parent-elf-segments-sections
+      description: ELF object segment sections.
+      flat_name: process.parent.elf.segments.sections
+      ignore_above: 1024
+      level: extended
+      name: segments.sections
+      normalize: []
+      original_fieldset: elf
+      short: ELF object segment sections.
+      type: keyword
+    process.parent.elf.segments.type:
+      dashed_name: process-parent-elf-segments-type
+      description: ELF object segment type.
+      flat_name: process.parent.elf.segments.type
+      ignore_above: 1024
+      level: extended
+      name: segments.type
+      normalize: []
+      original_fieldset: elf
+      short: ELF object segment type.
+      type: keyword
+    process.parent.elf.shared_libraries:
+      dashed_name: process-parent-elf-shared-libraries
+      description: List of shared libraries used by this ELF object
+      flat_name: process.parent.elf.shared_libraries
+      ignore_above: 1024
+      level: extended
+      name: shared_libraries
+      normalize:
+      - array
+      original_fieldset: elf
+      short: List of shared libraries used by this ELF object
+      type: keyword
+    process.parent.elf.telfhash:
+      dashed_name: process-parent-elf-telfhash
+      description: telfhash is symbol hash for ELF files, just like imphash is imports
+        hash for PE files. Learn more at https://github.com/trendmicro/telfhash.
+      flat_name: process.parent.elf.telfhash
+      ignore_above: 1024
+      level: extended
+      name: telfhash
+      normalize: []
+      original_fieldset: elf
+      short: telfhash hash for ELF files
+      type: keyword
     process.parent.entity_id:
       dashed_name: process-parent-entity-id
       description: 'Unique identifier for the process.
@@ -9204,6 +10477,7 @@ process:
   name: process
   nestings:
   - process.code_signature
+  - process.elf
   - process.hash
   - process.parent
   - process.pe
@@ -9224,6 +10498,9 @@ process:
   - full: process.pe
     schema_name: pe
     short: These fields contain Windows Portable Executable (PE) metadata.
+  - full: process.elf
+    schema_name: elf
+    short: These fields contain Linux Executable Linkable Format (ELF) metadata.
   - full: process.parent
     schema_name: process
     short: These fields contain information about a process.
diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json
index d0e3ddd29d..ccc3dda09f 100644
--- a/experimental/generated/elasticsearch/7/template.json
+++ b/experimental/generated/elasticsearch/7/template.json
@@ -1004,6 +1004,123 @@
             "ignore_above": 1,
             "type": "keyword"
           },
+          "elf": {
+            "properties": {
+              "architecture": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "byte_order": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "cpu_type": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "creation_date": {
+                "type": "date"
+              },
+              "exports": {
+                "type": "flattened"
+              },
+              "header": {
+                "properties": {
+                  "abi_version": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "class": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "data": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "entrypoint": {
+                    "type": "long"
+                  },
+                  "object_version": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "os_abi": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "type": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "version": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "imports": {
+                "type": "flattened"
+              },
+              "sections": {
+                "properties": {
+                  "chi2": {
+                    "type": "long"
+                  },
+                  "entropy": {
+                    "type": "long"
+                  },
+                  "flags": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "physical_offset": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "physical_size": {
+                    "type": "long"
+                  },
+                  "type": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "virtual_address": {
+                    "type": "long"
+                  },
+                  "virtual_size": {
+                    "type": "long"
+                  }
+                },
+                "type": "nested"
+              },
+              "segments": {
+                "properties": {
+                  "sections": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "type": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                },
+                "type": "nested"
+              },
+              "shared_libraries": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "telfhash": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
           "extension": {
             "ignore_above": 1024,
             "type": "keyword"
@@ -2162,6 +2279,123 @@
             },
             "type": "wildcard"
           },
+          "elf": {
+            "properties": {
+              "architecture": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "byte_order": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "cpu_type": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "creation_date": {
+                "type": "date"
+              },
+              "exports": {
+                "type": "flattened"
+              },
+              "header": {
+                "properties": {
+                  "abi_version": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "class": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "data": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "entrypoint": {
+                    "type": "long"
+                  },
+                  "object_version": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "os_abi": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "type": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "version": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "imports": {
+                "type": "flattened"
+              },
+              "sections": {
+                "properties": {
+                  "chi2": {
+                    "type": "long"
+                  },
+                  "entropy": {
+                    "type": "long"
+                  },
+                  "flags": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "physical_offset": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "physical_size": {
+                    "type": "long"
+                  },
+                  "type": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "virtual_address": {
+                    "type": "long"
+                  },
+                  "virtual_size": {
+                    "type": "long"
+                  }
+                },
+                "type": "nested"
+              },
+              "segments": {
+                "properties": {
+                  "sections": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "type": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                },
+                "type": "nested"
+              },
+              "shared_libraries": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "telfhash": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
           "entity_id": {
             "ignore_above": 1024,
             "type": "keyword"
@@ -2258,6 +2492,123 @@
                 },
                 "type": "wildcard"
               },
+              "elf": {
+                "properties": {
+                  "architecture": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "byte_order": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "cpu_type": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "creation_date": {
+                    "type": "date"
+                  },
+                  "exports": {
+                    "type": "flattened"
+                  },
+                  "header": {
+                    "properties": {
+                      "abi_version": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "class": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "data": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "entrypoint": {
+                        "type": "long"
+                      },
+                      "object_version": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "os_abi": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "type": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "version": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      }
+                    }
+                  },
+                  "imports": {
+                    "type": "flattened"
+                  },
+                  "sections": {
+                    "properties": {
+                      "chi2": {
+                        "type": "long"
+                      },
+                      "entropy": {
+                        "type": "long"
+                      },
+                      "flags": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "name": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "physical_offset": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "physical_size": {
+                        "type": "long"
+                      },
+                      "type": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "virtual_address": {
+                        "type": "long"
+                      },
+                      "virtual_size": {
+                        "type": "long"
+                      }
+                    },
+                    "type": "nested"
+                  },
+                  "segments": {
+                    "properties": {
+                      "sections": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "type": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      }
+                    },
+                    "type": "nested"
+                  },
+                  "shared_libraries": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "telfhash": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
               "entity_id": {
                 "ignore_above": 1024,
                 "type": "keyword"
diff --git a/experimental/generated/elasticsearch/component/file.json b/experimental/generated/elasticsearch/component/file.json
index 10df6dba11..d829ebfd29 100644
--- a/experimental/generated/elasticsearch/component/file.json
+++ b/experimental/generated/elasticsearch/component/file.json
@@ -61,6 +61,123 @@
               "ignore_above": 1,
               "type": "keyword"
             },
+            "elf": {
+              "properties": {
+                "architecture": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "byte_order": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "cpu_type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "creation_date": {
+                  "type": "date"
+                },
+                "exports": {
+                  "type": "flattened"
+                },
+                "header": {
+                  "properties": {
+                    "abi_version": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "class": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "data": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "entrypoint": {
+                      "type": "long"
+                    },
+                    "object_version": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "os_abi": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "type": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "version": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "imports": {
+                  "type": "flattened"
+                },
+                "sections": {
+                  "properties": {
+                    "chi2": {
+                      "type": "long"
+                    },
+                    "entropy": {
+                      "type": "long"
+                    },
+                    "flags": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "physical_offset": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "physical_size": {
+                      "type": "long"
+                    },
+                    "type": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "virtual_address": {
+                      "type": "long"
+                    },
+                    "virtual_size": {
+                      "type": "long"
+                    }
+                  },
+                  "type": "nested"
+                },
+                "segments": {
+                  "properties": {
+                    "sections": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "type": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  },
+                  "type": "nested"
+                },
+                "shared_libraries": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "telfhash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
             "extension": {
               "ignore_above": 1024,
               "type": "keyword"
diff --git a/experimental/generated/elasticsearch/component/process.json b/experimental/generated/elasticsearch/component/process.json
index 6433bd60cf..75adf5c85c 100644
--- a/experimental/generated/elasticsearch/component/process.json
+++ b/experimental/generated/elasticsearch/component/process.json
@@ -53,6 +53,123 @@
               },
               "type": "wildcard"
             },
+            "elf": {
+              "properties": {
+                "architecture": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "byte_order": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "cpu_type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "creation_date": {
+                  "type": "date"
+                },
+                "exports": {
+                  "type": "flattened"
+                },
+                "header": {
+                  "properties": {
+                    "abi_version": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "class": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "data": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "entrypoint": {
+                      "type": "long"
+                    },
+                    "object_version": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "os_abi": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "type": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "version": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "imports": {
+                  "type": "flattened"
+                },
+                "sections": {
+                  "properties": {
+                    "chi2": {
+                      "type": "long"
+                    },
+                    "entropy": {
+                      "type": "long"
+                    },
+                    "flags": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "physical_offset": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "physical_size": {
+                      "type": "long"
+                    },
+                    "type": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "virtual_address": {
+                      "type": "long"
+                    },
+                    "virtual_size": {
+                      "type": "long"
+                    }
+                  },
+                  "type": "nested"
+                },
+                "segments": {
+                  "properties": {
+                    "sections": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "type": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  },
+                  "type": "nested"
+                },
+                "shared_libraries": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "telfhash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
             "entity_id": {
               "ignore_above": 1024,
               "type": "keyword"
@@ -149,6 +266,123 @@
                   },
                   "type": "wildcard"
                 },
+                "elf": {
+                  "properties": {
+                    "architecture": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "byte_order": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "cpu_type": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "creation_date": {
+                      "type": "date"
+                    },
+                    "exports": {
+                      "type": "flattened"
+                    },
+                    "header": {
+                      "properties": {
+                        "abi_version": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "class": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "data": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "entrypoint": {
+                          "type": "long"
+                        },
+                        "object_version": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "os_abi": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "type": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "version": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        }
+                      }
+                    },
+                    "imports": {
+                      "type": "flattened"
+                    },
+                    "sections": {
+                      "properties": {
+                        "chi2": {
+                          "type": "long"
+                        },
+                        "entropy": {
+                          "type": "long"
+                        },
+                        "flags": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "name": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "physical_offset": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "physical_size": {
+                          "type": "long"
+                        },
+                        "type": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "virtual_address": {
+                          "type": "long"
+                        },
+                        "virtual_size": {
+                          "type": "long"
+                        }
+                      },
+                      "type": "nested"
+                    },
+                    "segments": {
+                      "properties": {
+                        "sections": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "type": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        }
+                      },
+                      "type": "nested"
+                    },
+                    "shared_libraries": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "telfhash": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
                 "entity_id": {
                   "ignore_above": 1024,
                   "type": "keyword"
diff --git a/experimental/schemas/elf.yml b/experimental/schemas/elf.yml
new file mode 100644
index 0000000000..82b17da920
--- /dev/null
+++ b/experimental/schemas/elf.yml
@@ -0,0 +1,198 @@
+---
+- name: elf
+  title: ELF Header
+  group: 2
+  description: >
+    These fields contain Linux Executable Linkable Format (ELF) metadata.
+  type: group
+  reusable:
+    top_level: false
+    expected:
+      - file
+      - process
+  fields:
+    - name: creation_date
+      short: Build or compile date.
+      description: >
+        Extracted when possible from the file's metadata. Indicates when it was
+        built or compiled. It can also be faked by malware creators.
+      type: date
+      level: extended
+
+    - name: architecture
+      description: >
+        Machine architecture of the ELF file.
+      type: keyword
+      level: extended
+      example: x86-64
+
+    - name: byte_order
+      description: >
+        Byte sequence of ELF file.
+      type: keyword
+      level: extended
+      example: Little Endian, Big Endian
+
+    - name: cpu_type
+      description: >
+        CPU type of the ELF file.
+      type: keyword
+      level: extended
+      example: Intel
+
+    - name: header.class
+      description: >
+        Header class of the ELF file.
+      type: keyword
+      level: extended
+
+    - name: header.data
+      description: >
+        Data table of the ELF header.
+      type: keyword
+      level: extended
+
+    - name: header.os_abi
+      description: >
+        Application Binary Interface (ABI) of the Linux OS.
+      type: keyword
+      level: extended
+
+    - name: header.type
+      description: >
+        Header type of the ELF file.
+      type: keyword
+      level: extended
+
+    - name: header.version
+      description: >
+        Version of the ELF header.
+      type: keyword
+      level: extended
+
+    - name: header.abi_version
+      type: keyword
+      level: extended
+      description: >
+        Version of the ELF Application Binary Interface (ABI).
+
+    - name: header.entrypoint
+      format: string
+      level: extended
+      type: long
+      description: >
+        Header entrypoint of the ELF file.
+
+    - name: header.object_version
+      type: keyword
+      level: extended
+      description: >
+        "0x1" for original ELF files.
+
+    - name: sections
+      description: >
+        Section information of the ELF file.
+      type: nested
+      level: extended
+
+    - name: sections.flags
+      description: >
+        ELF Section List flags.
+      type: keyword
+      level: extended
+
+    - name: sections.name
+      description: >
+        ELF Section List name.
+      type: keyword
+      level: extended
+
+    - name: sections.physical_offset
+      description: >
+        ELF Section List offset.
+      type: keyword
+      level: extended
+
+    - name: sections.type
+      description: >
+        ELF Section List type.
+      type: keyword
+      level: extended
+
+    - name: sections.physical_size
+      description: >
+        ELF Section List physical size.
+      format: bytes
+      type: long
+      level: extended
+
+    - name: sections.virtual_address
+      description: >
+        ELF Section List virtual address.
+      format: string
+      type: long
+      level: extended
+
+    - name: sections.virtual_size
+      description: >
+        ELF Section List virtual size.
+      format: string
+      type: long
+      level: extended
+
+    - name: sections.entropy
+      description: >
+        Shannon entropy calculation from the section.
+      format: number
+      type: long
+      level: extended
+
+    - name: sections.chi2
+      description: >
+        Chi-square probability distribution of the section.
+      format: number
+      type: long
+      level: extended
+
+    - name: exports
+      description: >
+        List of exported element names and types.
+      level: extended
+      type: flattened
+
+    - name: imports
+      description: >
+        List of imported element names and types.
+      type: flattened
+      level: extended
+
+    - name: shared_libraries
+      description: >
+        List of shared libraries used by this ELF object
+      type: keyword
+      level: extended
+      normalize:
+       - array
+
+    - name: telfhash
+      short: telfhash hash for ELF files
+      description: >
+        telfhash is symbol hash for ELF files, just like imphash is imports hash for PE files. Learn more at https://github.com/trendmicro/telfhash.
+      type: keyword
+      level: extended
+
+    - name: segments
+      description: >
+        ELF object segment list.
+      type: nested
+      level: extended
+
+    - name: segments.type
+      description: ELF object segment type.
+      type: keyword
+      level: extended
+
+    - name: segments.sections
+      description: ELF object segment sections.
+      type: keyword
+      level: extended

From 31bbdd6daf98fe9cf516667141e7e5a73e0ab82b Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Thu, 18 Feb 2021 11:32:43 -0600
Subject: [PATCH 84/90] Cut 1.9 FF CHANGELOG.next.md (#1277)

---
 CHANGELOG.next.md | 34 +++++++++++++++++++++++++---------
 1 file changed, 25 insertions(+), 9 deletions(-)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 9aaa6af2ea..e7ab356556 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -10,9 +10,14 @@ Thanks, you're awesome :-) -->
 
 ### Schema Changes
 
+#### Breaking changes
+
+#### Bugfixes
+
+#### Added
+
 #### Improvements
 
-* `user.changes.*`, `user.effective.*`, and `user.target.*` field reuses are GA. #1271
 ### Tooling and Artifact Changes
 
 #### Breaking changes
@@ -21,22 +26,33 @@ Thanks, you're awesome :-) -->
 
 #### Added
 
-* Added `http.request.id`. #1208
-* Added `cloud.service.name`. #1204
+#### Improvements
+
+#### Deprecated
+
+
+## 1.9.0 (Feature Freeze)
+
+### Schema Changes
+
+#### Added
+
 * Added `hash.ssdeep`. #1169
-* Added additional host fields. #1248
+* Added `cloud.service.name`. #1204
+* Added `http.request.id`. #1208
+* `data_stream.*` fieldset introduced in experimental schema and artifacts. #1215
 * Added `geo.timezone`, `geo.postal_code`, and `geo.continent_code`. #1229
-* Extended `pe` fields added to experimental schema. #1256
+* Added `beta` host metrics fields. #1248
 * Added `code_signature.team_id`, `code_signature.signing_id`. #1249
-* Add `threat.indicator` fields to experimental schema. #1268
+* Extended `pe` fields added to experimental schema. #1256
 * Add `elf` fieldset to experimental schema. #1261
+* Add `threat.indicator` fields to experimental schema. #1268
 
 #### Improvements
 
 * Include formatting guidance and examples for MAC address fields. #456
-
-#### Deprecated
-
+* New section in ECS detailing event categorization fields usage. #1242
+* `user.changes.*`, `user.effective.*`, and `user.target.*` field reuses are GA. #1271
 
 <!-- All empty sections:
 

From 5df9b6bda5f7d399b3f2640b87f58cbe6c309ad4 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Thu, 4 Mar 2021 14:20:13 -0600
Subject: [PATCH 85/90] lock go version in actions (#1283) (#1290)

---
 .github/workflows/test.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 0e4a5703f9..f5aad7d831 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -10,7 +10,7 @@ jobs:
       - uses: actions/checkout@v2
       - uses: actions/setup-go@v2
         with:
-          go-version: '^1.13.1'
+          go-version: '1.15.x'
       - uses: actions/setup-python@v2
         with:
           python-version: '3.x'

From d8bcd1830f174ef9c03a323460a039707a03d355 Mon Sep 17 00:00:00 2001
From: Kylie Geller <kylie.geller@gmail.com>
Date: Fri, 26 Mar 2021 09:53:16 -0400
Subject: [PATCH 86/90] Bump jinja2 from 2.11.2 to 2.11.3 in /scripts (#1310)
 (#1320)

* Bump jinja2 from 2.11.2 to 2.11.3 in /scripts
---
 CHANGELOG.next.md        | 1 +
 scripts/requirements.txt | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index e7ab356556..431f41eb20 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -53,6 +53,7 @@ Thanks, you're awesome :-) -->
 * Include formatting guidance and examples for MAC address fields. #456
 * New section in ECS detailing event categorization fields usage. #1242
 * `user.changes.*`, `user.effective.*`, and `user.target.*` field reuses are GA. #1271
+* Bump jinja2 from 2.11.2 to 2.11.3 #1310
 
 <!-- All empty sections:
 
diff --git a/scripts/requirements.txt b/scripts/requirements.txt
index a199139681..890c1e3cf4 100644
--- a/scripts/requirements.txt
+++ b/scripts/requirements.txt
@@ -4,4 +4,4 @@ autopep8==1.4.4
 yamllint==1.19.0
 mock==4.0.2
 gitpython==3.1.2
-Jinja2==2.11.2
+Jinja2==2.11.3

From 9a677e19fd631a7083cb33a53785cd4e403ad1cf Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Fri, 26 Mar 2021 15:45:40 -0500
Subject: [PATCH 87/90] Bump pyyaml from 5.3b1 to 5.4 in /scripts (#1318)
 (#1325)

Co-authored-by: Eric Beahan <eric.beahan@elastic.co>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 CHANGELOG.next.md        | 2 +-
 scripts/requirements.txt | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 431f41eb20..c87744333e 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -53,7 +53,7 @@ Thanks, you're awesome :-) -->
 * Include formatting guidance and examples for MAC address fields. #456
 * New section in ECS detailing event categorization fields usage. #1242
 * `user.changes.*`, `user.effective.*`, and `user.target.*` field reuses are GA. #1271
-* Bump jinja2 from 2.11.2 to 2.11.3 #1310
+* Update Python dependencies #1310, #1318
 
 <!-- All empty sections:
 
diff --git a/scripts/requirements.txt b/scripts/requirements.txt
index 890c1e3cf4..0e97888fb1 100644
--- a/scripts/requirements.txt
+++ b/scripts/requirements.txt
@@ -1,5 +1,5 @@
 pip
-PyYAML==5.3b1
+PyYAML==5.4
 autopep8==1.4.4
 yamllint==1.19.0
 mock==4.0.2

From 56f6e31009e1357ef6c02b94d1a30f3278451593 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Mon, 29 Mar 2021 10:37:12 -0500
Subject: [PATCH 88/90] Adjust terminology - change whitelist to allowlist
 (#1315) (#1331)

Co-authored-by: Dominic Page <11043991+djptek@users.noreply.github.com>
---
 CHANGELOG.next.md                                |  6 ++++++
 scripts/generators/beats.py                      | 16 ++++++++--------
 ...st.yml => beats_default_fields_allowlist.yml} |  0
 3 files changed, 14 insertions(+), 8 deletions(-)
 rename scripts/generators/{beats_default_fields_whitelist.yml => beats_default_fields_allowlist.yml} (100%)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index c87744333e..77e8540dbc 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -55,6 +55,12 @@ Thanks, you're awesome :-) -->
 * `user.changes.*`, `user.effective.*`, and `user.target.*` field reuses are GA. #1271
 * Update Python dependencies #1310, #1318
 
+### Tooling and Artifact Changes
+
+#### Improvements
+
+* Adjustments to use terminology that doesn't have negative connotation. #1315
+
 <!-- All empty sections:
 
 ## Unreleased
diff --git a/scripts/generators/beats.py b/scripts/generators/beats.py
index fa8904c058..6f70921f67 100644
--- a/scripts/generators/beats.py
+++ b/scripts/generators/beats.py
@@ -4,11 +4,11 @@
 
 
 def generate(ecs_nested, ecs_version, out_dir):
-    # Load temporary whitelist for default_fields workaround.
-    df_whitelist = ecs_helpers.yaml_load('scripts/generators/beats_default_fields_whitelist.yml')
+    # Load temporary allowlist for default_fields workaround.
+    df_allowlist = ecs_helpers.yaml_load('scripts/generators/beats_default_fields_allowlist.yml')
 
     # base first
-    beats_fields = fieldset_field_array(ecs_nested['base']['fields'], df_whitelist, ecs_nested['base']['prefix'])
+    beats_fields = fieldset_field_array(ecs_nested['base']['fields'], df_allowlist, ecs_nested['base']['prefix'])
 
     allowed_fieldset_keys = ['name', 'title', 'group', 'description', 'footnote', 'type']
     # other fieldsets
@@ -19,11 +19,11 @@ def generate(ecs_nested, ecs_version, out_dir):
 
         # Handle when `root:true`
         if fieldset.get('root', False):
-            beats_fields.extend(fieldset_field_array(fieldset['fields'], df_whitelist, fieldset['prefix']))
+            beats_fields.extend(fieldset_field_array(fieldset['fields'], df_allowlist, fieldset['prefix']))
             continue
 
         beats_field = ecs_helpers.dict_copy_keys_ordered(fieldset, allowed_fieldset_keys)
-        beats_field['fields'] = fieldset_field_array(fieldset['fields'], df_whitelist, fieldset['prefix'])
+        beats_field['fields'] = fieldset_field_array(fieldset['fields'], df_allowlist, fieldset['prefix'])
         beats_fields.append(beats_field)
 
     beats_file = OrderedDict()
@@ -35,7 +35,7 @@ def generate(ecs_nested, ecs_version, out_dir):
     write_beats_yaml(beats_file, ecs_version, out_dir)
 
 
-def fieldset_field_array(source_fields, df_whitelist, fieldset_prefix):
+def fieldset_field_array(source_fields, df_allowlist, fieldset_prefix):
     allowed_keys = ['name', 'level', 'required', 'type', 'object_type',
                     'ignore_above', 'multi_fields', 'format', 'input_format',
                     'output_format', 'output_precision', 'description',
@@ -56,7 +56,7 @@ def fieldset_field_array(source_fields, df_whitelist, fieldset_prefix):
             for mf in ecs_field['multi_fields']:
                 # Set default_field if necessary. Avoid adding the key if the parent
                 # field already is marked with default_field: false.
-                if not mf['flat_name'] in df_whitelist and ecs_field['flat_name'] in df_whitelist:
+                if not mf['flat_name'] in df_allowlist and ecs_field['flat_name'] in df_allowlist:
                     mf['default_field'] = False
                 cleaned_multi_fields.append(
                     ecs_helpers.dict_copy_keys_ordered(mf, multi_fields_allowed_keys))
@@ -64,7 +64,7 @@ def fieldset_field_array(source_fields, df_whitelist, fieldset_prefix):
 
         beats_field['name'] = contextual_name
 
-        if not ecs_field['flat_name'] in df_whitelist:
+        if not ecs_field['flat_name'] in df_allowlist:
             beats_field['default_field'] = False
 
         fields.append(beats_field)
diff --git a/scripts/generators/beats_default_fields_whitelist.yml b/scripts/generators/beats_default_fields_allowlist.yml
similarity index 100%
rename from scripts/generators/beats_default_fields_whitelist.yml
rename to scripts/generators/beats_default_fields_allowlist.yml

From 5bbed42df59fb2fe3a015c4e67ca0eb54c3cb30c Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Tue, 30 Mar 2021 09:50:27 -0500
Subject: [PATCH 89/90] Remove -dev label from 1.9 version (#1329)

* remove -dev label from 1.9 version

* generate artifacts

* removing rules artifacts
---
 code/go/ecs/version.go                        |    2 +-
 docs/fields.asciidoc                          |    2 +-
 docs/index.asciidoc                           |    2 +-
 experimental/code/go/ecs/agent.go             |   26 +
 experimental/code/go/ecs/as.go                |   26 +
 experimental/code/go/ecs/client.go            |   29 +
 experimental/code/go/ecs/data_stream.go       |   66 +
 experimental/code/go/ecs/destination.go       |   29 +
 experimental/code/go/ecs/dns.go               |   32 +
 experimental/code/go/ecs/elf.go               |  120 +
 experimental/code/go/ecs/error.go             |   29 +
 experimental/code/go/ecs/file.go              |   32 +
 experimental/code/go/ecs/geo.go               |   26 +
 experimental/code/go/ecs/hash.go              |   23 +
 experimental/code/go/ecs/host.go              |   26 +
 experimental/code/go/ecs/http.go              |   32 +
 experimental/code/go/ecs/log.go               |   29 +
 experimental/code/go/ecs/orchestrator.go      |   52 +
 experimental/code/go/ecs/organization.go      |   26 +
 experimental/code/go/ecs/os.go                |   29 +
 experimental/code/go/ecs/pe.go                |  135 +
 experimental/code/go/ecs/process.go           |   41 +
 experimental/code/go/ecs/registry.go          |   32 +
 experimental/code/go/ecs/server.go            |   29 +
 experimental/code/go/ecs/source.go            |   29 +
 experimental/code/go/ecs/threat.go            |  119 +
 experimental/code/go/ecs/tls.go               |   35 +
 experimental/code/go/ecs/url.go               |   38 +
 experimental/code/go/ecs/user.go              |   32 +
 experimental/code/go/ecs/user_agent.go        |   26 +
 experimental/code/go/ecs/version.go           |   23 +
 experimental/code/go/ecs/x509.go              |   29 +
 experimental/generated/beats/fields.ecs.yml   |    2 +-
 experimental/generated/csv/fields.csv         | 2176 ++++++++---------
 .../generated/elasticsearch/7/template.json   |    2 +-
 .../elasticsearch/component/agent.json        |    2 +-
 .../elasticsearch/component/base.json         |    2 +-
 .../elasticsearch/component/client.json       |    2 +-
 .../elasticsearch/component/cloud.json        |    2 +-
 .../elasticsearch/component/container.json    |    2 +-
 .../elasticsearch/component/data_stream.json  |    2 +-
 .../elasticsearch/component/destination.json  |    2 +-
 .../elasticsearch/component/dll.json          |    2 +-
 .../elasticsearch/component/dns.json          |    2 +-
 .../elasticsearch/component/ecs.json          |    2 +-
 .../elasticsearch/component/error.json        |    2 +-
 .../elasticsearch/component/event.json        |    2 +-
 .../elasticsearch/component/file.json         |    2 +-
 .../elasticsearch/component/group.json        |    2 +-
 .../elasticsearch/component/host.json         |    2 +-
 .../elasticsearch/component/http.json         |    2 +-
 .../elasticsearch/component/log.json          |    2 +-
 .../elasticsearch/component/network.json      |    2 +-
 .../elasticsearch/component/observer.json     |    2 +-
 .../elasticsearch/component/organization.json |    2 +-
 .../elasticsearch/component/package.json      |    2 +-
 .../elasticsearch/component/process.json      |    2 +-
 .../elasticsearch/component/registry.json     |    2 +-
 .../elasticsearch/component/related.json      |    2 +-
 .../elasticsearch/component/rule.json         |    2 +-
 .../elasticsearch/component/server.json       |    2 +-
 .../elasticsearch/component/service.json      |    2 +-
 .../elasticsearch/component/source.json       |    2 +-
 .../elasticsearch/component/threat.json       |    2 +-
 .../elasticsearch/component/tls.json          |    2 +-
 .../elasticsearch/component/tracing.json      |    2 +-
 .../elasticsearch/component/url.json          |    2 +-
 .../elasticsearch/component/user.json         |    2 +-
 .../elasticsearch/component/user_agent.json   |    2 +-
 .../component/vulnerability.json              |    2 +-
 .../generated/elasticsearch/template.json     |   72 +-
 generated/beats/fields.ecs.yml                |    2 +-
 generated/csv/fields.csv                      | 1524 ++++++------
 generated/elasticsearch/6/template.json       |    2 +-
 generated/elasticsearch/7/template.json       |    2 +-
 generated/elasticsearch/component/agent.json  |    2 +-
 generated/elasticsearch/component/base.json   |    2 +-
 generated/elasticsearch/component/client.json |    2 +-
 generated/elasticsearch/component/cloud.json  |    2 +-
 .../elasticsearch/component/container.json    |    2 +-
 .../elasticsearch/component/destination.json  |    2 +-
 generated/elasticsearch/component/dll.json    |    2 +-
 generated/elasticsearch/component/dns.json    |    2 +-
 generated/elasticsearch/component/ecs.json    |    2 +-
 generated/elasticsearch/component/error.json  |    2 +-
 generated/elasticsearch/component/event.json  |    2 +-
 generated/elasticsearch/component/file.json   |    2 +-
 generated/elasticsearch/component/group.json  |    2 +-
 generated/elasticsearch/component/host.json   |    2 +-
 generated/elasticsearch/component/http.json   |    2 +-
 generated/elasticsearch/component/log.json    |    2 +-
 .../elasticsearch/component/network.json      |    2 +-
 .../elasticsearch/component/observer.json     |    2 +-
 .../elasticsearch/component/organization.json |    2 +-
 .../elasticsearch/component/package.json      |    2 +-
 .../elasticsearch/component/process.json      |    2 +-
 .../elasticsearch/component/registry.json     |    2 +-
 .../elasticsearch/component/related.json      |    2 +-
 generated/elasticsearch/component/rule.json   |    2 +-
 generated/elasticsearch/component/server.json |    2 +-
 .../elasticsearch/component/service.json      |    2 +-
 generated/elasticsearch/component/source.json |    2 +-
 generated/elasticsearch/component/threat.json |    2 +-
 generated/elasticsearch/component/tls.json    |    2 +-
 .../elasticsearch/component/tracing.json      |    2 +-
 generated/elasticsearch/component/url.json    |    2 +-
 generated/elasticsearch/component/user.json   |    2 +-
 .../elasticsearch/component/user_agent.json   |    2 +-
 .../component/vulnerability.json              |    2 +-
 generated/elasticsearch/template.json         |   70 +-
 version                                       |    2 +-
 111 files changed, 3199 insertions(+), 1999 deletions(-)
 create mode 100644 experimental/code/go/ecs/agent.go
 create mode 100644 experimental/code/go/ecs/as.go
 create mode 100644 experimental/code/go/ecs/client.go
 create mode 100644 experimental/code/go/ecs/data_stream.go
 create mode 100644 experimental/code/go/ecs/destination.go
 create mode 100644 experimental/code/go/ecs/dns.go
 create mode 100644 experimental/code/go/ecs/elf.go
 create mode 100644 experimental/code/go/ecs/error.go
 create mode 100644 experimental/code/go/ecs/file.go
 create mode 100644 experimental/code/go/ecs/geo.go
 create mode 100644 experimental/code/go/ecs/hash.go
 create mode 100644 experimental/code/go/ecs/host.go
 create mode 100644 experimental/code/go/ecs/http.go
 create mode 100644 experimental/code/go/ecs/log.go
 create mode 100644 experimental/code/go/ecs/orchestrator.go
 create mode 100644 experimental/code/go/ecs/organization.go
 create mode 100644 experimental/code/go/ecs/os.go
 create mode 100644 experimental/code/go/ecs/pe.go
 create mode 100644 experimental/code/go/ecs/process.go
 create mode 100644 experimental/code/go/ecs/registry.go
 create mode 100644 experimental/code/go/ecs/server.go
 create mode 100644 experimental/code/go/ecs/source.go
 create mode 100644 experimental/code/go/ecs/threat.go
 create mode 100644 experimental/code/go/ecs/tls.go
 create mode 100644 experimental/code/go/ecs/url.go
 create mode 100644 experimental/code/go/ecs/user.go
 create mode 100644 experimental/code/go/ecs/user_agent.go
 create mode 100644 experimental/code/go/ecs/version.go
 create mode 100644 experimental/code/go/ecs/x509.go

diff --git a/code/go/ecs/version.go b/code/go/ecs/version.go
index 6aba04736b..ded6dab3b7 100644
--- a/code/go/ecs/version.go
+++ b/code/go/ecs/version.go
@@ -20,4 +20,4 @@
 package ecs
 
 // Version is the Elastic Common Schema version from which this was generated.
-const Version = "1.9.0-dev"
+const Version = "1.9.0"
diff --git a/docs/fields.asciidoc b/docs/fields.asciidoc
index 3d6f8fa662..4ab5aa1cab 100644
--- a/docs/fields.asciidoc
+++ b/docs/fields.asciidoc
@@ -2,7 +2,7 @@
 [[ecs-field-reference]]
 == {ecs} Field Reference
 
-This is the documentation of ECS version 1.9.0-dev.
+This is the documentation of ECS version 1.9.0.
 
 ECS defines multiple groups of related fields. They are called "field sets".
 The <<ecs-base,Base>> field set is the only one whose fields are defined
diff --git a/docs/index.asciidoc b/docs/index.asciidoc
index 58a21f5124..74f47b333a 100644
--- a/docs/index.asciidoc
+++ b/docs/index.asciidoc
@@ -10,7 +10,7 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
 [[ecs-reference]]
 == Overview
 
-This is the documentation of ECS version 1.9.0-dev.
+This is the documentation of ECS version 1.9.0.
 
 [float]
 === What is ECS?
diff --git a/experimental/code/go/ecs/agent.go b/experimental/code/go/ecs/agent.go
new file mode 100644
index 0000000000..6c0462df4f
--- /dev/null
+++ b/experimental/code/go/ecs/agent.go
@@ -0,0 +1,26 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+//
+type Agent struct {
+	//
+	BuildOriginal string `ecs:"build.original"`
+}
diff --git a/experimental/code/go/ecs/as.go b/experimental/code/go/ecs/as.go
new file mode 100644
index 0000000000..fa4fa9d9f3
--- /dev/null
+++ b/experimental/code/go/ecs/as.go
@@ -0,0 +1,26 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+//
+type AS struct {
+	//
+	OrganizationName string `ecs:"organization.name"`
+}
diff --git a/experimental/code/go/ecs/client.go b/experimental/code/go/ecs/client.go
new file mode 100644
index 0000000000..1b1db2e853
--- /dev/null
+++ b/experimental/code/go/ecs/client.go
@@ -0,0 +1,29 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+//
+type Client struct {
+	//
+	Domain string `ecs:"domain"`
+
+	//
+	RegisteredDomain string `ecs:"registered_domain"`
+}
diff --git a/experimental/code/go/ecs/data_stream.go b/experimental/code/go/ecs/data_stream.go
new file mode 100644
index 0000000000..251a97211a
--- /dev/null
+++ b/experimental/code/go/ecs/data_stream.go
@@ -0,0 +1,66 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+// The data_stream fields take part in defining the new data stream naming
+// scheme.
+// In the new data stream naming scheme the value of the data stream fields
+// combine to the name of the actual data stream in the following manner
+// `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. This
+// means the fields can only contain characters that are valid as part of names
+// of data streams. More details about this can be found in this
+// https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme[blog
+// post].
+// An Elasticsearch data stream consists of one or more backing indices, and a
+// data stream name forms part of the backing indices names. Due to this
+// convention, data streams must also follow index naming restrictions. For
+// example, data stream names cannot include \, /, *, ?, ", <, >, |, ` `.
+// Please see the Elasticsearch reference for additional
+// https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html#indices-create-api-path-params[restrictions].
+type DataStream struct {
+	// An overarching type for the data stream.
+	// Currently allowed values are "logs" and "metrics". We expect to also add
+	// "traces" and "synthetics" in the near future.
+	Type string `ecs:"type"`
+
+	// The field can contain anything that makes sense to signify the source of
+	// the data.
+	// Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data
+	// streams that otherwise fit, but that do not have dataset set we use the
+	// value "generic" for the dataset value. `event.dataset` should have the
+	// same value as `data_stream.dataset`.
+	// Beyond the Elasticsearch data stream naming criteria noted above, the
+	// `dataset` value has additional restrictions:
+	//   * Must not contain `-`
+	//   * No longer than 100 characters
+	Dataset string `ecs:"dataset"`
+
+	// A user defined namespace. Namespaces are useful to allow grouping of
+	// data.
+	// Many users already organize their indices this way, and the data stream
+	// naming scheme now provides this best practice as a default. Many users
+	// will populate this field with `default`. If no value is used, it falls
+	// back to `default`.
+	// Beyond the Elasticsearch index naming criteria noted above, `namespace`
+	// value has the additional restrictions:
+	//   * Must not contain `-`
+	//   * No longer than 100 characters
+	Namespace string `ecs:"namespace"`
+}
diff --git a/experimental/code/go/ecs/destination.go b/experimental/code/go/ecs/destination.go
new file mode 100644
index 0000000000..d06a48b1c1
--- /dev/null
+++ b/experimental/code/go/ecs/destination.go
@@ -0,0 +1,29 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+//
+type Destination struct {
+	//
+	Domain string `ecs:"domain"`
+
+	//
+	RegisteredDomain string `ecs:"registered_domain"`
+}
diff --git a/experimental/code/go/ecs/dns.go b/experimental/code/go/ecs/dns.go
new file mode 100644
index 0000000000..4d32dfc917
--- /dev/null
+++ b/experimental/code/go/ecs/dns.go
@@ -0,0 +1,32 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+//
+type Dns struct {
+	//
+	QuestionName string `ecs:"question.name"`
+
+	//
+	Answers map[string]interface{} `ecs:"answers"`
+
+	//
+	AnswersData string `ecs:"answers.data"`
+}
diff --git a/experimental/code/go/ecs/elf.go b/experimental/code/go/ecs/elf.go
new file mode 100644
index 0000000000..94fc4d84a7
--- /dev/null
+++ b/experimental/code/go/ecs/elf.go
@@ -0,0 +1,120 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+import (
+	"time"
+)
+
+// These fields contain Linux Executable Linkable Format (ELF) metadata.
+type Elf struct {
+	// Extracted when possible from the file's metadata. Indicates when it was
+	// built or compiled. It can also be faked by malware creators.
+	CreationDate time.Time `ecs:"creation_date"`
+
+	// Machine architecture of the ELF file.
+	Architecture string `ecs:"architecture"`
+
+	// Byte sequence of ELF file.
+	ByteOrder string `ecs:"byte_order"`
+
+	// CPU type of the ELF file.
+	CpuType string `ecs:"cpu_type"`
+
+	// Header class of the ELF file.
+	HeaderClass string `ecs:"header.class"`
+
+	// Data table of the ELF header.
+	HeaderData string `ecs:"header.data"`
+
+	// Application Binary Interface (ABI) of the Linux OS.
+	HeaderOsAbi string `ecs:"header.os_abi"`
+
+	// Header type of the ELF file.
+	HeaderType string `ecs:"header.type"`
+
+	// Version of the ELF header.
+	HeaderVersion string `ecs:"header.version"`
+
+	// Version of the ELF Application Binary Interface (ABI).
+	HeaderAbiVersion string `ecs:"header.abi_version"`
+
+	// Header entrypoint of the ELF file.
+	HeaderEntrypoint int64 `ecs:"header.entrypoint"`
+
+	// "0x1" for original ELF files.
+	HeaderObjectVersion string `ecs:"header.object_version"`
+
+	// Section information of the ELF file.
+	Sections []Sections `ecs:""`
+
+	// List of exported element names and types.
+	Exports string `ecs:"exports"`
+
+	// List of imported element names and types.
+	Imports string `ecs:"imports"`
+
+	// List of shared libraries used by this ELF object
+	SharedLibraries string `ecs:"shared_libraries"`
+
+	// telfhash is symbol hash for ELF files, just like imphash is imports hash
+	// for PE files. Learn more at https://github.com/trendmicro/telfhash.
+	Telfhash string `ecs:"telfhash"`
+
+	// ELF object segment list.
+	Segments []Segments `ecs:""`
+}
+
+type Sections struct {
+	// ELF Section List flags.
+	Flags string `ecs:"flags"`
+
+	// ELF Section List name.
+	Name string `ecs:"name"`
+
+	// ELF Section List offset.
+	PhysicalOffset string `ecs:"physical_offset"`
+
+	// ELF Section List type.
+	Type string `ecs:"type"`
+
+	// ELF Section List physical size.
+	PhysicalSize int64 `ecs:"physical_size"`
+
+	// ELF Section List virtual address.
+	VirtualAddress int64 `ecs:"virtual_address"`
+
+	// ELF Section List virtual size.
+	VirtualSize int64 `ecs:"virtual_size"`
+
+	// Shannon entropy calculation from the section.
+	Entropy int64 `ecs:"entropy"`
+
+	// Chi-square probability distribution of the section.
+	Chi2 int64 `ecs:"chi2"`
+}
+
+type Segments struct {
+	// ELF object segment type.
+	Type string `ecs:"type"`
+
+	// ELF object segment sections.
+	Sections string `ecs:"sections"`
+}
diff --git a/experimental/code/go/ecs/error.go b/experimental/code/go/ecs/error.go
new file mode 100644
index 0000000000..7c6c52331c
--- /dev/null
+++ b/experimental/code/go/ecs/error.go
@@ -0,0 +1,29 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+//
+type Error struct {
+	//
+	StackTrace string `ecs:"stack_trace"`
+
+	//
+	Type string `ecs:"type"`
+}
diff --git a/experimental/code/go/ecs/file.go b/experimental/code/go/ecs/file.go
new file mode 100644
index 0000000000..81ab00a4cd
--- /dev/null
+++ b/experimental/code/go/ecs/file.go
@@ -0,0 +1,32 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+//
+type File struct {
+	//
+	Directory string `ecs:"directory"`
+
+	//
+	Path string `ecs:"path"`
+
+	//
+	TargetPath string `ecs:"target_path"`
+}
diff --git a/experimental/code/go/ecs/geo.go b/experimental/code/go/ecs/geo.go
new file mode 100644
index 0000000000..33c7857a04
--- /dev/null
+++ b/experimental/code/go/ecs/geo.go
@@ -0,0 +1,26 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+//
+type Geo struct {
+	//
+	Name string `ecs:"name"`
+}
diff --git a/experimental/code/go/ecs/hash.go b/experimental/code/go/ecs/hash.go
new file mode 100644
index 0000000000..2e3578df8a
--- /dev/null
+++ b/experimental/code/go/ecs/hash.go
@@ -0,0 +1,23 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+//
+type Hash struct{}
diff --git a/experimental/code/go/ecs/host.go b/experimental/code/go/ecs/host.go
new file mode 100644
index 0000000000..225e00c7f6
--- /dev/null
+++ b/experimental/code/go/ecs/host.go
@@ -0,0 +1,26 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+//
+type Host struct {
+	//
+	Hostname string `ecs:"hostname"`
+}
diff --git a/experimental/code/go/ecs/http.go b/experimental/code/go/ecs/http.go
new file mode 100644
index 0000000000..413c4f0105
--- /dev/null
+++ b/experimental/code/go/ecs/http.go
@@ -0,0 +1,32 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+//
+type Http struct {
+	//
+	RequestBodyContent string `ecs:"request.body.content"`
+
+	//
+	RequestReferrer string `ecs:"request.referrer"`
+
+	//
+	ResponseBodyContent string `ecs:"response.body.content"`
+}
diff --git a/experimental/code/go/ecs/log.go b/experimental/code/go/ecs/log.go
new file mode 100644
index 0000000000..f6b92072bb
--- /dev/null
+++ b/experimental/code/go/ecs/log.go
@@ -0,0 +1,29 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+//
+type Log struct {
+	//
+	FilePath string `ecs:"file.path"`
+
+	//
+	Logger string `ecs:"logger"`
+}
diff --git a/experimental/code/go/ecs/orchestrator.go b/experimental/code/go/ecs/orchestrator.go
new file mode 100644
index 0000000000..889a66dc38
--- /dev/null
+++ b/experimental/code/go/ecs/orchestrator.go
@@ -0,0 +1,52 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+// Fields that describe the resources which container orchestrators manage or
+// act upon.
+type Orchestrator struct {
+	// Name of the cluster.
+	ClusterName string `ecs:"cluster.name"`
+
+	// URL of the API used to manage the cluster.
+	ClusterUrl string `ecs:"cluster.url"`
+
+	// The version of the cluster.
+	ClusterVersion string `ecs:"cluster.version"`
+
+	// Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry).
+	Type string `ecs:"type"`
+
+	// Organization affected by the event (for multi-tenant orchestrator
+	// setups).
+	Organization string `ecs:"organization"`
+
+	// Namespace in which the action is taking place.
+	Namespace string `ecs:"namespace"`
+
+	// Name of the resource being acted upon.
+	ResourceName string `ecs:"resource.name"`
+
+	// Type of resource being acted upon.
+	ResourceType string `ecs:"resource.type"`
+
+	// API version being used to carry out the action
+	ApiVersion string `ecs:"api_version"`
+}
diff --git a/experimental/code/go/ecs/organization.go b/experimental/code/go/ecs/organization.go
new file mode 100644
index 0000000000..3ba070b8d5
--- /dev/null
+++ b/experimental/code/go/ecs/organization.go
@@ -0,0 +1,26 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+//
+type Organization struct {
+	//
+	Name string `ecs:"name"`
+}
diff --git a/experimental/code/go/ecs/os.go b/experimental/code/go/ecs/os.go
new file mode 100644
index 0000000000..88e6b5d82b
--- /dev/null
+++ b/experimental/code/go/ecs/os.go
@@ -0,0 +1,29 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+//
+type Os struct {
+	//
+	Name string `ecs:"name"`
+
+	//
+	Full string `ecs:"full"`
+}
diff --git a/experimental/code/go/ecs/pe.go b/experimental/code/go/ecs/pe.go
new file mode 100644
index 0000000000..c3712eb022
--- /dev/null
+++ b/experimental/code/go/ecs/pe.go
@@ -0,0 +1,135 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+import (
+	"time"
+)
+
+//
+type Pe struct {
+	//
+	OriginalFileName string `ecs:"original_file_name"`
+
+	// Difference Hash (dhash) to find files with a visually similar icon or
+	// thumbnail.
+	IconHashDhash string `ecs:"icon.hash.dhash"`
+
+	// An array containing an object for each debug entry, if present.
+	// The expected fields for this nested object fall under the `debug.`
+	// prefix.
+	Debug []Debug `ecs:""`
+
+	// List of all imported functions
+	Imports string `ecs:"imports"`
+
+	// Data about sections of compiled binary PE
+	Sections []Sections `ecs:""`
+
+	// An array containing an object for each PE resource, if present.
+	// The expected fields for this nested object fall under the `resources.`
+	// prefix.
+	Resources []Resources `ecs:""`
+
+	// List of symbols exported by PE
+	Exports string `ecs:"exports"`
+
+	// Extracted when possible from the file's metadata. Indicates when it was
+	// built or compiled. It can also be faked by malware creators.
+	CreationDate time.Time `ecs:"creation_date"`
+
+	// Authentihash of the PE file.
+	Authentihash string `ecs:"authentihash"`
+
+	// Compile timestamp of the PE file.
+	CompileTimestamp time.Time `ecs:"compile_timestamp"`
+
+	// Name of the compiler
+	CompilerName string `ecs:"compiler.name"`
+
+	// Version of the compiler.
+	CompilerVersion string `ecs:"compiler.version"`
+
+	// MD5 hash of the header for the PE file.
+	RichHeaderHashMd5 string `ecs:"rich_header.hash.md5"`
+
+	// Relative byte offset to the base of the PE file.
+	EntryPoint string `ecs:"entry_point"`
+
+	// Machine type of the PE file.
+	MachineType string `ecs:"machine_type"`
+
+	// List of packers and tools used.
+	Packers string `ecs:"packers"`
+}
+
+type Debug struct {
+	// Debug offset information.
+	Offset string `ecs:"offset"`
+
+	// Size of the debug information.
+	Size int64 `ecs:"size"`
+
+	// Information type generated by the debug options.
+	Type string `ecs:"type"`
+
+	// Timestamp of the debug information.
+	Timestamp time.Time `ecs:"timestamp"`
+}
+
+type Resources struct {
+	// Chi-square probability distribution.
+	Chi2 int64 `ecs:"chi2"`
+
+	// File type of the resources section.
+	Filetype string `ecs:"filetype"`
+
+	// Measurement of entropy randomness in the resources section.
+	Entropy int64 `ecs:"entropy"`
+
+	// SHA256 hash of resources section.
+	Sha256 string `ecs:"sha256"`
+
+	// Language identification.
+	Language string `ecs:"language"`
+
+	// Digest of resource types.
+	Type string `ecs:"type"`
+}
+
+type Sections struct {
+	// Chi-square probability distribution.
+	Chi2 int64 `ecs:"chi2"`
+
+	// Virtual address available to the file.
+	VirtualAddress int64 `ecs:"virtual_address"`
+
+	// Measurement of entropy randomness in the file.
+	Entropy float64 `ecs:"entropy"`
+
+	// Section flags of the file.
+	Flags string `ecs:"flags"`
+
+	// Section names of the file.
+	Name string `ecs:"name"`
+
+	// Size of the section or the dize of the initialized data on disk.
+	RawSize int64 `ecs:"raw_size"`
+}
diff --git a/experimental/code/go/ecs/process.go b/experimental/code/go/ecs/process.go
new file mode 100644
index 0000000000..45a5b7d050
--- /dev/null
+++ b/experimental/code/go/ecs/process.go
@@ -0,0 +1,41 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+//
+type Process struct {
+	//
+	CommandLine string `ecs:"command_line"`
+
+	//
+	Executable string `ecs:"executable"`
+
+	//
+	Name string `ecs:"name"`
+
+	//
+	ThreadName string `ecs:"thread.name"`
+
+	//
+	Title string `ecs:"title"`
+
+	//
+	WorkingDirectory string `ecs:"working_directory"`
+}
diff --git a/experimental/code/go/ecs/registry.go b/experimental/code/go/ecs/registry.go
new file mode 100644
index 0000000000..6d1b367841
--- /dev/null
+++ b/experimental/code/go/ecs/registry.go
@@ -0,0 +1,32 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+//
+type Registry struct {
+	//
+	Key string `ecs:"key"`
+
+	//
+	Path string `ecs:"path"`
+
+	//
+	DataStrings string `ecs:"data.strings"`
+}
diff --git a/experimental/code/go/ecs/server.go b/experimental/code/go/ecs/server.go
new file mode 100644
index 0000000000..c32bfd34d7
--- /dev/null
+++ b/experimental/code/go/ecs/server.go
@@ -0,0 +1,29 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+//
+type Server struct {
+	//
+	Domain string `ecs:"domain"`
+
+	//
+	RegisteredDomain string `ecs:"registered_domain"`
+}
diff --git a/experimental/code/go/ecs/source.go b/experimental/code/go/ecs/source.go
new file mode 100644
index 0000000000..8aeb281f59
--- /dev/null
+++ b/experimental/code/go/ecs/source.go
@@ -0,0 +1,29 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+//
+type Source struct {
+	//
+	Domain string `ecs:"domain"`
+
+	//
+	RegisteredDomain string `ecs:"registered_domain"`
+}
diff --git a/experimental/code/go/ecs/threat.go b/experimental/code/go/ecs/threat.go
new file mode 100644
index 0000000000..3ac4f92a5b
--- /dev/null
+++ b/experimental/code/go/ecs/threat.go
@@ -0,0 +1,119 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+import (
+	"time"
+)
+
+//
+type Threat struct {
+	// The date and time when intelligence source first reported sighting this
+	// indicator.
+	IndicatorFirstSeen time.Time `ecs:"indicator.first_seen"`
+
+	// The date and time when intelligence source last reported sighting this
+	// indicator.
+	IndicatorLastSeen time.Time `ecs:"indicator.last_seen"`
+
+	// Number of times this indicator was observed conducting threat activity.
+	IndicatorSightings int64 `ecs:"indicator.sightings"`
+
+	// Type of indicator as represented by Cyber Observable in STIX 2.0.
+	// Expected values
+	//   * autonomous-system
+	//   * artifact
+	//   * directory
+	//   * domain-name
+	//   * email-addr
+	//   * file
+	//   * ipv4-addr
+	//   * ipv6-addr
+	//   * mac-addr
+	//   * mutex
+	//   * process
+	//   * software
+	//   * url
+	//   * user-account
+	//   * windows-registry-key
+	//   * x-509-certificate
+	IndicatorType string `ecs:"indicator.type"`
+
+	// Describes the type of action conducted by the threat.
+	IndicatorDescription string `ecs:"indicator.description"`
+
+	// Count of AV/EDR vendors that successfully detected malicious file or
+	// URL.
+	IndicatorScannerStats int64 `ecs:"indicator.scanner_stats"`
+
+	// Identifies the name of the intelligence provider.
+	IndicatorProvider string `ecs:"indicator.provider"`
+
+	// Identifies the confidence rating assigned by the provider using STIX
+	// confidence scales.
+	// Expected values:
+	//   * Not Specified, None, Low, Medium, High
+	//   * 0-10
+	//   * Admirality Scale (1-6)
+	//   * DNI Scale (5-95)
+	//   * WEP Scale (Impossible - Certain)
+	IndicatorConfidence string `ecs:"indicator.confidence"`
+
+	// Identifies the name of specific module this data is coming from.
+	IndicatorModule string `ecs:"indicator.module"`
+
+	// Identifies the name of specific dataset from the intelligence source.
+	IndicatorDataset string `ecs:"indicator.dataset"`
+
+	// Identifies a threat indicator as an IP address (irrespective of
+	// direction).
+	IndicatorIP string `ecs:"indicator.ip"`
+
+	// Identifies a threat indicator as a domain (irrespective of direction).
+	IndicatorDomain string `ecs:"indicator.domain"`
+
+	// Identifies a threat indicator as a port number (irrespective of
+	// direction).
+	IndicatorPort int64 `ecs:"indicator.port"`
+
+	// Identifies a threat indicator as an email address (irrespective of
+	// direction).
+	IndicatorEmailAddress string `ecs:"indicator.email.address"`
+
+	// Traffic Light Protocol sharing markings.
+	// Expected values are:
+	//   * White
+	//   * Green
+	//   * Amber
+	//   * Red
+	IndicatorMarkingTlp string `ecs:"indicator.marking.tlp"`
+
+	// Identifies the atomic indicator that matched a local environment
+	// endpoint or network event.
+	IndicatorMatchedAtomic string `ecs:"indicator.matched.atomic"`
+
+	// Identifies the field of the atomic indicator that matched a local
+	// environment endpoint or network event.
+	IndicatorMatchedField string `ecs:"indicator.matched.field"`
+
+	// Identifies the type of the atomic indicator that matched a local
+	// environment endpoint or network event.
+	IndicatorMatchedType string `ecs:"indicator.matched.type"`
+}
diff --git a/experimental/code/go/ecs/tls.go b/experimental/code/go/ecs/tls.go
new file mode 100644
index 0000000000..da74901a82
--- /dev/null
+++ b/experimental/code/go/ecs/tls.go
@@ -0,0 +1,35 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+//
+type Tls struct {
+	//
+	ClientIssuer string `ecs:"client.issuer"`
+
+	//
+	ClientSubject string `ecs:"client.subject"`
+
+	//
+	ServerIssuer string `ecs:"server.issuer"`
+
+	//
+	ServerSubject string `ecs:"server.subject"`
+}
diff --git a/experimental/code/go/ecs/url.go b/experimental/code/go/ecs/url.go
new file mode 100644
index 0000000000..ae7cd6c1c4
--- /dev/null
+++ b/experimental/code/go/ecs/url.go
@@ -0,0 +1,38 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+//
+type Url struct {
+	//
+	Original string `ecs:"original"`
+
+	//
+	Full string `ecs:"full"`
+
+	//
+	Path string `ecs:"path"`
+
+	//
+	Domain string `ecs:"domain"`
+
+	//
+	RegisteredDomain string `ecs:"registered_domain"`
+}
diff --git a/experimental/code/go/ecs/user.go b/experimental/code/go/ecs/user.go
new file mode 100644
index 0000000000..86aa0bfe27
--- /dev/null
+++ b/experimental/code/go/ecs/user.go
@@ -0,0 +1,32 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+//
+type User struct {
+	//
+	Name string `ecs:"name"`
+
+	//
+	FullName string `ecs:"full_name"`
+
+	//
+	Email string `ecs:"email"`
+}
diff --git a/experimental/code/go/ecs/user_agent.go b/experimental/code/go/ecs/user_agent.go
new file mode 100644
index 0000000000..d63aa806ec
--- /dev/null
+++ b/experimental/code/go/ecs/user_agent.go
@@ -0,0 +1,26 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+//
+type UserAgent struct {
+	//
+	Original string `ecs:"original"`
+}
diff --git a/experimental/code/go/ecs/version.go b/experimental/code/go/ecs/version.go
new file mode 100644
index 0000000000..0aa8cb0f52
--- /dev/null
+++ b/experimental/code/go/ecs/version.go
@@ -0,0 +1,23 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+// Version is the Elastic Common Schema version from which this was generated.
+const Version = "2.0.0-dev"
diff --git a/experimental/code/go/ecs/x509.go b/experimental/code/go/ecs/x509.go
new file mode 100644
index 0000000000..4d13fa35d4
--- /dev/null
+++ b/experimental/code/go/ecs/x509.go
@@ -0,0 +1,29 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+//
+type X509 struct {
+	//
+	IssuerDistinguishedName string `ecs:"issuer.distinguished_name"`
+
+	//
+	SubjectDistinguishedName string `ecs:"subject.distinguished_name"`
+}
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index 13bd5d57ab..46bc450dbe 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -1,5 +1,5 @@
 # WARNING! Do not edit this file directly, it was generated by the ECS project,
-# based on ECS version 1.9.0-dev+exp.
+# based on ECS version 1.9.0+exp.
 # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields.
 
 - key: ecs
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
index 4a34177817..aee4d11877 100644
--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -1,1089 +1,1089 @@
 ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
-1.9.0-dev+exp,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated.
-1.9.0-dev+exp,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs.
-1.9.0-dev+exp,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer.
-1.9.0-dev+exp,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event.
-1.9.0-dev+exp,true,agent,agent.build.original,wildcard,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent.
-1.9.0-dev+exp,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent.
-1.9.0-dev+exp,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
-1.9.0-dev+exp,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
-1.9.0-dev+exp,true,agent,agent.type,keyword,core,,filebeat,Type of the agent.
-1.9.0-dev+exp,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
-1.9.0-dev+exp,true,client,client.address,keyword,extended,,,Client network address.
-1.9.0-dev+exp,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.9.0-dev+exp,true,client,client.as.organization.name,wildcard,extended,,Google LLC,Organization name.
-1.9.0-dev+exp,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.9.0-dev+exp,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server.
-1.9.0-dev+exp,true,client,client.domain,wildcard,core,,,Client domain.
-1.9.0-dev+exp,true,client,client.geo.city_name,keyword,core,,Montreal,City name.
-1.9.0-dev+exp,true,client,client.geo.continent_code,keyword,core,,NA,Continent code.
-1.9.0-dev+exp,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.9.0-dev+exp,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.9.0-dev+exp,true,client,client.geo.country_name,keyword,core,,Canada,Country name.
-1.9.0-dev+exp,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.9.0-dev+exp,true,client,client.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
-1.9.0-dev+exp,true,client,client.geo.postal_code,keyword,core,,94040,Postal code.
-1.9.0-dev+exp,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.9.0-dev+exp,true,client,client.geo.region_name,keyword,core,,Quebec,Region name.
-1.9.0-dev+exp,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-1.9.0-dev+exp,true,client,client.ip,ip,core,,,IP address of the client.
-1.9.0-dev+exp,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client.
-1.9.0-dev+exp,true,client,client.nat.ip,ip,extended,,,Client NAT ip address
-1.9.0-dev+exp,true,client,client.nat.port,long,extended,,,Client NAT port
-1.9.0-dev+exp,true,client,client.packets,long,core,,12,Packets sent from the client to the server.
-1.9.0-dev+exp,true,client,client.port,long,core,,,Port of the client.
-1.9.0-dev+exp,true,client,client.registered_domain,wildcard,extended,,example.com,"The highest registered client domain, stripped of the subdomain."
-1.9.0-dev+exp,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain.
-1.9.0-dev+exp,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.9.0-dev+exp,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.9.0-dev+exp,true,client,client.user.email,wildcard,extended,,,User email address.
-1.9.0-dev+exp,true,client,client.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.9.0-dev+exp,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.9.0-dev+exp,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.9.0-dev+exp,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.9.0-dev+exp,true,client,client.user.group.name,keyword,extended,,,Name of the group.
-1.9.0-dev+exp,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.9.0-dev+exp,true,client,client.user.id,keyword,core,,,Unique identifier of the user.
-1.9.0-dev+exp,true,client,client.user.name,wildcard,core,,albert,Short name or login of the user.
-1.9.0-dev+exp,true,client,client.user.name.text,text,core,,albert,Short name or login of the user.
-1.9.0-dev+exp,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.9.0-dev+exp,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id.
-1.9.0-dev+exp,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name.
-1.9.0-dev+exp,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running.
-1.9.0-dev+exp,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
-1.9.0-dev+exp,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine.
-1.9.0-dev+exp,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
-1.9.0-dev+exp,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id.
-1.9.0-dev+exp,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name.
-1.9.0-dev+exp,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider.
-1.9.0-dev+exp,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running.
-1.9.0-dev+exp,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name.
-1.9.0-dev+exp,true,container,container.id,keyword,core,,,Unique container id.
-1.9.0-dev+exp,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on.
-1.9.0-dev+exp,true,container,container.image.tag,keyword,extended,array,,Container image tags.
-1.9.0-dev+exp,true,container,container.labels,object,extended,,,Image labels.
-1.9.0-dev+exp,true,container,container.name,keyword,extended,,,Container name.
-1.9.0-dev+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container.
-1.9.0-dev+exp,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data.
-1.9.0-dev+exp,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data.
-1.9.0-dev+exp,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream.
-1.9.0-dev+exp,true,destination,destination.address,keyword,extended,,,Destination network address.
-1.9.0-dev+exp,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.9.0-dev+exp,true,destination,destination.as.organization.name,wildcard,extended,,Google LLC,Organization name.
-1.9.0-dev+exp,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.9.0-dev+exp,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source.
-1.9.0-dev+exp,true,destination,destination.domain,wildcard,core,,,Destination domain.
-1.9.0-dev+exp,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name.
-1.9.0-dev+exp,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code.
-1.9.0-dev+exp,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.9.0-dev+exp,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.9.0-dev+exp,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name.
-1.9.0-dev+exp,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.9.0-dev+exp,true,destination,destination.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
-1.9.0-dev+exp,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code.
-1.9.0-dev+exp,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.9.0-dev+exp,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name.
-1.9.0-dev+exp,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-1.9.0-dev+exp,true,destination,destination.ip,ip,core,,,IP address of the destination.
-1.9.0-dev+exp,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination.
-1.9.0-dev+exp,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip
-1.9.0-dev+exp,true,destination,destination.nat.port,long,extended,,,Destination NAT Port
-1.9.0-dev+exp,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source.
-1.9.0-dev+exp,true,destination,destination.port,long,core,,,Port of the destination.
-1.9.0-dev+exp,true,destination,destination.registered_domain,wildcard,extended,,example.com,"The highest registered destination domain, stripped of the subdomain."
-1.9.0-dev+exp,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain.
-1.9.0-dev+exp,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.9.0-dev+exp,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.9.0-dev+exp,true,destination,destination.user.email,wildcard,extended,,,User email address.
-1.9.0-dev+exp,true,destination,destination.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.9.0-dev+exp,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.9.0-dev+exp,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.9.0-dev+exp,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.9.0-dev+exp,true,destination,destination.user.group.name,keyword,extended,,,Name of the group.
-1.9.0-dev+exp,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.9.0-dev+exp,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user.
-1.9.0-dev+exp,true,destination,destination.user.name,wildcard,core,,albert,Short name or login of the user.
-1.9.0-dev+exp,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user.
-1.9.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.9.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-1.9.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
-1.9.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-1.9.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-1.9.0-dev+exp,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
-1.9.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-1.9.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.9.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash.
-1.9.0-dev+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash.
-1.9.0-dev+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash.
-1.9.0-dev+exp,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash.
-1.9.0-dev+exp,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash.
-1.9.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library.
-1.9.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library.
-1.9.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-1.9.0-dev+exp,true,dll,dll.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
-1.9.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-1.9.0-dev+exp,true,dll,dll.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
-1.9.0-dev+exp,true,dll,dll.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
-1.9.0-dev+exp,true,dll,dll.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
-1.9.0-dev+exp,true,dll,dll.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
-1.9.0-dev+exp,true,dll,dll.pe.debug,nested,extended,array,,Debug information
-1.9.0-dev+exp,true,dll,dll.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
-1.9.0-dev+exp,true,dll,dll.pe.debug.size,long,extended,,816,Size of the debug information.
-1.9.0-dev+exp,true,dll,dll.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
-1.9.0-dev+exp,true,dll,dll.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
-1.9.0-dev+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-1.9.0-dev+exp,true,dll,dll.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
-1.9.0-dev+exp,true,dll,dll.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
-1.9.0-dev+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-1.9.0-dev+exp,true,dll,dll.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
-1.9.0-dev+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.9.0-dev+exp,true,dll,dll.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
-1.9.0-dev+exp,true,dll,dll.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
-1.9.0-dev+exp,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-1.9.0-dev+exp,true,dll,dll.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
-1.9.0-dev+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-1.9.0-dev+exp,true,dll,dll.pe.resources,nested,extended,array,,PE resource information
-1.9.0-dev+exp,true,dll,dll.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
-1.9.0-dev+exp,true,dll,dll.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
-1.9.0-dev+exp,true,dll,dll.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
-1.9.0-dev+exp,true,dll,dll.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
-1.9.0-dev+exp,true,dll,dll.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
-1.9.0-dev+exp,true,dll,dll.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
-1.9.0-dev+exp,true,dll,dll.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
-1.9.0-dev+exp,true,dll,dll.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
-1.9.0-dev+exp,true,dll,dll.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
-1.9.0-dev+exp,true,dll,dll.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
-1.9.0-dev+exp,true,dll,dll.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
-1.9.0-dev+exp,true,dll,dll.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
-1.9.0-dev+exp,true,dll,dll.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
-1.9.0-dev+exp,true,dll,dll.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
-1.9.0-dev+exp,true,dns,dns.answers,object,extended,array,,Array of DNS answers.
-1.9.0-dev+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record.
-1.9.0-dev+exp,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource.
-1.9.0-dev+exp,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains.
-1.9.0-dev+exp,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded.
-1.9.0-dev+exp,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record.
-1.9.0-dev+exp,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags.
-1.9.0-dev+exp,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
-1.9.0-dev+exp,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message.
-1.9.0-dev+exp,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried.
-1.9.0-dev+exp,true,dns,dns.question.name,wildcard,extended,,www.example.com,The name being queried.
-1.9.0-dev+exp,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain."
-1.9.0-dev+exp,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain.
-1.9.0-dev+exp,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.9.0-dev+exp,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried.
-1.9.0-dev+exp,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data
-1.9.0-dev+exp,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code.
-1.9.0-dev+exp,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer."
-1.9.0-dev+exp,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
-1.9.0-dev+exp,true,error,error.code,keyword,core,,,Error code describing the error.
-1.9.0-dev+exp,true,error,error.id,keyword,core,,,Unique identifier for the error.
-1.9.0-dev+exp,true,error,error.message,text,core,,,Error message.
-1.9.0-dev+exp,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text.
-1.9.0-dev+exp,true,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text.
-1.9.0-dev+exp,true,error,error.type,wildcard,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception."
-1.9.0-dev+exp,true,event,event.action,keyword,core,,user-password-change,The action captured by the event.
-1.9.0-dev+exp,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy.
-1.9.0-dev+exp,true,event,event.code,keyword,extended,,4648,Identification code for this event.
-1.9.0-dev+exp,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline.
-1.9.0-dev+exp,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset.
-1.9.0-dev+exp,true,event,event.duration,long,core,,,Duration of the event in nanoseconds.
-1.9.0-dev+exp,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed.
-1.9.0-dev+exp,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
-1.9.0-dev+exp,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event.
-1.9.0-dev+exp,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store.
-1.9.0-dev+exp,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy.
-1.9.0-dev+exp,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from.
-1.9.0-dev+exp,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124; worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event.
-1.9.0-dev+exp,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy.
-1.9.0-dev+exp,true,event,event.provider,keyword,extended,,kernel,Source of the event.
-1.9.0-dev+exp,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source"
-1.9.0-dev+exp,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL
-1.9.0-dev+exp,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
-1.9.0-dev+exp,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100).
-1.9.0-dev+exp,true,event,event.sequence,long,extended,,,Sequence number of the event.
-1.9.0-dev+exp,true,event,event.severity,long,core,,7,Numeric severity of the event.
-1.9.0-dev+exp,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed.
-1.9.0-dev+exp,true,event,event.timezone,keyword,extended,,,Event time zone.
-1.9.0-dev+exp,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy.
-1.9.0-dev+exp,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL
-1.9.0-dev+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed.
-1.9.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
-1.9.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-1.9.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
-1.9.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-1.9.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-1.9.0-dev+exp,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
-1.9.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-1.9.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.9.0-dev+exp,true,file,file.created,date,extended,,,File creation time.
-1.9.0-dev+exp,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed.
-1.9.0-dev+exp,true,file,file.device,keyword,extended,,sda,Device that is the source of the file.
-1.9.0-dev+exp,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located.
-1.9.0-dev+exp,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
-1.9.0-dev+exp,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
-1.9.0-dev+exp,true,file,file.elf.byte_order,keyword,extended,,"Little Endian, Big Endian",Byte sequence of ELF file.
-1.9.0-dev+exp,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
-1.9.0-dev+exp,true,file,file.elf.creation_date,date,extended,,,Build or compile date.
-1.9.0-dev+exp,true,file,file.elf.exports,flattened,extended,,,List of exported element names and types.
-1.9.0-dev+exp,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
-1.9.0-dev+exp,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file.
-1.9.0-dev+exp,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header.
-1.9.0-dev+exp,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
-1.9.0-dev+exp,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
-1.9.0-dev+exp,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
-1.9.0-dev+exp,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file.
-1.9.0-dev+exp,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header.
-1.9.0-dev+exp,true,file,file.elf.imports,flattened,extended,,,List of imported element names and types.
-1.9.0-dev+exp,true,file,file.elf.sections,nested,extended,,,Section information of the ELF file.
-1.9.0-dev+exp,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
-1.9.0-dev+exp,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
-1.9.0-dev+exp,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags.
-1.9.0-dev+exp,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name.
-1.9.0-dev+exp,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
-1.9.0-dev+exp,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
-1.9.0-dev+exp,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type.
-1.9.0-dev+exp,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
-1.9.0-dev+exp,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
-1.9.0-dev+exp,true,file,file.elf.segments,nested,extended,,,ELF object segment list.
-1.9.0-dev+exp,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections.
-1.9.0-dev+exp,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type.
-1.9.0-dev+exp,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object
-1.9.0-dev+exp,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF files
-1.9.0-dev+exp,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
-1.9.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
-1.9.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file.
-1.9.0-dev+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash.
-1.9.0-dev+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash.
-1.9.0-dev+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash.
-1.9.0-dev+exp,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash.
-1.9.0-dev+exp,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash.
-1.9.0-dev+exp,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
-1.9.0-dev+exp,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
-1.9.0-dev+exp,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation.
-1.9.0-dev+exp,true,file,file.mtime,date,extended,,,Last time the file content was modified.
-1.9.0-dev+exp,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
-1.9.0-dev+exp,true,file,file.owner,keyword,extended,,alice,File owner's username.
-1.9.0-dev+exp,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name."
-1.9.0-dev+exp,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
-1.9.0-dev+exp,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-1.9.0-dev+exp,true,file,file.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
-1.9.0-dev+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-1.9.0-dev+exp,true,file,file.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
-1.9.0-dev+exp,true,file,file.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
-1.9.0-dev+exp,true,file,file.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
-1.9.0-dev+exp,true,file,file.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
-1.9.0-dev+exp,true,file,file.pe.debug,nested,extended,array,,Debug information
-1.9.0-dev+exp,true,file,file.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
-1.9.0-dev+exp,true,file,file.pe.debug.size,long,extended,,816,Size of the debug information.
-1.9.0-dev+exp,true,file,file.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
-1.9.0-dev+exp,true,file,file.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
-1.9.0-dev+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-1.9.0-dev+exp,true,file,file.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
-1.9.0-dev+exp,true,file,file.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
-1.9.0-dev+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-1.9.0-dev+exp,true,file,file.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
-1.9.0-dev+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.9.0-dev+exp,true,file,file.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
-1.9.0-dev+exp,true,file,file.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
-1.9.0-dev+exp,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-1.9.0-dev+exp,true,file,file.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
-1.9.0-dev+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-1.9.0-dev+exp,true,file,file.pe.resources,nested,extended,array,,PE resource information
-1.9.0-dev+exp,true,file,file.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
-1.9.0-dev+exp,true,file,file.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
-1.9.0-dev+exp,true,file,file.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
-1.9.0-dev+exp,true,file,file.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
-1.9.0-dev+exp,true,file,file.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
-1.9.0-dev+exp,true,file,file.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
-1.9.0-dev+exp,true,file,file.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
-1.9.0-dev+exp,true,file,file.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
-1.9.0-dev+exp,true,file,file.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
-1.9.0-dev+exp,true,file,file.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
-1.9.0-dev+exp,true,file,file.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
-1.9.0-dev+exp,true,file,file.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
-1.9.0-dev+exp,true,file,file.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
-1.9.0-dev+exp,true,file,file.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
-1.9.0-dev+exp,true,file,file.size,long,extended,,16384,File size in bytes.
-1.9.0-dev+exp,true,file,file.target_path,wildcard,extended,,,Target path for symlinks.
-1.9.0-dev+exp,true,file,file.target_path.text,text,extended,,,Target path for symlinks.
-1.9.0-dev+exp,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
-1.9.0-dev+exp,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
-1.9.0-dev+exp,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
-1.9.0-dev+exp,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
-1.9.0-dev+exp,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-1.9.0-dev+exp,true,file,file.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
-1.9.0-dev+exp,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
-1.9.0-dev+exp,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
-1.9.0-dev+exp,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
-1.9.0-dev+exp,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.9.0-dev+exp,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
-1.9.0-dev+exp,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
-1.9.0-dev+exp,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
-1.9.0-dev+exp,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-1.9.0-dev+exp,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
-1.9.0-dev+exp,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
-1.9.0-dev+exp,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
-1.9.0-dev+exp,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
-1.9.0-dev+exp,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
-1.9.0-dev+exp,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code
-1.9.0-dev+exp,true,file,file.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
-1.9.0-dev+exp,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
-1.9.0-dev+exp,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
-1.9.0-dev+exp,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
-1.9.0-dev+exp,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.9.0-dev+exp,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format.
-1.9.0-dev+exp,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.9.0-dev+exp,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.9.0-dev+exp,true,group,group.name,keyword,extended,,,Name of the group.
-1.9.0-dev+exp,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture.
-1.9.0-dev+exp,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1."
-1.9.0-dev+exp,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks.
-1.9.0-dev+exp,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks.
-1.9.0-dev+exp,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of.
-1.9.0-dev+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name.
-1.9.0-dev+exp,true,host,host.geo.continent_code,keyword,core,,NA,Continent code.
-1.9.0-dev+exp,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.9.0-dev+exp,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.9.0-dev+exp,true,host,host.geo.country_name,keyword,core,,Canada,Country name.
-1.9.0-dev+exp,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.9.0-dev+exp,true,host,host.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
-1.9.0-dev+exp,true,host,host.geo.postal_code,keyword,core,,94040,Postal code.
-1.9.0-dev+exp,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.9.0-dev+exp,true,host,host.geo.region_name,keyword,core,,Quebec,Region name.
-1.9.0-dev+exp,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-1.9.0-dev+exp,true,host,host.hostname,wildcard,core,,,Hostname of the host.
-1.9.0-dev+exp,true,host,host.id,keyword,core,,,Unique host id.
-1.9.0-dev+exp,true,host,host.ip,ip,core,array,,Host ip addresses.
-1.9.0-dev+exp,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses.
-1.9.0-dev+exp,true,host,host.name,keyword,core,,,Name of the host.
-1.9.0-dev+exp,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces.
-1.9.0-dev+exp,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces.
-1.9.0-dev+exp,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces.
-1.9.0-dev+exp,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces.
-1.9.0-dev+exp,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.9.0-dev+exp,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.9.0-dev+exp,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.9.0-dev+exp,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.9.0-dev+exp,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
-1.9.0-dev+exp,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
-1.9.0-dev+exp,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
-1.9.0-dev+exp,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
-1.9.0-dev+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
-1.9.0-dev+exp,true,host,host.type,keyword,core,,,Type of host.
-1.9.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up.
-1.9.0-dev+exp,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.9.0-dev+exp,true,host,host.user.email,wildcard,extended,,,User email address.
-1.9.0-dev+exp,true,host,host.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.9.0-dev+exp,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.9.0-dev+exp,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.9.0-dev+exp,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.9.0-dev+exp,true,host,host.user.group.name,keyword,extended,,,Name of the group.
-1.9.0-dev+exp,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.9.0-dev+exp,true,host,host.user.id,keyword,core,,,Unique identifier of the user.
-1.9.0-dev+exp,true,host,host.user.name,wildcard,core,,albert,Short name or login of the user.
-1.9.0-dev+exp,true,host,host.user.name.text,text,core,,albert,Short name or login of the user.
-1.9.0-dev+exp,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.9.0-dev+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body.
-1.9.0-dev+exp,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body.
-1.9.0-dev+exp,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body.
-1.9.0-dev+exp,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers).
-1.9.0-dev+exp,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID.
-1.9.0-dev+exp,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method.
-1.9.0-dev+exp,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request.
-1.9.0-dev+exp,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request.
-1.9.0-dev+exp,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body.
-1.9.0-dev+exp,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body.
-1.9.0-dev+exp,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body.
-1.9.0-dev+exp,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers).
-1.9.0-dev+exp,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response.
-1.9.0-dev+exp,true,http,http.response.status_code,long,extended,,404,HTTP response status code.
-1.9.0-dev+exp,true,http,http.version,keyword,extended,,1.1,HTTP version.
-1.9.0-dev+exp,true,log,log.file.path,wildcard,extended,,/var/log/fun-times.log,Full path to the log file this event came from.
-1.9.0-dev+exp,true,log,log.level,keyword,core,,error,Log level of the log event.
-1.9.0-dev+exp,true,log,log.logger,wildcard,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger.
-1.9.0-dev+exp,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event.
-1.9.0-dev+exp,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event.
-1.9.0-dev+exp,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event.
-1.9.0-dev+exp,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)."
-1.9.0-dev+exp,true,log,log.syslog,object,extended,,,Syslog metadata
-1.9.0-dev+exp,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event.
-1.9.0-dev+exp,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event.
-1.9.0-dev+exp,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event.
-1.9.0-dev+exp,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event.
-1.9.0-dev+exp,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event.
-1.9.0-dev+exp,true,network,network.application,keyword,extended,,aim,Application level protocol name.
-1.9.0-dev+exp,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions.
-1.9.0-dev+exp,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports.
-1.9.0-dev+exp,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic.
-1.9.0-dev+exp,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy.
-1.9.0-dev+exp,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number.
-1.9.0-dev+exp,true,network,network.inner,object,extended,,,Inner VLAN tag information
-1.9.0-dev+exp,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-1.9.0-dev+exp,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-1.9.0-dev+exp,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network.
-1.9.0-dev+exp,true,network,network.packets,long,core,,24,Total packets transferred in both directions.
-1.9.0-dev+exp,true,network,network.protocol,keyword,core,,http,L7 Network protocol name.
-1.9.0-dev+exp,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`.
-1.9.0-dev+exp,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc"
-1.9.0-dev+exp,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-1.9.0-dev+exp,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-1.9.0-dev+exp,true,observer,observer.egress,object,extended,,,Object field for egress information
-1.9.0-dev+exp,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias
-1.9.0-dev+exp,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID
-1.9.0-dev+exp,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name
-1.9.0-dev+exp,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-1.9.0-dev+exp,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-1.9.0-dev+exp,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone
-1.9.0-dev+exp,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name.
-1.9.0-dev+exp,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code.
-1.9.0-dev+exp,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.9.0-dev+exp,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.9.0-dev+exp,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name.
-1.9.0-dev+exp,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.9.0-dev+exp,true,observer,observer.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
-1.9.0-dev+exp,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code.
-1.9.0-dev+exp,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.9.0-dev+exp,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name.
-1.9.0-dev+exp,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-1.9.0-dev+exp,true,observer,observer.hostname,keyword,core,,,Hostname of the observer.
-1.9.0-dev+exp,true,observer,observer.ingress,object,extended,,,Object field for ingress information
-1.9.0-dev+exp,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias
-1.9.0-dev+exp,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID
-1.9.0-dev+exp,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name
-1.9.0-dev+exp,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-1.9.0-dev+exp,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-1.9.0-dev+exp,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone
-1.9.0-dev+exp,true,observer,observer.ip,ip,core,array,,IP addresses of the observer.
-1.9.0-dev+exp,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer.
-1.9.0-dev+exp,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer.
-1.9.0-dev+exp,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.9.0-dev+exp,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.9.0-dev+exp,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.9.0-dev+exp,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.9.0-dev+exp,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
-1.9.0-dev+exp,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
-1.9.0-dev+exp,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
-1.9.0-dev+exp,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
-1.9.0-dev+exp,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
-1.9.0-dev+exp,true,observer,observer.product,keyword,extended,,s200,The product name of the observer.
-1.9.0-dev+exp,true,observer,observer.serial_number,keyword,extended,,,Observer serial number.
-1.9.0-dev+exp,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from.
-1.9.0-dev+exp,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer.
-1.9.0-dev+exp,true,observer,observer.version,keyword,core,,,Observer version.
-1.9.0-dev+exp,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization.
-1.9.0-dev+exp,true,organization,organization.name,wildcard,extended,,,Organization name.
-1.9.0-dev+exp,true,organization,organization.name.text,text,extended,,,Organization name.
-1.9.0-dev+exp,true,package,package.architecture,keyword,extended,,x86_64,Package architecture.
-1.9.0-dev+exp,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information
-1.9.0-dev+exp,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification.
-1.9.0-dev+exp,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package.
-1.9.0-dev+exp,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global."
-1.9.0-dev+exp,true,package,package.installed,date,extended,,,Time when package was installed.
-1.9.0-dev+exp,true,package,package.license,keyword,extended,,Apache License 2.0,Package license
-1.9.0-dev+exp,true,package,package.name,keyword,extended,,go,Package name
-1.9.0-dev+exp,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed.
-1.9.0-dev+exp,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL
-1.9.0-dev+exp,true,package,package.size,long,extended,,62231,Package size in bytes.
-1.9.0-dev+exp,true,package,package.type,keyword,extended,,rpm,Package type
-1.9.0-dev+exp,true,package,package.version,keyword,extended,,1.12.9,Package version
-1.9.0-dev+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
-1.9.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array.
-1.9.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-1.9.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
-1.9.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-1.9.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-1.9.0-dev+exp,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
-1.9.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-1.9.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.9.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-1.9.0-dev+exp,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-1.9.0-dev+exp,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
-1.9.0-dev+exp,true,process,process.elf.byte_order,keyword,extended,,"Little Endian, Big Endian",Byte sequence of ELF file.
-1.9.0-dev+exp,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
-1.9.0-dev+exp,true,process,process.elf.creation_date,date,extended,,,Build or compile date.
-1.9.0-dev+exp,true,process,process.elf.exports,flattened,extended,,,List of exported element names and types.
-1.9.0-dev+exp,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
-1.9.0-dev+exp,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file.
-1.9.0-dev+exp,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header.
-1.9.0-dev+exp,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
-1.9.0-dev+exp,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
-1.9.0-dev+exp,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
-1.9.0-dev+exp,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file.
-1.9.0-dev+exp,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header.
-1.9.0-dev+exp,true,process,process.elf.imports,flattened,extended,,,List of imported element names and types.
-1.9.0-dev+exp,true,process,process.elf.sections,nested,extended,,,Section information of the ELF file.
-1.9.0-dev+exp,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
-1.9.0-dev+exp,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
-1.9.0-dev+exp,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags.
-1.9.0-dev+exp,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name.
-1.9.0-dev+exp,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
-1.9.0-dev+exp,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
-1.9.0-dev+exp,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type.
-1.9.0-dev+exp,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
-1.9.0-dev+exp,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
-1.9.0-dev+exp,true,process,process.elf.segments,nested,extended,,,ELF object segment list.
-1.9.0-dev+exp,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections.
-1.9.0-dev+exp,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type.
-1.9.0-dev+exp,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object
-1.9.0-dev+exp,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF files
-1.9.0-dev+exp,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-1.9.0-dev+exp,true,process,process.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable.
-1.9.0-dev+exp,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
-1.9.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process.
-1.9.0-dev+exp,true,process,process.hash.md5,keyword,extended,,,MD5 hash.
-1.9.0-dev+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash.
-1.9.0-dev+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash.
-1.9.0-dev+exp,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash.
-1.9.0-dev+exp,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash.
-1.9.0-dev+exp,true,process,process.name,wildcard,extended,,ssh,Process name.
-1.9.0-dev+exp,true,process,process.name.text,text,extended,,ssh,Process name.
-1.9.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
-1.9.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
-1.9.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-1.9.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
-1.9.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-1.9.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-1.9.0-dev+exp,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
-1.9.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-1.9.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.9.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-1.9.0-dev+exp,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-1.9.0-dev+exp,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
-1.9.0-dev+exp,true,process,process.parent.elf.byte_order,keyword,extended,,"Little Endian, Big Endian",Byte sequence of ELF file.
-1.9.0-dev+exp,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
-1.9.0-dev+exp,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date.
-1.9.0-dev+exp,true,process,process.parent.elf.exports,flattened,extended,,,List of exported element names and types.
-1.9.0-dev+exp,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
-1.9.0-dev+exp,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file.
-1.9.0-dev+exp,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header.
-1.9.0-dev+exp,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
-1.9.0-dev+exp,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
-1.9.0-dev+exp,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
-1.9.0-dev+exp,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file.
-1.9.0-dev+exp,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header.
-1.9.0-dev+exp,true,process,process.parent.elf.imports,flattened,extended,,,List of imported element names and types.
-1.9.0-dev+exp,true,process,process.parent.elf.sections,nested,extended,,,Section information of the ELF file.
-1.9.0-dev+exp,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
-1.9.0-dev+exp,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
-1.9.0-dev+exp,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags.
-1.9.0-dev+exp,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name.
-1.9.0-dev+exp,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
-1.9.0-dev+exp,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
-1.9.0-dev+exp,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type.
-1.9.0-dev+exp,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
-1.9.0-dev+exp,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
-1.9.0-dev+exp,true,process,process.parent.elf.segments,nested,extended,,,ELF object segment list.
-1.9.0-dev+exp,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections.
-1.9.0-dev+exp,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type.
-1.9.0-dev+exp,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object
-1.9.0-dev+exp,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF files
-1.9.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-1.9.0-dev+exp,true,process,process.parent.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable.
-1.9.0-dev+exp,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
-1.9.0-dev+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process.
-1.9.0-dev+exp,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash.
-1.9.0-dev+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash.
-1.9.0-dev+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash.
-1.9.0-dev+exp,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash.
-1.9.0-dev+exp,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash.
-1.9.0-dev+exp,true,process,process.parent.name,wildcard,extended,,ssh,Process name.
-1.9.0-dev+exp,true,process,process.parent.name.text,text,extended,,ssh,Process name.
-1.9.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-1.9.0-dev+exp,true,process,process.parent.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
-1.9.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-1.9.0-dev+exp,true,process,process.parent.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
-1.9.0-dev+exp,true,process,process.parent.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
-1.9.0-dev+exp,true,process,process.parent.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
-1.9.0-dev+exp,true,process,process.parent.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
-1.9.0-dev+exp,true,process,process.parent.pe.debug,nested,extended,array,,Debug information
-1.9.0-dev+exp,true,process,process.parent.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
-1.9.0-dev+exp,true,process,process.parent.pe.debug.size,long,extended,,816,Size of the debug information.
-1.9.0-dev+exp,true,process,process.parent.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
-1.9.0-dev+exp,true,process,process.parent.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
-1.9.0-dev+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-1.9.0-dev+exp,true,process,process.parent.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
-1.9.0-dev+exp,true,process,process.parent.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
-1.9.0-dev+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-1.9.0-dev+exp,true,process,process.parent.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
-1.9.0-dev+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.9.0-dev+exp,true,process,process.parent.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
-1.9.0-dev+exp,true,process,process.parent.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
-1.9.0-dev+exp,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-1.9.0-dev+exp,true,process,process.parent.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
-1.9.0-dev+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-1.9.0-dev+exp,true,process,process.parent.pe.resources,nested,extended,array,,PE resource information
-1.9.0-dev+exp,true,process,process.parent.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
-1.9.0-dev+exp,true,process,process.parent.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
-1.9.0-dev+exp,true,process,process.parent.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
-1.9.0-dev+exp,true,process,process.parent.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
-1.9.0-dev+exp,true,process,process.parent.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
-1.9.0-dev+exp,true,process,process.parent.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
-1.9.0-dev+exp,true,process,process.parent.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
-1.9.0-dev+exp,true,process,process.parent.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
-1.9.0-dev+exp,true,process,process.parent.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
-1.9.0-dev+exp,true,process,process.parent.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
-1.9.0-dev+exp,true,process,process.parent.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
-1.9.0-dev+exp,true,process,process.parent.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
-1.9.0-dev+exp,true,process,process.parent.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
-1.9.0-dev+exp,true,process,process.parent.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
-1.9.0-dev+exp,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
-1.9.0-dev+exp,true,process,process.parent.pid,long,core,,4242,Process id.
-1.9.0-dev+exp,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid.
-1.9.0-dev+exp,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
-1.9.0-dev+exp,true,process,process.parent.thread.id,long,extended,,4242,Thread ID.
-1.9.0-dev+exp,true,process,process.parent.thread.name,wildcard,extended,,thread-0,Thread name.
-1.9.0-dev+exp,true,process,process.parent.title,wildcard,extended,,,Process title.
-1.9.0-dev+exp,true,process,process.parent.title.text,text,extended,,,Process title.
-1.9.0-dev+exp,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up.
-1.9.0-dev+exp,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process.
-1.9.0-dev+exp,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process.
-1.9.0-dev+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-1.9.0-dev+exp,true,process,process.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
-1.9.0-dev+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-1.9.0-dev+exp,true,process,process.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
-1.9.0-dev+exp,true,process,process.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
-1.9.0-dev+exp,true,process,process.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
-1.9.0-dev+exp,true,process,process.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
-1.9.0-dev+exp,true,process,process.pe.debug,nested,extended,array,,Debug information
-1.9.0-dev+exp,true,process,process.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
-1.9.0-dev+exp,true,process,process.pe.debug.size,long,extended,,816,Size of the debug information.
-1.9.0-dev+exp,true,process,process.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
-1.9.0-dev+exp,true,process,process.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
-1.9.0-dev+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-1.9.0-dev+exp,true,process,process.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
-1.9.0-dev+exp,true,process,process.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
-1.9.0-dev+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-1.9.0-dev+exp,true,process,process.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
-1.9.0-dev+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.9.0-dev+exp,true,process,process.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
-1.9.0-dev+exp,true,process,process.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
-1.9.0-dev+exp,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-1.9.0-dev+exp,true,process,process.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
-1.9.0-dev+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-1.9.0-dev+exp,true,process,process.pe.resources,nested,extended,array,,PE resource information
-1.9.0-dev+exp,true,process,process.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
-1.9.0-dev+exp,true,process,process.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
-1.9.0-dev+exp,true,process,process.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
-1.9.0-dev+exp,true,process,process.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
-1.9.0-dev+exp,true,process,process.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
-1.9.0-dev+exp,true,process,process.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
-1.9.0-dev+exp,true,process,process.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
-1.9.0-dev+exp,true,process,process.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
-1.9.0-dev+exp,true,process,process.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
-1.9.0-dev+exp,true,process,process.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
-1.9.0-dev+exp,true,process,process.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
-1.9.0-dev+exp,true,process,process.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
-1.9.0-dev+exp,true,process,process.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
-1.9.0-dev+exp,true,process,process.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
-1.9.0-dev+exp,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
-1.9.0-dev+exp,true,process,process.pid,long,core,,4242,Process id.
-1.9.0-dev+exp,true,process,process.ppid,long,extended,,4241,Parent process' pid.
-1.9.0-dev+exp,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
-1.9.0-dev+exp,true,process,process.thread.id,long,extended,,4242,Thread ID.
-1.9.0-dev+exp,true,process,process.thread.name,wildcard,extended,,thread-0,Thread name.
-1.9.0-dev+exp,true,process,process.title,wildcard,extended,,,Process title.
-1.9.0-dev+exp,true,process,process.title.text,text,extended,,,Process title.
-1.9.0-dev+exp,true,process,process.uptime,long,extended,,1325,Seconds the process has been up.
-1.9.0-dev+exp,true,process,process.working_directory,wildcard,extended,,/home/alice,The working directory of the process.
-1.9.0-dev+exp,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process.
-1.9.0-dev+exp,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
-1.9.0-dev+exp,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
-1.9.0-dev+exp,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
-1.9.0-dev+exp,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
-1.9.0-dev+exp,true,registry,registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
-1.9.0-dev+exp,true,registry,registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
-1.9.0-dev+exp,true,registry,registry.value,keyword,core,,Debugger,Name of the value written.
-1.9.0-dev+exp,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event.
-1.9.0-dev+exp,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event.
-1.9.0-dev+exp,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event.
-1.9.0-dev+exp,true,related,related.user,keyword,extended,array,,All the user names seen on your event.
-1.9.0-dev+exp,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author
-1.9.0-dev+exp,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category
-1.9.0-dev+exp,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description
-1.9.0-dev+exp,true,rule,rule.id,keyword,extended,,101,Rule ID
-1.9.0-dev+exp,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license
-1.9.0-dev+exp,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name
-1.9.0-dev+exp,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL
-1.9.0-dev+exp,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset
-1.9.0-dev+exp,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID
-1.9.0-dev+exp,true,rule,rule.version,keyword,extended,,1.1,Rule version
-1.9.0-dev+exp,true,server,server.address,keyword,extended,,,Server network address.
-1.9.0-dev+exp,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.9.0-dev+exp,true,server,server.as.organization.name,wildcard,extended,,Google LLC,Organization name.
-1.9.0-dev+exp,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.9.0-dev+exp,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client.
-1.9.0-dev+exp,true,server,server.domain,wildcard,core,,,Server domain.
-1.9.0-dev+exp,true,server,server.geo.city_name,keyword,core,,Montreal,City name.
-1.9.0-dev+exp,true,server,server.geo.continent_code,keyword,core,,NA,Continent code.
-1.9.0-dev+exp,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.9.0-dev+exp,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.9.0-dev+exp,true,server,server.geo.country_name,keyword,core,,Canada,Country name.
-1.9.0-dev+exp,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.9.0-dev+exp,true,server,server.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
-1.9.0-dev+exp,true,server,server.geo.postal_code,keyword,core,,94040,Postal code.
-1.9.0-dev+exp,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.9.0-dev+exp,true,server,server.geo.region_name,keyword,core,,Quebec,Region name.
-1.9.0-dev+exp,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-1.9.0-dev+exp,true,server,server.ip,ip,core,,,IP address of the server.
-1.9.0-dev+exp,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server.
-1.9.0-dev+exp,true,server,server.nat.ip,ip,extended,,,Server NAT ip
-1.9.0-dev+exp,true,server,server.nat.port,long,extended,,,Server NAT port
-1.9.0-dev+exp,true,server,server.packets,long,core,,12,Packets sent from the server to the client.
-1.9.0-dev+exp,true,server,server.port,long,core,,,Port of the server.
-1.9.0-dev+exp,true,server,server.registered_domain,wildcard,extended,,example.com,"The highest registered server domain, stripped of the subdomain."
-1.9.0-dev+exp,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain.
-1.9.0-dev+exp,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.9.0-dev+exp,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.9.0-dev+exp,true,server,server.user.email,wildcard,extended,,,User email address.
-1.9.0-dev+exp,true,server,server.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.9.0-dev+exp,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.9.0-dev+exp,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.9.0-dev+exp,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.9.0-dev+exp,true,server,server.user.group.name,keyword,extended,,,Name of the group.
-1.9.0-dev+exp,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.9.0-dev+exp,true,server,server.user.id,keyword,core,,,Unique identifier of the user.
-1.9.0-dev+exp,true,server,server.user.name,wildcard,core,,albert,Short name or login of the user.
-1.9.0-dev+exp,true,server,server.user.name.text,text,core,,albert,Short name or login of the user.
-1.9.0-dev+exp,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.9.0-dev+exp,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
-1.9.0-dev+exp,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
-1.9.0-dev+exp,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service.
-1.9.0-dev+exp,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node.
-1.9.0-dev+exp,true,service,service.state,keyword,core,,,Current state of the service.
-1.9.0-dev+exp,true,service,service.type,keyword,core,,elasticsearch,The type of the service.
-1.9.0-dev+exp,true,service,service.version,keyword,core,,3.2.4,Version of the service.
-1.9.0-dev+exp,true,source,source.address,keyword,extended,,,Source network address.
-1.9.0-dev+exp,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.9.0-dev+exp,true,source,source.as.organization.name,wildcard,extended,,Google LLC,Organization name.
-1.9.0-dev+exp,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.9.0-dev+exp,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination.
-1.9.0-dev+exp,true,source,source.domain,wildcard,core,,,Source domain.
-1.9.0-dev+exp,true,source,source.geo.city_name,keyword,core,,Montreal,City name.
-1.9.0-dev+exp,true,source,source.geo.continent_code,keyword,core,,NA,Continent code.
-1.9.0-dev+exp,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.9.0-dev+exp,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.9.0-dev+exp,true,source,source.geo.country_name,keyword,core,,Canada,Country name.
-1.9.0-dev+exp,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.9.0-dev+exp,true,source,source.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
-1.9.0-dev+exp,true,source,source.geo.postal_code,keyword,core,,94040,Postal code.
-1.9.0-dev+exp,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.9.0-dev+exp,true,source,source.geo.region_name,keyword,core,,Quebec,Region name.
-1.9.0-dev+exp,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-1.9.0-dev+exp,true,source,source.ip,ip,core,,,IP address of the source.
-1.9.0-dev+exp,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source.
-1.9.0-dev+exp,true,source,source.nat.ip,ip,extended,,,Source NAT ip
-1.9.0-dev+exp,true,source,source.nat.port,long,extended,,,Source NAT port
-1.9.0-dev+exp,true,source,source.packets,long,core,,12,Packets sent from the source to the destination.
-1.9.0-dev+exp,true,source,source.port,long,core,,,Port of the source.
-1.9.0-dev+exp,true,source,source.registered_domain,wildcard,extended,,example.com,"The highest registered source domain, stripped of the subdomain."
-1.9.0-dev+exp,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain.
-1.9.0-dev+exp,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.9.0-dev+exp,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.9.0-dev+exp,true,source,source.user.email,wildcard,extended,,,User email address.
-1.9.0-dev+exp,true,source,source.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.9.0-dev+exp,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.9.0-dev+exp,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.9.0-dev+exp,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.9.0-dev+exp,true,source,source.user.group.name,keyword,extended,,,Name of the group.
-1.9.0-dev+exp,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.9.0-dev+exp,true,source,source.user.id,keyword,core,,,Unique identifier of the user.
-1.9.0-dev+exp,true,source,source.user.name,wildcard,core,,albert,Short name or login of the user.
-1.9.0-dev+exp,true,source,source.user.name.text,text,core,,albert,Short name or login of the user.
-1.9.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.9.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace.
-1.9.0-dev+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework.
-1.9.0-dev+exp,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.9.0-dev+exp,true,threat,threat.indicator.as.organization.name,wildcard,extended,,Google LLC,Organization name.
-1.9.0-dev+exp,true,threat,threat.indicator.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.9.0-dev+exp,true,threat,threat.indicator.confidence,keyword,extended,,High,Indicator confidence rating
-1.9.0-dev+exp,true,threat,threat.indicator.dataset,keyword,extended,,threatintel.abusemalware,Indicator dataset
-1.9.0-dev+exp,true,threat,threat.indicator.description,wildcard,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description
-1.9.0-dev+exp,true,threat,threat.indicator.domain,keyword,extended,,example.com,Indicator domain name
-1.9.0-dev+exp,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address
-1.9.0-dev+exp,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed.
-1.9.0-dev+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
-1.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-1.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
-1.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-1.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-1.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
-1.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-1.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.9.0-dev+exp,true,threat,threat.indicator.file.created,date,extended,,,File creation time.
-1.9.0-dev+exp,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed.
-1.9.0-dev+exp,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file.
-1.9.0-dev+exp,true,threat,threat.indicator.file.directory,wildcard,extended,,/home/alice,Directory where the file is located.
-1.9.0-dev+exp,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
-1.9.0-dev+exp,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
-1.9.0-dev+exp,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
-1.9.0-dev+exp,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file.
-1.9.0-dev+exp,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
-1.9.0-dev+exp,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
-1.9.0-dev+exp,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation.
-1.9.0-dev+exp,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified.
-1.9.0-dev+exp,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
-1.9.0-dev+exp,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username.
-1.9.0-dev+exp,true,threat,threat.indicator.file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name."
-1.9.0-dev+exp,true,threat,threat.indicator.file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
-1.9.0-dev+exp,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes.
-1.9.0-dev+exp,true,threat,threat.indicator.file.target_path,wildcard,extended,,,Target path for symlinks.
-1.9.0-dev+exp,true,threat,threat.indicator.file.target_path.text,text,extended,,,Target path for symlinks.
-1.9.0-dev+exp,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
-1.9.0-dev+exp,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
-1.9.0-dev+exp,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported.
-1.9.0-dev+exp,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name.
-1.9.0-dev+exp,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code.
-1.9.0-dev+exp,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.9.0-dev+exp,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.9.0-dev+exp,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name.
-1.9.0-dev+exp,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.9.0-dev+exp,true,threat,threat.indicator.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
-1.9.0-dev+exp,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code.
-1.9.0-dev+exp,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.9.0-dev+exp,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name.
-1.9.0-dev+exp,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-1.9.0-dev+exp,true,threat,threat.indicator.hash.md5,keyword,extended,,,MD5 hash.
-1.9.0-dev+exp,true,threat,threat.indicator.hash.sha1,keyword,extended,,,SHA1 hash.
-1.9.0-dev+exp,true,threat,threat.indicator.hash.sha256,keyword,extended,,,SHA256 hash.
-1.9.0-dev+exp,true,threat,threat.indicator.hash.sha512,keyword,extended,,,SHA512 hash.
-1.9.0-dev+exp,true,threat,threat.indicator.hash.ssdeep,keyword,extended,,,SSDEEP hash.
-1.9.0-dev+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address
-1.9.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported.
-1.9.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,White,Indicator TLP marking
-1.9.0-dev+exp,true,threat,threat.indicator.matched.atomic,keyword,extended,,example.com,Indicator atomic match
-1.9.0-dev+exp,true,threat,threat.indicator.matched.field,keyword,extended,,file.hash.sha256,Indicator field match
-1.9.0-dev+exp,true,threat,threat.indicator.matched.type,keyword,extended,,domain-name,Indicator type match
-1.9.0-dev+exp,true,threat,threat.indicator.module,keyword,extended,,threatintel,Indicator module
-1.9.0-dev+exp,true,threat,threat.indicator.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-1.9.0-dev+exp,true,threat,threat.indicator.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
-1.9.0-dev+exp,true,threat,threat.indicator.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-1.9.0-dev+exp,true,threat,threat.indicator.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
-1.9.0-dev+exp,true,threat,threat.indicator.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
-1.9.0-dev+exp,true,threat,threat.indicator.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
-1.9.0-dev+exp,true,threat,threat.indicator.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
-1.9.0-dev+exp,true,threat,threat.indicator.pe.debug,nested,extended,array,,Debug information
-1.9.0-dev+exp,true,threat,threat.indicator.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
-1.9.0-dev+exp,true,threat,threat.indicator.pe.debug.size,long,extended,,816,Size of the debug information.
-1.9.0-dev+exp,true,threat,threat.indicator.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
-1.9.0-dev+exp,true,threat,threat.indicator.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
-1.9.0-dev+exp,true,threat,threat.indicator.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-1.9.0-dev+exp,true,threat,threat.indicator.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
-1.9.0-dev+exp,true,threat,threat.indicator.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
-1.9.0-dev+exp,true,threat,threat.indicator.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-1.9.0-dev+exp,true,threat,threat.indicator.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
-1.9.0-dev+exp,true,threat,threat.indicator.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.9.0-dev+exp,true,threat,threat.indicator.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
-1.9.0-dev+exp,true,threat,threat.indicator.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
-1.9.0-dev+exp,true,threat,threat.indicator.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-1.9.0-dev+exp,true,threat,threat.indicator.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
-1.9.0-dev+exp,true,threat,threat.indicator.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-1.9.0-dev+exp,true,threat,threat.indicator.pe.resources,nested,extended,array,,PE resource information
-1.9.0-dev+exp,true,threat,threat.indicator.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
-1.9.0-dev+exp,true,threat,threat.indicator.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
-1.9.0-dev+exp,true,threat,threat.indicator.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
-1.9.0-dev+exp,true,threat,threat.indicator.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
-1.9.0-dev+exp,true,threat,threat.indicator.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
-1.9.0-dev+exp,true,threat,threat.indicator.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
-1.9.0-dev+exp,true,threat,threat.indicator.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
-1.9.0-dev+exp,true,threat,threat.indicator.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
-1.9.0-dev+exp,true,threat,threat.indicator.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
-1.9.0-dev+exp,true,threat,threat.indicator.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
-1.9.0-dev+exp,true,threat,threat.indicator.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
-1.9.0-dev+exp,true,threat,threat.indicator.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
-1.9.0-dev+exp,true,threat,threat.indicator.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
-1.9.0-dev+exp,true,threat,threat.indicator.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
-1.9.0-dev+exp,true,threat,threat.indicator.port,long,extended,,443,Indicator port
-1.9.0-dev+exp,true,threat,threat.indicator.provider,keyword,extended,,VirusTotal,Identifies the name of the intelligence provider.
-1.9.0-dev+exp,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
-1.9.0-dev+exp,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
-1.9.0-dev+exp,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
-1.9.0-dev+exp,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
-1.9.0-dev+exp,true,threat,threat.indicator.registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
-1.9.0-dev+exp,true,threat,threat.indicator.registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
-1.9.0-dev+exp,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written.
-1.9.0-dev+exp,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics
-1.9.0-dev+exp,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed
-1.9.0-dev+exp,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator
-1.9.0-dev+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id.
-1.9.0-dev+exp,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic.
-1.9.0-dev+exp,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference.
-1.9.0-dev+exp,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id.
-1.9.0-dev+exp,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name.
-1.9.0-dev+exp,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name.
-1.9.0-dev+exp,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference.
-1.9.0-dev+exp,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id.
-1.9.0-dev+exp,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name.
-1.9.0-dev+exp,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name.
-1.9.0-dev+exp,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference.
-1.9.0-dev+exp,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection.
-1.9.0-dev+exp,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client.
-1.9.0-dev+exp,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client.
-1.9.0-dev+exp,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client.
-1.9.0-dev+exp,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client.
-1.9.0-dev+exp,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client.
-1.9.0-dev+exp,true,tls,tls.client.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
-1.9.0-dev+exp,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake.
-1.9.0-dev+exp,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid.
-1.9.0-dev+exp,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid.
-1.9.0-dev+exp,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI.
-1.9.0-dev+exp,true,tls,tls.client.subject,wildcard,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client.
-1.9.0-dev+exp,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello.
-1.9.0-dev+exp,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
-1.9.0-dev+exp,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
-1.9.0-dev+exp,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-1.9.0-dev+exp,true,tls,tls.client.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
-1.9.0-dev+exp,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
-1.9.0-dev+exp,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
-1.9.0-dev+exp,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
-1.9.0-dev+exp,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.9.0-dev+exp,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
-1.9.0-dev+exp,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
-1.9.0-dev+exp,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
-1.9.0-dev+exp,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-1.9.0-dev+exp,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
-1.9.0-dev+exp,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
-1.9.0-dev+exp,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
-1.9.0-dev+exp,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
-1.9.0-dev+exp,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
-1.9.0-dev+exp,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code
-1.9.0-dev+exp,true,tls,tls.client.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
-1.9.0-dev+exp,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
-1.9.0-dev+exp,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
-1.9.0-dev+exp,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
-1.9.0-dev+exp,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.9.0-dev+exp,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format.
-1.9.0-dev+exp,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable."
-1.9.0-dev+exp,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
-1.9.0-dev+exp,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled.
-1.9.0-dev+exp,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
-1.9.0-dev+exp,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server.
-1.9.0-dev+exp,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server.
-1.9.0-dev+exp,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server.
-1.9.0-dev+exp,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server.
-1.9.0-dev+exp,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server.
-1.9.0-dev+exp,true,tls,tls.server.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server.
-1.9.0-dev+exp,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake.
-1.9.0-dev+exp,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid.
-1.9.0-dev+exp,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid.
-1.9.0-dev+exp,true,tls,tls.server.subject,wildcard,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server.
-1.9.0-dev+exp,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
-1.9.0-dev+exp,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
-1.9.0-dev+exp,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-1.9.0-dev+exp,true,tls,tls.server.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
-1.9.0-dev+exp,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
-1.9.0-dev+exp,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
-1.9.0-dev+exp,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
-1.9.0-dev+exp,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.9.0-dev+exp,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
-1.9.0-dev+exp,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
-1.9.0-dev+exp,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
-1.9.0-dev+exp,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-1.9.0-dev+exp,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
-1.9.0-dev+exp,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
-1.9.0-dev+exp,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
-1.9.0-dev+exp,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
-1.9.0-dev+exp,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
-1.9.0-dev+exp,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code
-1.9.0-dev+exp,true,tls,tls.server.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
-1.9.0-dev+exp,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
-1.9.0-dev+exp,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
-1.9.0-dev+exp,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
-1.9.0-dev+exp,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.9.0-dev+exp,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format.
-1.9.0-dev+exp,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string.
-1.9.0-dev+exp,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string.
-1.9.0-dev+exp,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace.
-1.9.0-dev+exp,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace.
-1.9.0-dev+exp,true,url,url.domain,wildcard,extended,,www.elastic.co,Domain of the url.
-1.9.0-dev+exp,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
-1.9.0-dev+exp,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`.
-1.9.0-dev+exp,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-1.9.0-dev+exp,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-1.9.0-dev+exp,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
-1.9.0-dev+exp,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
-1.9.0-dev+exp,true,url,url.password,keyword,extended,,,Password of the request.
-1.9.0-dev+exp,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
-1.9.0-dev+exp,true,url,url.port,long,extended,,443,"Port of the request, such as 443."
-1.9.0-dev+exp,true,url,url.query,keyword,extended,,,Query string of the request.
-1.9.0-dev+exp,true,url,url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
-1.9.0-dev+exp,true,url,url.scheme,keyword,extended,,https,Scheme of the url.
-1.9.0-dev+exp,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain.
-1.9.0-dev+exp,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.9.0-dev+exp,true,url,url.username,keyword,extended,,,Username of the request.
-1.9.0-dev+exp,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.9.0-dev+exp,true,user,user.changes.email,wildcard,extended,,,User email address.
-1.9.0-dev+exp,true,user,user.changes.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.9.0-dev+exp,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.9.0-dev+exp,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.9.0-dev+exp,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.9.0-dev+exp,true,user,user.changes.group.name,keyword,extended,,,Name of the group.
-1.9.0-dev+exp,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.9.0-dev+exp,true,user,user.changes.id,keyword,core,,,Unique identifier of the user.
-1.9.0-dev+exp,true,user,user.changes.name,wildcard,core,,albert,Short name or login of the user.
-1.9.0-dev+exp,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user.
-1.9.0-dev+exp,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.9.0-dev+exp,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.9.0-dev+exp,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.9.0-dev+exp,true,user,user.effective.email,wildcard,extended,,,User email address.
-1.9.0-dev+exp,true,user,user.effective.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.9.0-dev+exp,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.9.0-dev+exp,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.9.0-dev+exp,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.9.0-dev+exp,true,user,user.effective.group.name,keyword,extended,,,Name of the group.
-1.9.0-dev+exp,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.9.0-dev+exp,true,user,user.effective.id,keyword,core,,,Unique identifier of the user.
-1.9.0-dev+exp,true,user,user.effective.name,wildcard,core,,albert,Short name or login of the user.
-1.9.0-dev+exp,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user.
-1.9.0-dev+exp,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.9.0-dev+exp,true,user,user.email,wildcard,extended,,,User email address.
-1.9.0-dev+exp,true,user,user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.9.0-dev+exp,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.9.0-dev+exp,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.9.0-dev+exp,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.9.0-dev+exp,true,user,user.group.name,keyword,extended,,,Name of the group.
-1.9.0-dev+exp,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.9.0-dev+exp,true,user,user.id,keyword,core,,,Unique identifier of the user.
-1.9.0-dev+exp,true,user,user.name,wildcard,core,,albert,Short name or login of the user.
-1.9.0-dev+exp,true,user,user.name.text,text,core,,albert,Short name or login of the user.
-1.9.0-dev+exp,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.9.0-dev+exp,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.9.0-dev+exp,true,user,user.target.email,wildcard,extended,,,User email address.
-1.9.0-dev+exp,true,user,user.target.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
-1.9.0-dev+exp,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.9.0-dev+exp,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.9.0-dev+exp,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.9.0-dev+exp,true,user,user.target.group.name,keyword,extended,,,Name of the group.
-1.9.0-dev+exp,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.9.0-dev+exp,true,user,user.target.id,keyword,core,,,Unique identifier of the user.
-1.9.0-dev+exp,true,user,user.target.name,wildcard,core,,albert,Short name or login of the user.
-1.9.0-dev+exp,true,user,user.target.name.text,text,core,,albert,Short name or login of the user.
-1.9.0-dev+exp,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.9.0-dev+exp,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device.
-1.9.0-dev+exp,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
-1.9.0-dev+exp,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
-1.9.0-dev+exp,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
-1.9.0-dev+exp,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.9.0-dev+exp,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.9.0-dev+exp,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.9.0-dev+exp,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.9.0-dev+exp,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
-1.9.0-dev+exp,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
-1.9.0-dev+exp,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
-1.9.0-dev+exp,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
-1.9.0-dev+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
-1.9.0-dev+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent.
-1.9.0-dev+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability.
-1.9.0-dev+exp,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability.
-1.9.0-dev+exp,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
-1.9.0-dev+exp,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
-1.9.0-dev+exp,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability.
-1.9.0-dev+exp,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability.
-1.9.0-dev+exp,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability.
-1.9.0-dev+exp,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number.
-1.9.0-dev+exp,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor.
-1.9.0-dev+exp,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score.
-1.9.0-dev+exp,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score.
-1.9.0-dev+exp,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score.
-1.9.0-dev+exp,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version.
-1.9.0-dev+exp,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability.
+1.9.0+exp,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated.
+1.9.0+exp,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs.
+1.9.0+exp,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer.
+1.9.0+exp,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event.
+1.9.0+exp,true,agent,agent.build.original,wildcard,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent.
+1.9.0+exp,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent.
+1.9.0+exp,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
+1.9.0+exp,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
+1.9.0+exp,true,agent,agent.type,keyword,core,,filebeat,Type of the agent.
+1.9.0+exp,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
+1.9.0+exp,true,client,client.address,keyword,extended,,,Client network address.
+1.9.0+exp,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.9.0+exp,true,client,client.as.organization.name,wildcard,extended,,Google LLC,Organization name.
+1.9.0+exp,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.9.0+exp,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server.
+1.9.0+exp,true,client,client.domain,wildcard,core,,,Client domain.
+1.9.0+exp,true,client,client.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0+exp,true,client,client.geo.continent_code,keyword,core,,NA,Continent code.
+1.9.0+exp,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.9.0+exp,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.9.0+exp,true,client,client.geo.country_name,keyword,core,,Canada,Country name.
+1.9.0+exp,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.9.0+exp,true,client,client.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.9.0+exp,true,client,client.geo.postal_code,keyword,core,,94040,Postal code.
+1.9.0+exp,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.9.0+exp,true,client,client.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0+exp,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+1.9.0+exp,true,client,client.ip,ip,core,,,IP address of the client.
+1.9.0+exp,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client.
+1.9.0+exp,true,client,client.nat.ip,ip,extended,,,Client NAT ip address
+1.9.0+exp,true,client,client.nat.port,long,extended,,,Client NAT port
+1.9.0+exp,true,client,client.packets,long,core,,12,Packets sent from the client to the server.
+1.9.0+exp,true,client,client.port,long,core,,,Port of the client.
+1.9.0+exp,true,client,client.registered_domain,wildcard,extended,,example.com,"The highest registered client domain, stripped of the subdomain."
+1.9.0+exp,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.9.0+exp,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.9.0+exp,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.9.0+exp,true,client,client.user.email,wildcard,extended,,,User email address.
+1.9.0+exp,true,client,client.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0+exp,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.9.0+exp,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0+exp,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0+exp,true,client,client.user.group.name,keyword,extended,,,Name of the group.
+1.9.0+exp,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.9.0+exp,true,client,client.user.id,keyword,core,,,Unique identifier of the user.
+1.9.0+exp,true,client,client.user.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0+exp,true,client,client.user.name.text,text,core,,albert,Short name or login of the user.
+1.9.0+exp,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.9.0+exp,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id.
+1.9.0+exp,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name.
+1.9.0+exp,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running.
+1.9.0+exp,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
+1.9.0+exp,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine.
+1.9.0+exp,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
+1.9.0+exp,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id.
+1.9.0+exp,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name.
+1.9.0+exp,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider.
+1.9.0+exp,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running.
+1.9.0+exp,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name.
+1.9.0+exp,true,container,container.id,keyword,core,,,Unique container id.
+1.9.0+exp,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on.
+1.9.0+exp,true,container,container.image.tag,keyword,extended,array,,Container image tags.
+1.9.0+exp,true,container,container.labels,object,extended,,,Image labels.
+1.9.0+exp,true,container,container.name,keyword,extended,,,Container name.
+1.9.0+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container.
+1.9.0+exp,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data.
+1.9.0+exp,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data.
+1.9.0+exp,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream.
+1.9.0+exp,true,destination,destination.address,keyword,extended,,,Destination network address.
+1.9.0+exp,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.9.0+exp,true,destination,destination.as.organization.name,wildcard,extended,,Google LLC,Organization name.
+1.9.0+exp,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.9.0+exp,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source.
+1.9.0+exp,true,destination,destination.domain,wildcard,core,,,Destination domain.
+1.9.0+exp,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0+exp,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code.
+1.9.0+exp,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.9.0+exp,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.9.0+exp,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name.
+1.9.0+exp,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.9.0+exp,true,destination,destination.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.9.0+exp,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code.
+1.9.0+exp,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.9.0+exp,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0+exp,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+1.9.0+exp,true,destination,destination.ip,ip,core,,,IP address of the destination.
+1.9.0+exp,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination.
+1.9.0+exp,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip
+1.9.0+exp,true,destination,destination.nat.port,long,extended,,,Destination NAT Port
+1.9.0+exp,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source.
+1.9.0+exp,true,destination,destination.port,long,core,,,Port of the destination.
+1.9.0+exp,true,destination,destination.registered_domain,wildcard,extended,,example.com,"The highest registered destination domain, stripped of the subdomain."
+1.9.0+exp,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.9.0+exp,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.9.0+exp,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.9.0+exp,true,destination,destination.user.email,wildcard,extended,,,User email address.
+1.9.0+exp,true,destination,destination.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0+exp,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.9.0+exp,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0+exp,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0+exp,true,destination,destination.user.group.name,keyword,extended,,,Name of the group.
+1.9.0+exp,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.9.0+exp,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user.
+1.9.0+exp,true,destination,destination.user.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0+exp,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user.
+1.9.0+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.9.0+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.9.0+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
+1.9.0+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.9.0+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.9.0+exp,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
+1.9.0+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.9.0+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.9.0+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash.
+1.9.0+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash.
+1.9.0+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash.
+1.9.0+exp,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash.
+1.9.0+exp,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash.
+1.9.0+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library.
+1.9.0+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library.
+1.9.0+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.9.0+exp,true,dll,dll.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
+1.9.0+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.9.0+exp,true,dll,dll.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
+1.9.0+exp,true,dll,dll.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
+1.9.0+exp,true,dll,dll.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
+1.9.0+exp,true,dll,dll.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
+1.9.0+exp,true,dll,dll.pe.debug,nested,extended,array,,Debug information
+1.9.0+exp,true,dll,dll.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
+1.9.0+exp,true,dll,dll.pe.debug.size,long,extended,,816,Size of the debug information.
+1.9.0+exp,true,dll,dll.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
+1.9.0+exp,true,dll,dll.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
+1.9.0+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.9.0+exp,true,dll,dll.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
+1.9.0+exp,true,dll,dll.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
+1.9.0+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.9.0+exp,true,dll,dll.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
+1.9.0+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.9.0+exp,true,dll,dll.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
+1.9.0+exp,true,dll,dll.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
+1.9.0+exp,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.9.0+exp,true,dll,dll.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
+1.9.0+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.9.0+exp,true,dll,dll.pe.resources,nested,extended,array,,PE resource information
+1.9.0+exp,true,dll,dll.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
+1.9.0+exp,true,dll,dll.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
+1.9.0+exp,true,dll,dll.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
+1.9.0+exp,true,dll,dll.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
+1.9.0+exp,true,dll,dll.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
+1.9.0+exp,true,dll,dll.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
+1.9.0+exp,true,dll,dll.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
+1.9.0+exp,true,dll,dll.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
+1.9.0+exp,true,dll,dll.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
+1.9.0+exp,true,dll,dll.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
+1.9.0+exp,true,dll,dll.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
+1.9.0+exp,true,dll,dll.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
+1.9.0+exp,true,dll,dll.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
+1.9.0+exp,true,dll,dll.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
+1.9.0+exp,true,dns,dns.answers,object,extended,array,,Array of DNS answers.
+1.9.0+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record.
+1.9.0+exp,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource.
+1.9.0+exp,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains.
+1.9.0+exp,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded.
+1.9.0+exp,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record.
+1.9.0+exp,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags.
+1.9.0+exp,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
+1.9.0+exp,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message.
+1.9.0+exp,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried.
+1.9.0+exp,true,dns,dns.question.name,wildcard,extended,,www.example.com,The name being queried.
+1.9.0+exp,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain."
+1.9.0+exp,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain.
+1.9.0+exp,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.9.0+exp,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried.
+1.9.0+exp,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data
+1.9.0+exp,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code.
+1.9.0+exp,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer."
+1.9.0+exp,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
+1.9.0+exp,true,error,error.code,keyword,core,,,Error code describing the error.
+1.9.0+exp,true,error,error.id,keyword,core,,,Unique identifier for the error.
+1.9.0+exp,true,error,error.message,text,core,,,Error message.
+1.9.0+exp,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text.
+1.9.0+exp,true,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text.
+1.9.0+exp,true,error,error.type,wildcard,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception."
+1.9.0+exp,true,event,event.action,keyword,core,,user-password-change,The action captured by the event.
+1.9.0+exp,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy.
+1.9.0+exp,true,event,event.code,keyword,extended,,4648,Identification code for this event.
+1.9.0+exp,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline.
+1.9.0+exp,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset.
+1.9.0+exp,true,event,event.duration,long,core,,,Duration of the event in nanoseconds.
+1.9.0+exp,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed.
+1.9.0+exp,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
+1.9.0+exp,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event.
+1.9.0+exp,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store.
+1.9.0+exp,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy.
+1.9.0+exp,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from.
+1.9.0+exp,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124; worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event.
+1.9.0+exp,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy.
+1.9.0+exp,true,event,event.provider,keyword,extended,,kernel,Source of the event.
+1.9.0+exp,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source"
+1.9.0+exp,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL
+1.9.0+exp,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
+1.9.0+exp,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100).
+1.9.0+exp,true,event,event.sequence,long,extended,,,Sequence number of the event.
+1.9.0+exp,true,event,event.severity,long,core,,7,Numeric severity of the event.
+1.9.0+exp,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed.
+1.9.0+exp,true,event,event.timezone,keyword,extended,,,Event time zone.
+1.9.0+exp,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy.
+1.9.0+exp,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL
+1.9.0+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed.
+1.9.0+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
+1.9.0+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.9.0+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
+1.9.0+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.9.0+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.9.0+exp,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
+1.9.0+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.9.0+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.9.0+exp,true,file,file.created,date,extended,,,File creation time.
+1.9.0+exp,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed.
+1.9.0+exp,true,file,file.device,keyword,extended,,sda,Device that is the source of the file.
+1.9.0+exp,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located.
+1.9.0+exp,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
+1.9.0+exp,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
+1.9.0+exp,true,file,file.elf.byte_order,keyword,extended,,"Little Endian, Big Endian",Byte sequence of ELF file.
+1.9.0+exp,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
+1.9.0+exp,true,file,file.elf.creation_date,date,extended,,,Build or compile date.
+1.9.0+exp,true,file,file.elf.exports,flattened,extended,,,List of exported element names and types.
+1.9.0+exp,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
+1.9.0+exp,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file.
+1.9.0+exp,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header.
+1.9.0+exp,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
+1.9.0+exp,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
+1.9.0+exp,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
+1.9.0+exp,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file.
+1.9.0+exp,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header.
+1.9.0+exp,true,file,file.elf.imports,flattened,extended,,,List of imported element names and types.
+1.9.0+exp,true,file,file.elf.sections,nested,extended,,,Section information of the ELF file.
+1.9.0+exp,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
+1.9.0+exp,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
+1.9.0+exp,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags.
+1.9.0+exp,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name.
+1.9.0+exp,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
+1.9.0+exp,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
+1.9.0+exp,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type.
+1.9.0+exp,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
+1.9.0+exp,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
+1.9.0+exp,true,file,file.elf.segments,nested,extended,,,ELF object segment list.
+1.9.0+exp,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections.
+1.9.0+exp,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type.
+1.9.0+exp,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object
+1.9.0+exp,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF files
+1.9.0+exp,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
+1.9.0+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
+1.9.0+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file.
+1.9.0+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash.
+1.9.0+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash.
+1.9.0+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash.
+1.9.0+exp,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash.
+1.9.0+exp,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash.
+1.9.0+exp,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
+1.9.0+exp,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
+1.9.0+exp,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation.
+1.9.0+exp,true,file,file.mtime,date,extended,,,Last time the file content was modified.
+1.9.0+exp,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
+1.9.0+exp,true,file,file.owner,keyword,extended,,alice,File owner's username.
+1.9.0+exp,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+1.9.0+exp,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+1.9.0+exp,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.9.0+exp,true,file,file.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
+1.9.0+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.9.0+exp,true,file,file.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
+1.9.0+exp,true,file,file.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
+1.9.0+exp,true,file,file.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
+1.9.0+exp,true,file,file.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
+1.9.0+exp,true,file,file.pe.debug,nested,extended,array,,Debug information
+1.9.0+exp,true,file,file.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
+1.9.0+exp,true,file,file.pe.debug.size,long,extended,,816,Size of the debug information.
+1.9.0+exp,true,file,file.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
+1.9.0+exp,true,file,file.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
+1.9.0+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.9.0+exp,true,file,file.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
+1.9.0+exp,true,file,file.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
+1.9.0+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.9.0+exp,true,file,file.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
+1.9.0+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.9.0+exp,true,file,file.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
+1.9.0+exp,true,file,file.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
+1.9.0+exp,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.9.0+exp,true,file,file.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
+1.9.0+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.9.0+exp,true,file,file.pe.resources,nested,extended,array,,PE resource information
+1.9.0+exp,true,file,file.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
+1.9.0+exp,true,file,file.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
+1.9.0+exp,true,file,file.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
+1.9.0+exp,true,file,file.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
+1.9.0+exp,true,file,file.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
+1.9.0+exp,true,file,file.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
+1.9.0+exp,true,file,file.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
+1.9.0+exp,true,file,file.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
+1.9.0+exp,true,file,file.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
+1.9.0+exp,true,file,file.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
+1.9.0+exp,true,file,file.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
+1.9.0+exp,true,file,file.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
+1.9.0+exp,true,file,file.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
+1.9.0+exp,true,file,file.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
+1.9.0+exp,true,file,file.size,long,extended,,16384,File size in bytes.
+1.9.0+exp,true,file,file.target_path,wildcard,extended,,,Target path for symlinks.
+1.9.0+exp,true,file,file.target_path.text,text,extended,,,Target path for symlinks.
+1.9.0+exp,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
+1.9.0+exp,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
+1.9.0+exp,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+1.9.0+exp,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+1.9.0+exp,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+1.9.0+exp,true,file,file.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.9.0+exp,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+1.9.0+exp,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+1.9.0+exp,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+1.9.0+exp,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.9.0+exp,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+1.9.0+exp,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+1.9.0+exp,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+1.9.0+exp,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+1.9.0+exp,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+1.9.0+exp,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+1.9.0+exp,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+1.9.0+exp,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+1.9.0+exp,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+1.9.0+exp,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code
+1.9.0+exp,true,file,file.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.9.0+exp,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+1.9.0+exp,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+1.9.0+exp,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+1.9.0+exp,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.9.0+exp,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format.
+1.9.0+exp,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0+exp,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0+exp,true,group,group.name,keyword,extended,,,Name of the group.
+1.9.0+exp,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture.
+1.9.0+exp,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1."
+1.9.0+exp,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks.
+1.9.0+exp,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks.
+1.9.0+exp,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of.
+1.9.0+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0+exp,true,host,host.geo.continent_code,keyword,core,,NA,Continent code.
+1.9.0+exp,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.9.0+exp,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.9.0+exp,true,host,host.geo.country_name,keyword,core,,Canada,Country name.
+1.9.0+exp,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.9.0+exp,true,host,host.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.9.0+exp,true,host,host.geo.postal_code,keyword,core,,94040,Postal code.
+1.9.0+exp,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.9.0+exp,true,host,host.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0+exp,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+1.9.0+exp,true,host,host.hostname,wildcard,core,,,Hostname of the host.
+1.9.0+exp,true,host,host.id,keyword,core,,,Unique host id.
+1.9.0+exp,true,host,host.ip,ip,core,array,,Host ip addresses.
+1.9.0+exp,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses.
+1.9.0+exp,true,host,host.name,keyword,core,,,Name of the host.
+1.9.0+exp,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces.
+1.9.0+exp,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces.
+1.9.0+exp,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces.
+1.9.0+exp,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces.
+1.9.0+exp,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+1.9.0+exp,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.9.0+exp,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.9.0+exp,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+1.9.0+exp,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
+1.9.0+exp,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
+1.9.0+exp,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+1.9.0+exp,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
+1.9.0+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+1.9.0+exp,true,host,host.type,keyword,core,,,Type of host.
+1.9.0+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up.
+1.9.0+exp,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.9.0+exp,true,host,host.user.email,wildcard,extended,,,User email address.
+1.9.0+exp,true,host,host.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0+exp,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.9.0+exp,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0+exp,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0+exp,true,host,host.user.group.name,keyword,extended,,,Name of the group.
+1.9.0+exp,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.9.0+exp,true,host,host.user.id,keyword,core,,,Unique identifier of the user.
+1.9.0+exp,true,host,host.user.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0+exp,true,host,host.user.name.text,text,core,,albert,Short name or login of the user.
+1.9.0+exp,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.9.0+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body.
+1.9.0+exp,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body.
+1.9.0+exp,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body.
+1.9.0+exp,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers).
+1.9.0+exp,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID.
+1.9.0+exp,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method.
+1.9.0+exp,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request.
+1.9.0+exp,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request.
+1.9.0+exp,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body.
+1.9.0+exp,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body.
+1.9.0+exp,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body.
+1.9.0+exp,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers).
+1.9.0+exp,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response.
+1.9.0+exp,true,http,http.response.status_code,long,extended,,404,HTTP response status code.
+1.9.0+exp,true,http,http.version,keyword,extended,,1.1,HTTP version.
+1.9.0+exp,true,log,log.file.path,wildcard,extended,,/var/log/fun-times.log,Full path to the log file this event came from.
+1.9.0+exp,true,log,log.level,keyword,core,,error,Log level of the log event.
+1.9.0+exp,true,log,log.logger,wildcard,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger.
+1.9.0+exp,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event.
+1.9.0+exp,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event.
+1.9.0+exp,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event.
+1.9.0+exp,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)."
+1.9.0+exp,true,log,log.syslog,object,extended,,,Syslog metadata
+1.9.0+exp,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event.
+1.9.0+exp,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event.
+1.9.0+exp,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event.
+1.9.0+exp,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event.
+1.9.0+exp,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event.
+1.9.0+exp,true,network,network.application,keyword,extended,,aim,Application level protocol name.
+1.9.0+exp,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions.
+1.9.0+exp,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports.
+1.9.0+exp,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic.
+1.9.0+exp,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy.
+1.9.0+exp,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number.
+1.9.0+exp,true,network,network.inner,object,extended,,,Inner VLAN tag information
+1.9.0+exp,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+1.9.0+exp,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+1.9.0+exp,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network.
+1.9.0+exp,true,network,network.packets,long,core,,24,Total packets transferred in both directions.
+1.9.0+exp,true,network,network.protocol,keyword,core,,http,L7 Network protocol name.
+1.9.0+exp,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`.
+1.9.0+exp,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc"
+1.9.0+exp,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+1.9.0+exp,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+1.9.0+exp,true,observer,observer.egress,object,extended,,,Object field for egress information
+1.9.0+exp,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias
+1.9.0+exp,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID
+1.9.0+exp,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name
+1.9.0+exp,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+1.9.0+exp,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+1.9.0+exp,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone
+1.9.0+exp,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0+exp,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code.
+1.9.0+exp,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.9.0+exp,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.9.0+exp,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name.
+1.9.0+exp,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.9.0+exp,true,observer,observer.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.9.0+exp,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code.
+1.9.0+exp,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.9.0+exp,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0+exp,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+1.9.0+exp,true,observer,observer.hostname,keyword,core,,,Hostname of the observer.
+1.9.0+exp,true,observer,observer.ingress,object,extended,,,Object field for ingress information
+1.9.0+exp,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias
+1.9.0+exp,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID
+1.9.0+exp,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name
+1.9.0+exp,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+1.9.0+exp,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+1.9.0+exp,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone
+1.9.0+exp,true,observer,observer.ip,ip,core,array,,IP addresses of the observer.
+1.9.0+exp,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer.
+1.9.0+exp,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer.
+1.9.0+exp,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+1.9.0+exp,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.9.0+exp,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.9.0+exp,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+1.9.0+exp,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
+1.9.0+exp,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
+1.9.0+exp,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+1.9.0+exp,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
+1.9.0+exp,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+1.9.0+exp,true,observer,observer.product,keyword,extended,,s200,The product name of the observer.
+1.9.0+exp,true,observer,observer.serial_number,keyword,extended,,,Observer serial number.
+1.9.0+exp,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from.
+1.9.0+exp,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer.
+1.9.0+exp,true,observer,observer.version,keyword,core,,,Observer version.
+1.9.0+exp,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization.
+1.9.0+exp,true,organization,organization.name,wildcard,extended,,,Organization name.
+1.9.0+exp,true,organization,organization.name.text,text,extended,,,Organization name.
+1.9.0+exp,true,package,package.architecture,keyword,extended,,x86_64,Package architecture.
+1.9.0+exp,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information
+1.9.0+exp,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification.
+1.9.0+exp,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package.
+1.9.0+exp,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global."
+1.9.0+exp,true,package,package.installed,date,extended,,,Time when package was installed.
+1.9.0+exp,true,package,package.license,keyword,extended,,Apache License 2.0,Package license
+1.9.0+exp,true,package,package.name,keyword,extended,,go,Package name
+1.9.0+exp,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed.
+1.9.0+exp,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL
+1.9.0+exp,true,package,package.size,long,extended,,62231,Package size in bytes.
+1.9.0+exp,true,package,package.type,keyword,extended,,rpm,Package type
+1.9.0+exp,true,package,package.version,keyword,extended,,1.12.9,Package version
+1.9.0+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
+1.9.0+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array.
+1.9.0+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.9.0+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
+1.9.0+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.9.0+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.9.0+exp,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
+1.9.0+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.9.0+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.9.0+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.9.0+exp,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.9.0+exp,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
+1.9.0+exp,true,process,process.elf.byte_order,keyword,extended,,"Little Endian, Big Endian",Byte sequence of ELF file.
+1.9.0+exp,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
+1.9.0+exp,true,process,process.elf.creation_date,date,extended,,,Build or compile date.
+1.9.0+exp,true,process,process.elf.exports,flattened,extended,,,List of exported element names and types.
+1.9.0+exp,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
+1.9.0+exp,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file.
+1.9.0+exp,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header.
+1.9.0+exp,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
+1.9.0+exp,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
+1.9.0+exp,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
+1.9.0+exp,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file.
+1.9.0+exp,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header.
+1.9.0+exp,true,process,process.elf.imports,flattened,extended,,,List of imported element names and types.
+1.9.0+exp,true,process,process.elf.sections,nested,extended,,,Section information of the ELF file.
+1.9.0+exp,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
+1.9.0+exp,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
+1.9.0+exp,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags.
+1.9.0+exp,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name.
+1.9.0+exp,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
+1.9.0+exp,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
+1.9.0+exp,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type.
+1.9.0+exp,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
+1.9.0+exp,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
+1.9.0+exp,true,process,process.elf.segments,nested,extended,,,ELF object segment list.
+1.9.0+exp,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections.
+1.9.0+exp,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type.
+1.9.0+exp,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object
+1.9.0+exp,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF files
+1.9.0+exp,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
+1.9.0+exp,true,process,process.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.9.0+exp,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.9.0+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process.
+1.9.0+exp,true,process,process.hash.md5,keyword,extended,,,MD5 hash.
+1.9.0+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash.
+1.9.0+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash.
+1.9.0+exp,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash.
+1.9.0+exp,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash.
+1.9.0+exp,true,process,process.name,wildcard,extended,,ssh,Process name.
+1.9.0+exp,true,process,process.name.text,text,extended,,ssh,Process name.
+1.9.0+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
+1.9.0+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
+1.9.0+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.9.0+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
+1.9.0+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.9.0+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.9.0+exp,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
+1.9.0+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.9.0+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.9.0+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.9.0+exp,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.9.0+exp,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
+1.9.0+exp,true,process,process.parent.elf.byte_order,keyword,extended,,"Little Endian, Big Endian",Byte sequence of ELF file.
+1.9.0+exp,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
+1.9.0+exp,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date.
+1.9.0+exp,true,process,process.parent.elf.exports,flattened,extended,,,List of exported element names and types.
+1.9.0+exp,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
+1.9.0+exp,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file.
+1.9.0+exp,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header.
+1.9.0+exp,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
+1.9.0+exp,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
+1.9.0+exp,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
+1.9.0+exp,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file.
+1.9.0+exp,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header.
+1.9.0+exp,true,process,process.parent.elf.imports,flattened,extended,,,List of imported element names and types.
+1.9.0+exp,true,process,process.parent.elf.sections,nested,extended,,,Section information of the ELF file.
+1.9.0+exp,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
+1.9.0+exp,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
+1.9.0+exp,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags.
+1.9.0+exp,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name.
+1.9.0+exp,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
+1.9.0+exp,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
+1.9.0+exp,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type.
+1.9.0+exp,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
+1.9.0+exp,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
+1.9.0+exp,true,process,process.parent.elf.segments,nested,extended,,,ELF object segment list.
+1.9.0+exp,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections.
+1.9.0+exp,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type.
+1.9.0+exp,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object
+1.9.0+exp,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF files
+1.9.0+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
+1.9.0+exp,true,process,process.parent.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.9.0+exp,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.9.0+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process.
+1.9.0+exp,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash.
+1.9.0+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash.
+1.9.0+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash.
+1.9.0+exp,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash.
+1.9.0+exp,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash.
+1.9.0+exp,true,process,process.parent.name,wildcard,extended,,ssh,Process name.
+1.9.0+exp,true,process,process.parent.name.text,text,extended,,ssh,Process name.
+1.9.0+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.9.0+exp,true,process,process.parent.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
+1.9.0+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.9.0+exp,true,process,process.parent.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
+1.9.0+exp,true,process,process.parent.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
+1.9.0+exp,true,process,process.parent.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
+1.9.0+exp,true,process,process.parent.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
+1.9.0+exp,true,process,process.parent.pe.debug,nested,extended,array,,Debug information
+1.9.0+exp,true,process,process.parent.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
+1.9.0+exp,true,process,process.parent.pe.debug.size,long,extended,,816,Size of the debug information.
+1.9.0+exp,true,process,process.parent.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
+1.9.0+exp,true,process,process.parent.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
+1.9.0+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.9.0+exp,true,process,process.parent.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
+1.9.0+exp,true,process,process.parent.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
+1.9.0+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.9.0+exp,true,process,process.parent.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
+1.9.0+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.9.0+exp,true,process,process.parent.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
+1.9.0+exp,true,process,process.parent.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
+1.9.0+exp,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.9.0+exp,true,process,process.parent.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
+1.9.0+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.9.0+exp,true,process,process.parent.pe.resources,nested,extended,array,,PE resource information
+1.9.0+exp,true,process,process.parent.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
+1.9.0+exp,true,process,process.parent.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
+1.9.0+exp,true,process,process.parent.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
+1.9.0+exp,true,process,process.parent.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
+1.9.0+exp,true,process,process.parent.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
+1.9.0+exp,true,process,process.parent.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
+1.9.0+exp,true,process,process.parent.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
+1.9.0+exp,true,process,process.parent.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
+1.9.0+exp,true,process,process.parent.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
+1.9.0+exp,true,process,process.parent.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
+1.9.0+exp,true,process,process.parent.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
+1.9.0+exp,true,process,process.parent.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
+1.9.0+exp,true,process,process.parent.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
+1.9.0+exp,true,process,process.parent.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
+1.9.0+exp,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
+1.9.0+exp,true,process,process.parent.pid,long,core,,4242,Process id.
+1.9.0+exp,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid.
+1.9.0+exp,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
+1.9.0+exp,true,process,process.parent.thread.id,long,extended,,4242,Thread ID.
+1.9.0+exp,true,process,process.parent.thread.name,wildcard,extended,,thread-0,Thread name.
+1.9.0+exp,true,process,process.parent.title,wildcard,extended,,,Process title.
+1.9.0+exp,true,process,process.parent.title.text,text,extended,,,Process title.
+1.9.0+exp,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up.
+1.9.0+exp,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process.
+1.9.0+exp,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process.
+1.9.0+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.9.0+exp,true,process,process.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
+1.9.0+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.9.0+exp,true,process,process.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
+1.9.0+exp,true,process,process.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
+1.9.0+exp,true,process,process.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
+1.9.0+exp,true,process,process.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
+1.9.0+exp,true,process,process.pe.debug,nested,extended,array,,Debug information
+1.9.0+exp,true,process,process.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
+1.9.0+exp,true,process,process.pe.debug.size,long,extended,,816,Size of the debug information.
+1.9.0+exp,true,process,process.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
+1.9.0+exp,true,process,process.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
+1.9.0+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.9.0+exp,true,process,process.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
+1.9.0+exp,true,process,process.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
+1.9.0+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.9.0+exp,true,process,process.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
+1.9.0+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.9.0+exp,true,process,process.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
+1.9.0+exp,true,process,process.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
+1.9.0+exp,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.9.0+exp,true,process,process.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
+1.9.0+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.9.0+exp,true,process,process.pe.resources,nested,extended,array,,PE resource information
+1.9.0+exp,true,process,process.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
+1.9.0+exp,true,process,process.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
+1.9.0+exp,true,process,process.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
+1.9.0+exp,true,process,process.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
+1.9.0+exp,true,process,process.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
+1.9.0+exp,true,process,process.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
+1.9.0+exp,true,process,process.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
+1.9.0+exp,true,process,process.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
+1.9.0+exp,true,process,process.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
+1.9.0+exp,true,process,process.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
+1.9.0+exp,true,process,process.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
+1.9.0+exp,true,process,process.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
+1.9.0+exp,true,process,process.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
+1.9.0+exp,true,process,process.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
+1.9.0+exp,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
+1.9.0+exp,true,process,process.pid,long,core,,4242,Process id.
+1.9.0+exp,true,process,process.ppid,long,extended,,4241,Parent process' pid.
+1.9.0+exp,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
+1.9.0+exp,true,process,process.thread.id,long,extended,,4242,Thread ID.
+1.9.0+exp,true,process,process.thread.name,wildcard,extended,,thread-0,Thread name.
+1.9.0+exp,true,process,process.title,wildcard,extended,,,Process title.
+1.9.0+exp,true,process,process.title.text,text,extended,,,Process title.
+1.9.0+exp,true,process,process.uptime,long,extended,,1325,Seconds the process has been up.
+1.9.0+exp,true,process,process.working_directory,wildcard,extended,,/home/alice,The working directory of the process.
+1.9.0+exp,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process.
+1.9.0+exp,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
+1.9.0+exp,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
+1.9.0+exp,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
+1.9.0+exp,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
+1.9.0+exp,true,registry,registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
+1.9.0+exp,true,registry,registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
+1.9.0+exp,true,registry,registry.value,keyword,core,,Debugger,Name of the value written.
+1.9.0+exp,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event.
+1.9.0+exp,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event.
+1.9.0+exp,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event.
+1.9.0+exp,true,related,related.user,keyword,extended,array,,All the user names seen on your event.
+1.9.0+exp,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author
+1.9.0+exp,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category
+1.9.0+exp,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description
+1.9.0+exp,true,rule,rule.id,keyword,extended,,101,Rule ID
+1.9.0+exp,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license
+1.9.0+exp,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name
+1.9.0+exp,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL
+1.9.0+exp,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset
+1.9.0+exp,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID
+1.9.0+exp,true,rule,rule.version,keyword,extended,,1.1,Rule version
+1.9.0+exp,true,server,server.address,keyword,extended,,,Server network address.
+1.9.0+exp,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.9.0+exp,true,server,server.as.organization.name,wildcard,extended,,Google LLC,Organization name.
+1.9.0+exp,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.9.0+exp,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client.
+1.9.0+exp,true,server,server.domain,wildcard,core,,,Server domain.
+1.9.0+exp,true,server,server.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0+exp,true,server,server.geo.continent_code,keyword,core,,NA,Continent code.
+1.9.0+exp,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.9.0+exp,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.9.0+exp,true,server,server.geo.country_name,keyword,core,,Canada,Country name.
+1.9.0+exp,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.9.0+exp,true,server,server.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.9.0+exp,true,server,server.geo.postal_code,keyword,core,,94040,Postal code.
+1.9.0+exp,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.9.0+exp,true,server,server.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0+exp,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+1.9.0+exp,true,server,server.ip,ip,core,,,IP address of the server.
+1.9.0+exp,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server.
+1.9.0+exp,true,server,server.nat.ip,ip,extended,,,Server NAT ip
+1.9.0+exp,true,server,server.nat.port,long,extended,,,Server NAT port
+1.9.0+exp,true,server,server.packets,long,core,,12,Packets sent from the server to the client.
+1.9.0+exp,true,server,server.port,long,core,,,Port of the server.
+1.9.0+exp,true,server,server.registered_domain,wildcard,extended,,example.com,"The highest registered server domain, stripped of the subdomain."
+1.9.0+exp,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.9.0+exp,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.9.0+exp,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.9.0+exp,true,server,server.user.email,wildcard,extended,,,User email address.
+1.9.0+exp,true,server,server.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0+exp,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.9.0+exp,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0+exp,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0+exp,true,server,server.user.group.name,keyword,extended,,,Name of the group.
+1.9.0+exp,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.9.0+exp,true,server,server.user.id,keyword,core,,,Unique identifier of the user.
+1.9.0+exp,true,server,server.user.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0+exp,true,server,server.user.name.text,text,core,,albert,Short name or login of the user.
+1.9.0+exp,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.9.0+exp,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
+1.9.0+exp,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
+1.9.0+exp,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service.
+1.9.0+exp,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node.
+1.9.0+exp,true,service,service.state,keyword,core,,,Current state of the service.
+1.9.0+exp,true,service,service.type,keyword,core,,elasticsearch,The type of the service.
+1.9.0+exp,true,service,service.version,keyword,core,,3.2.4,Version of the service.
+1.9.0+exp,true,source,source.address,keyword,extended,,,Source network address.
+1.9.0+exp,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.9.0+exp,true,source,source.as.organization.name,wildcard,extended,,Google LLC,Organization name.
+1.9.0+exp,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.9.0+exp,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination.
+1.9.0+exp,true,source,source.domain,wildcard,core,,,Source domain.
+1.9.0+exp,true,source,source.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0+exp,true,source,source.geo.continent_code,keyword,core,,NA,Continent code.
+1.9.0+exp,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.9.0+exp,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.9.0+exp,true,source,source.geo.country_name,keyword,core,,Canada,Country name.
+1.9.0+exp,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.9.0+exp,true,source,source.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.9.0+exp,true,source,source.geo.postal_code,keyword,core,,94040,Postal code.
+1.9.0+exp,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.9.0+exp,true,source,source.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0+exp,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+1.9.0+exp,true,source,source.ip,ip,core,,,IP address of the source.
+1.9.0+exp,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source.
+1.9.0+exp,true,source,source.nat.ip,ip,extended,,,Source NAT ip
+1.9.0+exp,true,source,source.nat.port,long,extended,,,Source NAT port
+1.9.0+exp,true,source,source.packets,long,core,,12,Packets sent from the source to the destination.
+1.9.0+exp,true,source,source.port,long,core,,,Port of the source.
+1.9.0+exp,true,source,source.registered_domain,wildcard,extended,,example.com,"The highest registered source domain, stripped of the subdomain."
+1.9.0+exp,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.9.0+exp,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.9.0+exp,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.9.0+exp,true,source,source.user.email,wildcard,extended,,,User email address.
+1.9.0+exp,true,source,source.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0+exp,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.9.0+exp,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0+exp,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0+exp,true,source,source.user.group.name,keyword,extended,,,Name of the group.
+1.9.0+exp,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.9.0+exp,true,source,source.user.id,keyword,core,,,Unique identifier of the user.
+1.9.0+exp,true,source,source.user.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0+exp,true,source,source.user.name.text,text,core,,albert,Short name or login of the user.
+1.9.0+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.9.0+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace.
+1.9.0+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework.
+1.9.0+exp,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.9.0+exp,true,threat,threat.indicator.as.organization.name,wildcard,extended,,Google LLC,Organization name.
+1.9.0+exp,true,threat,threat.indicator.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.9.0+exp,true,threat,threat.indicator.confidence,keyword,extended,,High,Indicator confidence rating
+1.9.0+exp,true,threat,threat.indicator.dataset,keyword,extended,,threatintel.abusemalware,Indicator dataset
+1.9.0+exp,true,threat,threat.indicator.description,wildcard,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description
+1.9.0+exp,true,threat,threat.indicator.domain,keyword,extended,,example.com,Indicator domain name
+1.9.0+exp,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address
+1.9.0+exp,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed.
+1.9.0+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
+1.9.0+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.9.0+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
+1.9.0+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.9.0+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.9.0+exp,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
+1.9.0+exp,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.9.0+exp,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.9.0+exp,true,threat,threat.indicator.file.created,date,extended,,,File creation time.
+1.9.0+exp,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed.
+1.9.0+exp,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file.
+1.9.0+exp,true,threat,threat.indicator.file.directory,wildcard,extended,,/home/alice,Directory where the file is located.
+1.9.0+exp,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
+1.9.0+exp,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
+1.9.0+exp,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
+1.9.0+exp,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file.
+1.9.0+exp,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
+1.9.0+exp,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
+1.9.0+exp,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation.
+1.9.0+exp,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified.
+1.9.0+exp,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
+1.9.0+exp,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username.
+1.9.0+exp,true,threat,threat.indicator.file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+1.9.0+exp,true,threat,threat.indicator.file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+1.9.0+exp,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes.
+1.9.0+exp,true,threat,threat.indicator.file.target_path,wildcard,extended,,,Target path for symlinks.
+1.9.0+exp,true,threat,threat.indicator.file.target_path.text,text,extended,,,Target path for symlinks.
+1.9.0+exp,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
+1.9.0+exp,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
+1.9.0+exp,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported.
+1.9.0+exp,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0+exp,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code.
+1.9.0+exp,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.9.0+exp,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.9.0+exp,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name.
+1.9.0+exp,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.9.0+exp,true,threat,threat.indicator.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.9.0+exp,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code.
+1.9.0+exp,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.9.0+exp,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0+exp,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+1.9.0+exp,true,threat,threat.indicator.hash.md5,keyword,extended,,,MD5 hash.
+1.9.0+exp,true,threat,threat.indicator.hash.sha1,keyword,extended,,,SHA1 hash.
+1.9.0+exp,true,threat,threat.indicator.hash.sha256,keyword,extended,,,SHA256 hash.
+1.9.0+exp,true,threat,threat.indicator.hash.sha512,keyword,extended,,,SHA512 hash.
+1.9.0+exp,true,threat,threat.indicator.hash.ssdeep,keyword,extended,,,SSDEEP hash.
+1.9.0+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address
+1.9.0+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported.
+1.9.0+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,White,Indicator TLP marking
+1.9.0+exp,true,threat,threat.indicator.matched.atomic,keyword,extended,,example.com,Indicator atomic match
+1.9.0+exp,true,threat,threat.indicator.matched.field,keyword,extended,,file.hash.sha256,Indicator field match
+1.9.0+exp,true,threat,threat.indicator.matched.type,keyword,extended,,domain-name,Indicator type match
+1.9.0+exp,true,threat,threat.indicator.module,keyword,extended,,threatintel,Indicator module
+1.9.0+exp,true,threat,threat.indicator.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.9.0+exp,true,threat,threat.indicator.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
+1.9.0+exp,true,threat,threat.indicator.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.9.0+exp,true,threat,threat.indicator.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
+1.9.0+exp,true,threat,threat.indicator.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
+1.9.0+exp,true,threat,threat.indicator.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
+1.9.0+exp,true,threat,threat.indicator.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
+1.9.0+exp,true,threat,threat.indicator.pe.debug,nested,extended,array,,Debug information
+1.9.0+exp,true,threat,threat.indicator.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
+1.9.0+exp,true,threat,threat.indicator.pe.debug.size,long,extended,,816,Size of the debug information.
+1.9.0+exp,true,threat,threat.indicator.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
+1.9.0+exp,true,threat,threat.indicator.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
+1.9.0+exp,true,threat,threat.indicator.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.9.0+exp,true,threat,threat.indicator.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
+1.9.0+exp,true,threat,threat.indicator.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
+1.9.0+exp,true,threat,threat.indicator.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.9.0+exp,true,threat,threat.indicator.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
+1.9.0+exp,true,threat,threat.indicator.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.9.0+exp,true,threat,threat.indicator.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
+1.9.0+exp,true,threat,threat.indicator.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
+1.9.0+exp,true,threat,threat.indicator.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.9.0+exp,true,threat,threat.indicator.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
+1.9.0+exp,true,threat,threat.indicator.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.9.0+exp,true,threat,threat.indicator.pe.resources,nested,extended,array,,PE resource information
+1.9.0+exp,true,threat,threat.indicator.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
+1.9.0+exp,true,threat,threat.indicator.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
+1.9.0+exp,true,threat,threat.indicator.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
+1.9.0+exp,true,threat,threat.indicator.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
+1.9.0+exp,true,threat,threat.indicator.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
+1.9.0+exp,true,threat,threat.indicator.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
+1.9.0+exp,true,threat,threat.indicator.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
+1.9.0+exp,true,threat,threat.indicator.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
+1.9.0+exp,true,threat,threat.indicator.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
+1.9.0+exp,true,threat,threat.indicator.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
+1.9.0+exp,true,threat,threat.indicator.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
+1.9.0+exp,true,threat,threat.indicator.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
+1.9.0+exp,true,threat,threat.indicator.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
+1.9.0+exp,true,threat,threat.indicator.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
+1.9.0+exp,true,threat,threat.indicator.port,long,extended,,443,Indicator port
+1.9.0+exp,true,threat,threat.indicator.provider,keyword,extended,,VirusTotal,Identifies the name of the intelligence provider.
+1.9.0+exp,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
+1.9.0+exp,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
+1.9.0+exp,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
+1.9.0+exp,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
+1.9.0+exp,true,threat,threat.indicator.registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
+1.9.0+exp,true,threat,threat.indicator.registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
+1.9.0+exp,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written.
+1.9.0+exp,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics
+1.9.0+exp,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed
+1.9.0+exp,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator
+1.9.0+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id.
+1.9.0+exp,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic.
+1.9.0+exp,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference.
+1.9.0+exp,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id.
+1.9.0+exp,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name.
+1.9.0+exp,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name.
+1.9.0+exp,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference.
+1.9.0+exp,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id.
+1.9.0+exp,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name.
+1.9.0+exp,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name.
+1.9.0+exp,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference.
+1.9.0+exp,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection.
+1.9.0+exp,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client.
+1.9.0+exp,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client.
+1.9.0+exp,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client.
+1.9.0+exp,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client.
+1.9.0+exp,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client.
+1.9.0+exp,true,tls,tls.client.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
+1.9.0+exp,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake.
+1.9.0+exp,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid.
+1.9.0+exp,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid.
+1.9.0+exp,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI.
+1.9.0+exp,true,tls,tls.client.subject,wildcard,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client.
+1.9.0+exp,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello.
+1.9.0+exp,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+1.9.0+exp,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+1.9.0+exp,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+1.9.0+exp,true,tls,tls.client.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.9.0+exp,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+1.9.0+exp,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+1.9.0+exp,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+1.9.0+exp,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.9.0+exp,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+1.9.0+exp,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+1.9.0+exp,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+1.9.0+exp,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+1.9.0+exp,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+1.9.0+exp,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+1.9.0+exp,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+1.9.0+exp,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+1.9.0+exp,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+1.9.0+exp,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code
+1.9.0+exp,true,tls,tls.client.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.9.0+exp,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+1.9.0+exp,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+1.9.0+exp,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+1.9.0+exp,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.9.0+exp,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format.
+1.9.0+exp,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable."
+1.9.0+exp,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
+1.9.0+exp,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled.
+1.9.0+exp,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
+1.9.0+exp,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server.
+1.9.0+exp,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server.
+1.9.0+exp,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server.
+1.9.0+exp,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server.
+1.9.0+exp,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server.
+1.9.0+exp,true,tls,tls.server.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server.
+1.9.0+exp,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake.
+1.9.0+exp,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid.
+1.9.0+exp,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid.
+1.9.0+exp,true,tls,tls.server.subject,wildcard,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server.
+1.9.0+exp,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+1.9.0+exp,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+1.9.0+exp,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+1.9.0+exp,true,tls,tls.server.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.9.0+exp,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+1.9.0+exp,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+1.9.0+exp,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+1.9.0+exp,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.9.0+exp,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+1.9.0+exp,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+1.9.0+exp,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+1.9.0+exp,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+1.9.0+exp,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+1.9.0+exp,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+1.9.0+exp,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+1.9.0+exp,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+1.9.0+exp,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+1.9.0+exp,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code
+1.9.0+exp,true,tls,tls.server.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.9.0+exp,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+1.9.0+exp,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+1.9.0+exp,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+1.9.0+exp,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.9.0+exp,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format.
+1.9.0+exp,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string.
+1.9.0+exp,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string.
+1.9.0+exp,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace.
+1.9.0+exp,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace.
+1.9.0+exp,true,url,url.domain,wildcard,extended,,www.elastic.co,Domain of the url.
+1.9.0+exp,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
+1.9.0+exp,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`.
+1.9.0+exp,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+1.9.0+exp,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+1.9.0+exp,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+1.9.0+exp,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+1.9.0+exp,true,url,url.password,keyword,extended,,,Password of the request.
+1.9.0+exp,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
+1.9.0+exp,true,url,url.port,long,extended,,443,"Port of the request, such as 443."
+1.9.0+exp,true,url,url.query,keyword,extended,,,Query string of the request.
+1.9.0+exp,true,url,url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
+1.9.0+exp,true,url,url.scheme,keyword,extended,,https,Scheme of the url.
+1.9.0+exp,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.9.0+exp,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.9.0+exp,true,url,url.username,keyword,extended,,,Username of the request.
+1.9.0+exp,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.9.0+exp,true,user,user.changes.email,wildcard,extended,,,User email address.
+1.9.0+exp,true,user,user.changes.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0+exp,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.9.0+exp,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0+exp,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0+exp,true,user,user.changes.group.name,keyword,extended,,,Name of the group.
+1.9.0+exp,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.9.0+exp,true,user,user.changes.id,keyword,core,,,Unique identifier of the user.
+1.9.0+exp,true,user,user.changes.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0+exp,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user.
+1.9.0+exp,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.9.0+exp,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.9.0+exp,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.9.0+exp,true,user,user.effective.email,wildcard,extended,,,User email address.
+1.9.0+exp,true,user,user.effective.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0+exp,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.9.0+exp,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0+exp,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0+exp,true,user,user.effective.group.name,keyword,extended,,,Name of the group.
+1.9.0+exp,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.9.0+exp,true,user,user.effective.id,keyword,core,,,Unique identifier of the user.
+1.9.0+exp,true,user,user.effective.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0+exp,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user.
+1.9.0+exp,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.9.0+exp,true,user,user.email,wildcard,extended,,,User email address.
+1.9.0+exp,true,user,user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0+exp,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.9.0+exp,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0+exp,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0+exp,true,user,user.group.name,keyword,extended,,,Name of the group.
+1.9.0+exp,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.9.0+exp,true,user,user.id,keyword,core,,,Unique identifier of the user.
+1.9.0+exp,true,user,user.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0+exp,true,user,user.name.text,text,core,,albert,Short name or login of the user.
+1.9.0+exp,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.9.0+exp,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.9.0+exp,true,user,user.target.email,wildcard,extended,,,User email address.
+1.9.0+exp,true,user,user.target.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0+exp,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.9.0+exp,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0+exp,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0+exp,true,user,user.target.group.name,keyword,extended,,,Name of the group.
+1.9.0+exp,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.9.0+exp,true,user,user.target.id,keyword,core,,,Unique identifier of the user.
+1.9.0+exp,true,user,user.target.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0+exp,true,user,user.target.name.text,text,core,,albert,Short name or login of the user.
+1.9.0+exp,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.9.0+exp,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device.
+1.9.0+exp,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
+1.9.0+exp,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
+1.9.0+exp,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
+1.9.0+exp,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+1.9.0+exp,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.9.0+exp,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.9.0+exp,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+1.9.0+exp,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
+1.9.0+exp,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
+1.9.0+exp,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+1.9.0+exp,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
+1.9.0+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+1.9.0+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent.
+1.9.0+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability.
+1.9.0+exp,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability.
+1.9.0+exp,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
+1.9.0+exp,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
+1.9.0+exp,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability.
+1.9.0+exp,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability.
+1.9.0+exp,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability.
+1.9.0+exp,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number.
+1.9.0+exp,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor.
+1.9.0+exp,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score.
+1.9.0+exp,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score.
+1.9.0+exp,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score.
+1.9.0+exp,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version.
+1.9.0+exp,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability.
diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json
index ccc3dda09f..cfc5da9ee4 100644
--- a/experimental/generated/elasticsearch/7/template.json
+++ b/experimental/generated/elasticsearch/7/template.json
@@ -4,7 +4,7 @@
   ],
   "mappings": {
     "_meta": {
-      "version": "1.9.0-dev+exp"
+      "version": "1.9.0+exp"
     },
     "date_detection": false,
     "dynamic_templates": [
diff --git a/experimental/generated/elasticsearch/component/agent.json b/experimental/generated/elasticsearch/component/agent.json
index 2ee628913a..f87d76bed3 100644
--- a/experimental/generated/elasticsearch/component/agent.json
+++ b/experimental/generated/elasticsearch/component/agent.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html",
-    "ecs_version": "1.9.0-dev+exp"
+    "ecs_version": "1.9.0+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/base.json b/experimental/generated/elasticsearch/component/base.json
index d02df1ef01..b7db5868a2 100644
--- a/experimental/generated/elasticsearch/component/base.json
+++ b/experimental/generated/elasticsearch/component/base.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
-    "ecs_version": "1.9.0-dev+exp"
+    "ecs_version": "1.9.0+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/client.json b/experimental/generated/elasticsearch/component/client.json
index df7ef337a3..eabfd25f03 100644
--- a/experimental/generated/elasticsearch/component/client.json
+++ b/experimental/generated/elasticsearch/component/client.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html",
-    "ecs_version": "1.9.0-dev+exp"
+    "ecs_version": "1.9.0+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/cloud.json b/experimental/generated/elasticsearch/component/cloud.json
index b33d205acc..c3326cf516 100644
--- a/experimental/generated/elasticsearch/component/cloud.json
+++ b/experimental/generated/elasticsearch/component/cloud.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html",
-    "ecs_version": "1.9.0-dev+exp"
+    "ecs_version": "1.9.0+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/container.json b/experimental/generated/elasticsearch/component/container.json
index f8c4f440af..ebbcd24b84 100644
--- a/experimental/generated/elasticsearch/component/container.json
+++ b/experimental/generated/elasticsearch/component/container.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-container.html",
-    "ecs_version": "1.9.0-dev+exp"
+    "ecs_version": "1.9.0+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/data_stream.json b/experimental/generated/elasticsearch/component/data_stream.json
index 3d4d93c586..6246f66460 100644
--- a/experimental/generated/elasticsearch/component/data_stream.json
+++ b/experimental/generated/elasticsearch/component/data_stream.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-data_stream.html",
-    "ecs_version": "1.9.0-dev+exp"
+    "ecs_version": "1.9.0+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/destination.json b/experimental/generated/elasticsearch/component/destination.json
index cff46d3ea5..7714d496cc 100644
--- a/experimental/generated/elasticsearch/component/destination.json
+++ b/experimental/generated/elasticsearch/component/destination.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html",
-    "ecs_version": "1.9.0-dev+exp"
+    "ecs_version": "1.9.0+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/dll.json b/experimental/generated/elasticsearch/component/dll.json
index 73857865a8..56ca839a3b 100644
--- a/experimental/generated/elasticsearch/component/dll.json
+++ b/experimental/generated/elasticsearch/component/dll.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dll.html",
-    "ecs_version": "1.9.0-dev+exp"
+    "ecs_version": "1.9.0+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/dns.json b/experimental/generated/elasticsearch/component/dns.json
index 4b1544f730..5764ea298f 100644
--- a/experimental/generated/elasticsearch/component/dns.json
+++ b/experimental/generated/elasticsearch/component/dns.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html",
-    "ecs_version": "1.9.0-dev+exp"
+    "ecs_version": "1.9.0+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/ecs.json b/experimental/generated/elasticsearch/component/ecs.json
index 201b6c8afa..fe581bdda8 100644
--- a/experimental/generated/elasticsearch/component/ecs.json
+++ b/experimental/generated/elasticsearch/component/ecs.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html",
-    "ecs_version": "1.9.0-dev+exp"
+    "ecs_version": "1.9.0+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/error.json b/experimental/generated/elasticsearch/component/error.json
index 1a78f012f5..d1735bad21 100644
--- a/experimental/generated/elasticsearch/component/error.json
+++ b/experimental/generated/elasticsearch/component/error.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-error.html",
-    "ecs_version": "1.9.0-dev+exp"
+    "ecs_version": "1.9.0+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/event.json b/experimental/generated/elasticsearch/component/event.json
index 023b3609e4..d383de0f1c 100644
--- a/experimental/generated/elasticsearch/component/event.json
+++ b/experimental/generated/elasticsearch/component/event.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html",
-    "ecs_version": "1.9.0-dev+exp"
+    "ecs_version": "1.9.0+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/file.json b/experimental/generated/elasticsearch/component/file.json
index d829ebfd29..ec1a41db7d 100644
--- a/experimental/generated/elasticsearch/component/file.json
+++ b/experimental/generated/elasticsearch/component/file.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html",
-    "ecs_version": "1.9.0-dev+exp"
+    "ecs_version": "1.9.0+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/group.json b/experimental/generated/elasticsearch/component/group.json
index af27bad40e..6160bfd2c7 100644
--- a/experimental/generated/elasticsearch/component/group.json
+++ b/experimental/generated/elasticsearch/component/group.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-group.html",
-    "ecs_version": "1.9.0-dev+exp"
+    "ecs_version": "1.9.0+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/host.json b/experimental/generated/elasticsearch/component/host.json
index 2d503d0b39..ec54426c07 100644
--- a/experimental/generated/elasticsearch/component/host.json
+++ b/experimental/generated/elasticsearch/component/host.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html",
-    "ecs_version": "1.9.0-dev+exp"
+    "ecs_version": "1.9.0+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/http.json b/experimental/generated/elasticsearch/component/http.json
index 3b79b53c86..3e21dbe1d9 100644
--- a/experimental/generated/elasticsearch/component/http.json
+++ b/experimental/generated/elasticsearch/component/http.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html",
-    "ecs_version": "1.9.0-dev+exp"
+    "ecs_version": "1.9.0+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/log.json b/experimental/generated/elasticsearch/component/log.json
index 0781701d8e..053a430d6e 100644
--- a/experimental/generated/elasticsearch/component/log.json
+++ b/experimental/generated/elasticsearch/component/log.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html",
-    "ecs_version": "1.9.0-dev+exp"
+    "ecs_version": "1.9.0+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/network.json b/experimental/generated/elasticsearch/component/network.json
index e77b7b3980..816e0b595e 100644
--- a/experimental/generated/elasticsearch/component/network.json
+++ b/experimental/generated/elasticsearch/component/network.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html",
-    "ecs_version": "1.9.0-dev+exp"
+    "ecs_version": "1.9.0+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/observer.json b/experimental/generated/elasticsearch/component/observer.json
index 6a36b4bbaf..494b2c54ef 100644
--- a/experimental/generated/elasticsearch/component/observer.json
+++ b/experimental/generated/elasticsearch/component/observer.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html",
-    "ecs_version": "1.9.0-dev+exp"
+    "ecs_version": "1.9.0+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/organization.json b/experimental/generated/elasticsearch/component/organization.json
index 00a4d1a501..311ea5f8a8 100644
--- a/experimental/generated/elasticsearch/component/organization.json
+++ b/experimental/generated/elasticsearch/component/organization.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-organization.html",
-    "ecs_version": "1.9.0-dev+exp"
+    "ecs_version": "1.9.0+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/package.json b/experimental/generated/elasticsearch/component/package.json
index 12913eecc9..06e7cd054e 100644
--- a/experimental/generated/elasticsearch/component/package.json
+++ b/experimental/generated/elasticsearch/component/package.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-package.html",
-    "ecs_version": "1.9.0-dev+exp"
+    "ecs_version": "1.9.0+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/process.json b/experimental/generated/elasticsearch/component/process.json
index 75adf5c85c..f363d85f62 100644
--- a/experimental/generated/elasticsearch/component/process.json
+++ b/experimental/generated/elasticsearch/component/process.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html",
-    "ecs_version": "1.9.0-dev+exp"
+    "ecs_version": "1.9.0+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/registry.json b/experimental/generated/elasticsearch/component/registry.json
index 1eb688adec..003245e99d 100644
--- a/experimental/generated/elasticsearch/component/registry.json
+++ b/experimental/generated/elasticsearch/component/registry.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-registry.html",
-    "ecs_version": "1.9.0-dev+exp"
+    "ecs_version": "1.9.0+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/related.json b/experimental/generated/elasticsearch/component/related.json
index 498b911430..435476ee0d 100644
--- a/experimental/generated/elasticsearch/component/related.json
+++ b/experimental/generated/elasticsearch/component/related.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html",
-    "ecs_version": "1.9.0-dev+exp"
+    "ecs_version": "1.9.0+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/rule.json b/experimental/generated/elasticsearch/component/rule.json
index c93278e7cd..8a79310bab 100644
--- a/experimental/generated/elasticsearch/component/rule.json
+++ b/experimental/generated/elasticsearch/component/rule.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html",
-    "ecs_version": "1.9.0-dev+exp"
+    "ecs_version": "1.9.0+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/server.json b/experimental/generated/elasticsearch/component/server.json
index 6bb1f55c3c..536c1482c7 100644
--- a/experimental/generated/elasticsearch/component/server.json
+++ b/experimental/generated/elasticsearch/component/server.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html",
-    "ecs_version": "1.9.0-dev+exp"
+    "ecs_version": "1.9.0+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/service.json b/experimental/generated/elasticsearch/component/service.json
index e4567b3636..9f6077274c 100644
--- a/experimental/generated/elasticsearch/component/service.json
+++ b/experimental/generated/elasticsearch/component/service.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html",
-    "ecs_version": "1.9.0-dev+exp"
+    "ecs_version": "1.9.0+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/source.json b/experimental/generated/elasticsearch/component/source.json
index 9832312beb..90734dc2dd 100644
--- a/experimental/generated/elasticsearch/component/source.json
+++ b/experimental/generated/elasticsearch/component/source.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html",
-    "ecs_version": "1.9.0-dev+exp"
+    "ecs_version": "1.9.0+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/threat.json b/experimental/generated/elasticsearch/component/threat.json
index 6c55f638e4..6b0c247094 100644
--- a/experimental/generated/elasticsearch/component/threat.json
+++ b/experimental/generated/elasticsearch/component/threat.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-threat.html",
-    "ecs_version": "1.9.0-dev+exp"
+    "ecs_version": "1.9.0+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/tls.json b/experimental/generated/elasticsearch/component/tls.json
index 340e30449a..a75258a276 100644
--- a/experimental/generated/elasticsearch/component/tls.json
+++ b/experimental/generated/elasticsearch/component/tls.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tls.html",
-    "ecs_version": "1.9.0-dev+exp"
+    "ecs_version": "1.9.0+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/tracing.json b/experimental/generated/elasticsearch/component/tracing.json
index 8efefe3463..395dba51dc 100644
--- a/experimental/generated/elasticsearch/component/tracing.json
+++ b/experimental/generated/elasticsearch/component/tracing.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html",
-    "ecs_version": "1.9.0-dev+exp"
+    "ecs_version": "1.9.0+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/url.json b/experimental/generated/elasticsearch/component/url.json
index 29f8ee9338..71aa660c06 100644
--- a/experimental/generated/elasticsearch/component/url.json
+++ b/experimental/generated/elasticsearch/component/url.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html",
-    "ecs_version": "1.9.0-dev+exp"
+    "ecs_version": "1.9.0+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/user.json b/experimental/generated/elasticsearch/component/user.json
index 85fa6d4f9e..299d65a4a2 100644
--- a/experimental/generated/elasticsearch/component/user.json
+++ b/experimental/generated/elasticsearch/component/user.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html",
-    "ecs_version": "1.9.0-dev+exp"
+    "ecs_version": "1.9.0+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/user_agent.json b/experimental/generated/elasticsearch/component/user_agent.json
index a336ce44ed..545014aca1 100644
--- a/experimental/generated/elasticsearch/component/user_agent.json
+++ b/experimental/generated/elasticsearch/component/user_agent.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html",
-    "ecs_version": "1.9.0-dev+exp"
+    "ecs_version": "1.9.0+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/component/vulnerability.json b/experimental/generated/elasticsearch/component/vulnerability.json
index a287339ab1..caa5d2c1a9 100644
--- a/experimental/generated/elasticsearch/component/vulnerability.json
+++ b/experimental/generated/elasticsearch/component/vulnerability.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html",
-    "ecs_version": "1.9.0-dev+exp"
+    "ecs_version": "1.9.0+exp"
   },
   "template": {
     "mappings": {
diff --git a/experimental/generated/elasticsearch/template.json b/experimental/generated/elasticsearch/template.json
index f81f6b49dc..5a6f86943c 100644
--- a/experimental/generated/elasticsearch/template.json
+++ b/experimental/generated/elasticsearch/template.json
@@ -1,44 +1,44 @@
 {
   "_meta": {
     "description": "Sample composable template that includes all ECS fields",
-    "ecs_version": "1.9.0-dev+exp"
+    "ecs_version": "1.9.0+exp"
   },
   "composed_of": [
-    "ecs_1.9.0-dev-exp_agent",
-    "ecs_1.9.0-dev-exp_base",
-    "ecs_1.9.0-dev-exp_client",
-    "ecs_1.9.0-dev-exp_cloud",
-    "ecs_1.9.0-dev-exp_container",
-    "ecs_1.9.0-dev-exp_destination",
-    "ecs_1.9.0-dev-exp_dll",
-    "ecs_1.9.0-dev-exp_dns",
-    "ecs_1.9.0-dev-exp_ecs",
-    "ecs_1.9.0-dev-exp_error",
-    "ecs_1.9.0-dev-exp_event",
-    "ecs_1.9.0-dev-exp_file",
-    "ecs_1.9.0-dev-exp_group",
-    "ecs_1.9.0-dev-exp_host",
-    "ecs_1.9.0-dev-exp_http",
-    "ecs_1.9.0-dev-exp_log",
-    "ecs_1.9.0-dev-exp_network",
-    "ecs_1.9.0-dev-exp_observer",
-    "ecs_1.9.0-dev-exp_organization",
-    "ecs_1.9.0-dev-exp_package",
-    "ecs_1.9.0-dev-exp_process",
-    "ecs_1.9.0-dev-exp_registry",
-    "ecs_1.9.0-dev-exp_related",
-    "ecs_1.9.0-dev-exp_rule",
-    "ecs_1.9.0-dev-exp_server",
-    "ecs_1.9.0-dev-exp_service",
-    "ecs_1.9.0-dev-exp_source",
-    "ecs_1.9.0-dev-exp_threat",
-    "ecs_1.9.0-dev-exp_tls",
-    "ecs_1.9.0-dev-exp_tracing",
-    "ecs_1.9.0-dev-exp_url",
-    "ecs_1.9.0-dev-exp_user",
-    "ecs_1.9.0-dev-exp_user_agent",
-    "ecs_1.9.0-dev-exp_vulnerability",
-    "ecs_1.9.0-dev-exp_data_stream"
+    "ecs_1.9.0-exp_agent",
+    "ecs_1.9.0-exp_base",
+    "ecs_1.9.0-exp_client",
+    "ecs_1.9.0-exp_cloud",
+    "ecs_1.9.0-exp_container",
+    "ecs_1.9.0-exp_destination",
+    "ecs_1.9.0-exp_dll",
+    "ecs_1.9.0-exp_dns",
+    "ecs_1.9.0-exp_ecs",
+    "ecs_1.9.0-exp_error",
+    "ecs_1.9.0-exp_event",
+    "ecs_1.9.0-exp_file",
+    "ecs_1.9.0-exp_group",
+    "ecs_1.9.0-exp_host",
+    "ecs_1.9.0-exp_http",
+    "ecs_1.9.0-exp_log",
+    "ecs_1.9.0-exp_network",
+    "ecs_1.9.0-exp_observer",
+    "ecs_1.9.0-exp_organization",
+    "ecs_1.9.0-exp_package",
+    "ecs_1.9.0-exp_process",
+    "ecs_1.9.0-exp_registry",
+    "ecs_1.9.0-exp_related",
+    "ecs_1.9.0-exp_rule",
+    "ecs_1.9.0-exp_server",
+    "ecs_1.9.0-exp_service",
+    "ecs_1.9.0-exp_source",
+    "ecs_1.9.0-exp_threat",
+    "ecs_1.9.0-exp_tls",
+    "ecs_1.9.0-exp_tracing",
+    "ecs_1.9.0-exp_url",
+    "ecs_1.9.0-exp_user",
+    "ecs_1.9.0-exp_user_agent",
+    "ecs_1.9.0-exp_vulnerability",
+    "ecs_1.9.0-exp_data_stream"
   ],
   "index_patterns": [
     "try-ecs-*"
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 4c51a421e6..5a6093e48d 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -1,5 +1,5 @@
 # WARNING! Do not edit this file directly, it was generated by the ECS project,
-# based on ECS version 1.9.0-dev.
+# based on ECS version 1.9.0.
 # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields.
 
 - key: ecs
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index ad9d04f737..19a95ab9a3 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -1,763 +1,763 @@
 ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
-1.9.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated.
-1.9.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs.
-1.9.0-dev,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer.
-1.9.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event.
-1.9.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent.
-1.9.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent.
-1.9.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
-1.9.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
-1.9.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent.
-1.9.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
-1.9.0-dev,true,client,client.address,keyword,extended,,,Client network address.
-1.9.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.9.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name.
-1.9.0-dev,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.9.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server.
-1.9.0-dev,true,client,client.domain,keyword,core,,,Client domain.
-1.9.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name.
-1.9.0-dev,true,client,client.geo.continent_code,keyword,core,,NA,Continent code.
-1.9.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.9.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.9.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name.
-1.9.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.9.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-1.9.0-dev,true,client,client.geo.postal_code,keyword,core,,94040,Postal code.
-1.9.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.9.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name.
-1.9.0-dev,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-1.9.0-dev,true,client,client.ip,ip,core,,,IP address of the client.
-1.9.0-dev,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client.
-1.9.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address
-1.9.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port
-1.9.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server.
-1.9.0-dev,true,client,client.port,long,core,,,Port of the client.
-1.9.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain."
-1.9.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain.
-1.9.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.9.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.9.0-dev,true,client,client.user.email,keyword,extended,,,User email address.
-1.9.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-1.9.0-dev,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.9.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.9.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.9.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group.
-1.9.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.9.0-dev,true,client,client.user.id,keyword,core,,,Unique identifier of the user.
-1.9.0-dev,true,client,client.user.name,keyword,core,,albert,Short name or login of the user.
-1.9.0-dev,true,client,client.user.name.text,text,core,,albert,Short name or login of the user.
-1.9.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.9.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id.
-1.9.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name.
-1.9.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running.
-1.9.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
-1.9.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine.
-1.9.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
-1.9.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id.
-1.9.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name.
-1.9.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider.
-1.9.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running.
-1.9.0-dev,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name.
-1.9.0-dev,true,container,container.id,keyword,core,,,Unique container id.
-1.9.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on.
-1.9.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags.
-1.9.0-dev,true,container,container.labels,object,extended,,,Image labels.
-1.9.0-dev,true,container,container.name,keyword,extended,,,Container name.
-1.9.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container.
-1.9.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address.
-1.9.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.9.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name.
-1.9.0-dev,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.9.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source.
-1.9.0-dev,true,destination,destination.domain,keyword,core,,,Destination domain.
-1.9.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name.
-1.9.0-dev,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code.
-1.9.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.9.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.9.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name.
-1.9.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.9.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-1.9.0-dev,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code.
-1.9.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.9.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name.
-1.9.0-dev,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-1.9.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination.
-1.9.0-dev,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination.
-1.9.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip
-1.9.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port
-1.9.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source.
-1.9.0-dev,true,destination,destination.port,long,core,,,Port of the destination.
-1.9.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain."
-1.9.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain.
-1.9.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.9.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.9.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address.
-1.9.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-1.9.0-dev,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.9.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.9.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.9.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group.
-1.9.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.9.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user.
-1.9.0-dev,true,destination,destination.user.name,keyword,core,,albert,Short name or login of the user.
-1.9.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user.
-1.9.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.9.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-1.9.0-dev,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
-1.9.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-1.9.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-1.9.0-dev,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
-1.9.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-1.9.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.9.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash.
-1.9.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash.
-1.9.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash.
-1.9.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash.
-1.9.0-dev,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash.
-1.9.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library.
-1.9.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library.
-1.9.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-1.9.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-1.9.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-1.9.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-1.9.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.9.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-1.9.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-1.9.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers.
-1.9.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record.
-1.9.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource.
-1.9.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains.
-1.9.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded.
-1.9.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record.
-1.9.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags.
-1.9.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
-1.9.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message.
-1.9.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried.
-1.9.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried.
-1.9.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain."
-1.9.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain.
-1.9.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.9.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried.
-1.9.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data
-1.9.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code.
-1.9.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer."
-1.9.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
-1.9.0-dev,true,error,error.code,keyword,core,,,Error code describing the error.
-1.9.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error.
-1.9.0-dev,true,error,error.message,text,core,,,Error message.
-1.9.0-dev,false,error,error.stack_trace,keyword,extended,,,The stack trace of this error in plain text.
-1.9.0-dev,false,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text.
-1.9.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception."
-1.9.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event.
-1.9.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy.
-1.9.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event.
-1.9.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline.
-1.9.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset.
-1.9.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds.
-1.9.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed.
-1.9.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
-1.9.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event.
-1.9.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store.
-1.9.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy.
-1.9.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from.
-1.9.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124; worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event.
-1.9.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy.
-1.9.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event.
-1.9.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source"
-1.9.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL
-1.9.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
-1.9.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100).
-1.9.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event.
-1.9.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event.
-1.9.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed.
-1.9.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone.
-1.9.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy.
-1.9.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL
-1.9.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed.
-1.9.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
-1.9.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-1.9.0-dev,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
-1.9.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-1.9.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-1.9.0-dev,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
-1.9.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-1.9.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.9.0-dev,true,file,file.created,date,extended,,,File creation time.
-1.9.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed.
-1.9.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file.
-1.9.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located.
-1.9.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
-1.9.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
-1.9.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
-1.9.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file.
-1.9.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash.
-1.9.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash.
-1.9.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash.
-1.9.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash.
-1.9.0-dev,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash.
-1.9.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
-1.9.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
-1.9.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation.
-1.9.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified.
-1.9.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
-1.9.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username.
-1.9.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
-1.9.0-dev,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
-1.9.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-1.9.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-1.9.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-1.9.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-1.9.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.9.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-1.9.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-1.9.0-dev,true,file,file.size,long,extended,,16384,File size in bytes.
-1.9.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks.
-1.9.0-dev,true,file,file.target_path.text,text,extended,,,Target path for symlinks.
-1.9.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
-1.9.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
-1.9.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
-1.9.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
-1.9.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-1.9.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
-1.9.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
-1.9.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
-1.9.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
-1.9.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.9.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
-1.9.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
-1.9.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
-1.9.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-1.9.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
-1.9.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
-1.9.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
-1.9.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
-1.9.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
-1.9.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code
-1.9.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
-1.9.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
-1.9.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
-1.9.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
-1.9.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.9.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format.
-1.9.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.9.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.9.0-dev,true,group,group.name,keyword,extended,,,Name of the group.
-1.9.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture.
-1.9.0-dev,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1."
-1.9.0-dev,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks.
-1.9.0-dev,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks.
-1.9.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of.
-1.9.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name.
-1.9.0-dev,true,host,host.geo.continent_code,keyword,core,,NA,Continent code.
-1.9.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.9.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.9.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name.
-1.9.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.9.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-1.9.0-dev,true,host,host.geo.postal_code,keyword,core,,94040,Postal code.
-1.9.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.9.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name.
-1.9.0-dev,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-1.9.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host.
-1.9.0-dev,true,host,host.id,keyword,core,,,Unique host id.
-1.9.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses.
-1.9.0-dev,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses.
-1.9.0-dev,true,host,host.name,keyword,core,,,Name of the host.
-1.9.0-dev,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces.
-1.9.0-dev,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces.
-1.9.0-dev,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces.
-1.9.0-dev,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces.
-1.9.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.9.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.9.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.9.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.9.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
-1.9.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
-1.9.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
-1.9.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
-1.9.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
-1.9.0-dev,true,host,host.type,keyword,core,,,Type of host.
-1.9.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up.
-1.9.0-dev,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.9.0-dev,true,host,host.user.email,keyword,extended,,,User email address.
-1.9.0-dev,true,host,host.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-1.9.0-dev,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.9.0-dev,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.9.0-dev,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.9.0-dev,true,host,host.user.group.name,keyword,extended,,,Name of the group.
-1.9.0-dev,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.9.0-dev,true,host,host.user.id,keyword,core,,,Unique identifier of the user.
-1.9.0-dev,true,host,host.user.name,keyword,core,,albert,Short name or login of the user.
-1.9.0-dev,true,host,host.user.name.text,text,core,,albert,Short name or login of the user.
-1.9.0-dev,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.9.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body.
-1.9.0-dev,true,http,http.request.body.content,keyword,extended,,Hello world,The full HTTP request body.
-1.9.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body.
-1.9.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers).
-1.9.0-dev,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID.
-1.9.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method.
-1.9.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request.
-1.9.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request.
-1.9.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body.
-1.9.0-dev,true,http,http.response.body.content,keyword,extended,,Hello world,The full HTTP response body.
-1.9.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body.
-1.9.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers).
-1.9.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response.
-1.9.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code.
-1.9.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version.
-1.9.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from.
-1.9.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event.
-1.9.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger.
-1.9.0-dev,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event.
-1.9.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event.
-1.9.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event.
-1.9.0-dev,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)."
-1.9.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata
-1.9.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event.
-1.9.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event.
-1.9.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event.
-1.9.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event.
-1.9.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event.
-1.9.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name.
-1.9.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions.
-1.9.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports.
-1.9.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic.
-1.9.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy.
-1.9.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number.
-1.9.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information
-1.9.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-1.9.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-1.9.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network.
-1.9.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions.
-1.9.0-dev,true,network,network.protocol,keyword,core,,http,L7 Network protocol name.
-1.9.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`.
-1.9.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc"
-1.9.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-1.9.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-1.9.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information
-1.9.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias
-1.9.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID
-1.9.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name
-1.9.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-1.9.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-1.9.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone
-1.9.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name.
-1.9.0-dev,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code.
-1.9.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.9.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.9.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name.
-1.9.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.9.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-1.9.0-dev,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code.
-1.9.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.9.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name.
-1.9.0-dev,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-1.9.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer.
-1.9.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information
-1.9.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias
-1.9.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID
-1.9.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name
-1.9.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
-1.9.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
-1.9.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone
-1.9.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer.
-1.9.0-dev,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer.
-1.9.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer.
-1.9.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.9.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.9.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.9.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.9.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
-1.9.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
-1.9.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
-1.9.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
-1.9.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
-1.9.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer.
-1.9.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number.
-1.9.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from.
-1.9.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer.
-1.9.0-dev,true,observer,observer.version,keyword,core,,,Observer version.
-1.9.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization.
-1.9.0-dev,true,organization,organization.name,keyword,extended,,,Organization name.
-1.9.0-dev,true,organization,organization.name.text,text,extended,,,Organization name.
-1.9.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture.
-1.9.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information
-1.9.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification.
-1.9.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package.
-1.9.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global."
-1.9.0-dev,true,package,package.installed,date,extended,,,Time when package was installed.
-1.9.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license
-1.9.0-dev,true,package,package.name,keyword,extended,,go,Package name
-1.9.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed.
-1.9.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL
-1.9.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes.
-1.9.0-dev,true,package,package.type,keyword,extended,,rpm,Package type
-1.9.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version
-1.9.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
-1.9.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array.
-1.9.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-1.9.0-dev,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
-1.9.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-1.9.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-1.9.0-dev,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
-1.9.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-1.9.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.9.0-dev,true,process,process.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-1.9.0-dev,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-1.9.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-1.9.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
-1.9.0-dev,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
-1.9.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process.
-1.9.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash.
-1.9.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash.
-1.9.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash.
-1.9.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash.
-1.9.0-dev,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash.
-1.9.0-dev,true,process,process.name,keyword,extended,,ssh,Process name.
-1.9.0-dev,true,process,process.name.text,text,extended,,ssh,Process name.
-1.9.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
-1.9.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
-1.9.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-1.9.0-dev,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
-1.9.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-1.9.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-1.9.0-dev,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
-1.9.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-1.9.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.9.0-dev,true,process,process.parent.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-1.9.0-dev,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-1.9.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-1.9.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
-1.9.0-dev,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
-1.9.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process.
-1.9.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash.
-1.9.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash.
-1.9.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash.
-1.9.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash.
-1.9.0-dev,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash.
-1.9.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name.
-1.9.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name.
-1.9.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-1.9.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-1.9.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-1.9.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-1.9.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.9.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-1.9.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-1.9.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
-1.9.0-dev,true,process,process.parent.pid,long,core,,4242,Process id.
-1.9.0-dev,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid.
-1.9.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
-1.9.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID.
-1.9.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name.
-1.9.0-dev,true,process,process.parent.title,keyword,extended,,,Process title.
-1.9.0-dev,true,process,process.parent.title.text,text,extended,,,Process title.
-1.9.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up.
-1.9.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process.
-1.9.0-dev,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process.
-1.9.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-1.9.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-1.9.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-1.9.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-1.9.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.9.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-1.9.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-1.9.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
-1.9.0-dev,true,process,process.pid,long,core,,4242,Process id.
-1.9.0-dev,true,process,process.ppid,long,extended,,4241,Parent process' pid.
-1.9.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
-1.9.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID.
-1.9.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name.
-1.9.0-dev,true,process,process.title,keyword,extended,,,Process title.
-1.9.0-dev,true,process,process.title.text,text,extended,,,Process title.
-1.9.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up.
-1.9.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process.
-1.9.0-dev,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process.
-1.9.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
-1.9.0-dev,true,registry,registry.data.strings,keyword,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
-1.9.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
-1.9.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
-1.9.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
-1.9.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
-1.9.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written.
-1.9.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event.
-1.9.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event.
-1.9.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event.
-1.9.0-dev,true,related,related.user,keyword,extended,array,,All the user names seen on your event.
-1.9.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author
-1.9.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category
-1.9.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description
-1.9.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID
-1.9.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license
-1.9.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name
-1.9.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL
-1.9.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset
-1.9.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID
-1.9.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version
-1.9.0-dev,true,server,server.address,keyword,extended,,,Server network address.
-1.9.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.9.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name.
-1.9.0-dev,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.9.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client.
-1.9.0-dev,true,server,server.domain,keyword,core,,,Server domain.
-1.9.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name.
-1.9.0-dev,true,server,server.geo.continent_code,keyword,core,,NA,Continent code.
-1.9.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.9.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.9.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name.
-1.9.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.9.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-1.9.0-dev,true,server,server.geo.postal_code,keyword,core,,94040,Postal code.
-1.9.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.9.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name.
-1.9.0-dev,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-1.9.0-dev,true,server,server.ip,ip,core,,,IP address of the server.
-1.9.0-dev,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server.
-1.9.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip
-1.9.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port
-1.9.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client.
-1.9.0-dev,true,server,server.port,long,core,,,Port of the server.
-1.9.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain."
-1.9.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain.
-1.9.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.9.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.9.0-dev,true,server,server.user.email,keyword,extended,,,User email address.
-1.9.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-1.9.0-dev,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.9.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.9.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.9.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group.
-1.9.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.9.0-dev,true,server,server.user.id,keyword,core,,,Unique identifier of the user.
-1.9.0-dev,true,server,server.user.name,keyword,core,,albert,Short name or login of the user.
-1.9.0-dev,true,server,server.user.name.text,text,core,,albert,Short name or login of the user.
-1.9.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.9.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
-1.9.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
-1.9.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service.
-1.9.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node.
-1.9.0-dev,true,service,service.state,keyword,core,,,Current state of the service.
-1.9.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service.
-1.9.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service.
-1.9.0-dev,true,source,source.address,keyword,extended,,,Source network address.
-1.9.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.9.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name.
-1.9.0-dev,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name.
-1.9.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination.
-1.9.0-dev,true,source,source.domain,keyword,core,,,Source domain.
-1.9.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name.
-1.9.0-dev,true,source,source.geo.continent_code,keyword,core,,NA,Continent code.
-1.9.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent.
-1.9.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-1.9.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name.
-1.9.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.9.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-1.9.0-dev,true,source,source.geo.postal_code,keyword,core,,94040,Postal code.
-1.9.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-1.9.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name.
-1.9.0-dev,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-1.9.0-dev,true,source,source.ip,ip,core,,,IP address of the source.
-1.9.0-dev,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source.
-1.9.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip
-1.9.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port
-1.9.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination.
-1.9.0-dev,true,source,source.port,long,core,,,Port of the source.
-1.9.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain."
-1.9.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain.
-1.9.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.9.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.9.0-dev,true,source,source.user.email,keyword,extended,,,User email address.
-1.9.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-1.9.0-dev,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.9.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.9.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.9.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group.
-1.9.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.9.0-dev,true,source,source.user.id,keyword,core,,,Unique identifier of the user.
-1.9.0-dev,true,source,source.user.name,keyword,core,,albert,Short name or login of the user.
-1.9.0-dev,true,source,source.user.name.text,text,core,,albert,Short name or login of the user.
-1.9.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.9.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace.
-1.9.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework.
-1.9.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id.
-1.9.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic.
-1.9.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference.
-1.9.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id.
-1.9.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name.
-1.9.0-dev,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name.
-1.9.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference.
-1.9.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id.
-1.9.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name.
-1.9.0-dev,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name.
-1.9.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference.
-1.9.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection.
-1.9.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client.
-1.9.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client.
-1.9.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client.
-1.9.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client.
-1.9.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client.
-1.9.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
-1.9.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake.
-1.9.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid.
-1.9.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid.
-1.9.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI.
-1.9.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client.
-1.9.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello.
-1.9.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
-1.9.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
-1.9.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-1.9.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
-1.9.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
-1.9.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
-1.9.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
-1.9.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.9.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
-1.9.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
-1.9.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
-1.9.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-1.9.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
-1.9.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
-1.9.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
-1.9.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
-1.9.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
-1.9.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code
-1.9.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
-1.9.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
-1.9.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
-1.9.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
-1.9.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.9.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format.
-1.9.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable."
-1.9.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
-1.9.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled.
-1.9.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
-1.9.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server.
-1.9.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server.
-1.9.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server.
-1.9.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server.
-1.9.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server.
-1.9.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server.
-1.9.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake.
-1.9.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid.
-1.9.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid.
-1.9.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server.
-1.9.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
-1.9.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
-1.9.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-1.9.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
-1.9.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
-1.9.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
-1.9.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
-1.9.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.9.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
-1.9.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
-1.9.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
-1.9.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-1.9.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
-1.9.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
-1.9.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
-1.9.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
-1.9.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
-1.9.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code
-1.9.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
-1.9.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
-1.9.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
-1.9.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
-1.9.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.9.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format.
-1.9.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string.
-1.9.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string.
-1.9.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace.
-1.9.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace.
-1.9.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url.
-1.9.0-dev,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
-1.9.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`.
-1.9.0-dev,true,url,url.full,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-1.9.0-dev,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-1.9.0-dev,true,url,url.original,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
-1.9.0-dev,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
-1.9.0-dev,true,url,url.password,keyword,extended,,,Password of the request.
-1.9.0-dev,true,url,url.path,keyword,extended,,,"Path of the request, such as ""/search""."
-1.9.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443."
-1.9.0-dev,true,url,url.query,keyword,extended,,,Query string of the request.
-1.9.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
-1.9.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url.
-1.9.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain.
-1.9.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.9.0-dev,true,url,url.username,keyword,extended,,,Username of the request.
-1.9.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.9.0-dev,true,user,user.changes.email,keyword,extended,,,User email address.
-1.9.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-1.9.0-dev,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.9.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.9.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.9.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group.
-1.9.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.9.0-dev,true,user,user.changes.id,keyword,core,,,Unique identifier of the user.
-1.9.0-dev,true,user,user.changes.name,keyword,core,,albert,Short name or login of the user.
-1.9.0-dev,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user.
-1.9.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.9.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.9.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.9.0-dev,true,user,user.effective.email,keyword,extended,,,User email address.
-1.9.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-1.9.0-dev,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.9.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.9.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.9.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group.
-1.9.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.9.0-dev,true,user,user.effective.id,keyword,core,,,Unique identifier of the user.
-1.9.0-dev,true,user,user.effective.name,keyword,core,,albert,Short name or login of the user.
-1.9.0-dev,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user.
-1.9.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.9.0-dev,true,user,user.email,keyword,extended,,,User email address.
-1.9.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-1.9.0-dev,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.9.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.9.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.9.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group.
-1.9.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.9.0-dev,true,user,user.id,keyword,core,,,Unique identifier of the user.
-1.9.0-dev,true,user,user.name,keyword,core,,albert,Short name or login of the user.
-1.9.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user.
-1.9.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.9.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.9.0-dev,true,user,user.target.email,keyword,extended,,,User email address.
-1.9.0-dev,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-1.9.0-dev,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
-1.9.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-1.9.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-1.9.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group.
-1.9.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-1.9.0-dev,true,user,user.target.id,keyword,core,,,Unique identifier of the user.
-1.9.0-dev,true,user,user.target.name,keyword,core,,albert,Short name or login of the user.
-1.9.0-dev,true,user,user.target.name.text,text,core,,albert,Short name or login of the user.
-1.9.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.9.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device.
-1.9.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
-1.9.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
-1.9.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
-1.9.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.9.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.9.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
-1.9.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.9.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
-1.9.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
-1.9.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
-1.9.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
-1.9.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
-1.9.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent.
-1.9.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability.
-1.9.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability.
-1.9.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
-1.9.0-dev,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
-1.9.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability.
-1.9.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability.
-1.9.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability.
-1.9.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number.
-1.9.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor.
-1.9.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score.
-1.9.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score.
-1.9.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score.
-1.9.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version.
-1.9.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability.
+1.9.0,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated.
+1.9.0,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs.
+1.9.0,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer.
+1.9.0,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event.
+1.9.0,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent.
+1.9.0,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent.
+1.9.0,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
+1.9.0,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
+1.9.0,true,agent,agent.type,keyword,core,,filebeat,Type of the agent.
+1.9.0,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
+1.9.0,true,client,client.address,keyword,extended,,,Client network address.
+1.9.0,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.9.0,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name.
+1.9.0,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.9.0,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server.
+1.9.0,true,client,client.domain,keyword,core,,,Client domain.
+1.9.0,true,client,client.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0,true,client,client.geo.continent_code,keyword,core,,NA,Continent code.
+1.9.0,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.9.0,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.9.0,true,client,client.geo.country_name,keyword,core,,Canada,Country name.
+1.9.0,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.9.0,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+1.9.0,true,client,client.geo.postal_code,keyword,core,,94040,Postal code.
+1.9.0,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.9.0,true,client,client.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+1.9.0,true,client,client.ip,ip,core,,,IP address of the client.
+1.9.0,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client.
+1.9.0,true,client,client.nat.ip,ip,extended,,,Client NAT ip address
+1.9.0,true,client,client.nat.port,long,extended,,,Client NAT port
+1.9.0,true,client,client.packets,long,core,,12,Packets sent from the client to the server.
+1.9.0,true,client,client.port,long,core,,,Port of the client.
+1.9.0,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain."
+1.9.0,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.9.0,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.9.0,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.9.0,true,client,client.user.email,keyword,extended,,,User email address.
+1.9.0,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.9.0,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.9.0,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0,true,client,client.user.group.name,keyword,extended,,,Name of the group.
+1.9.0,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.9.0,true,client,client.user.id,keyword,core,,,Unique identifier of the user.
+1.9.0,true,client,client.user.name,keyword,core,,albert,Short name or login of the user.
+1.9.0,true,client,client.user.name.text,text,core,,albert,Short name or login of the user.
+1.9.0,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.9.0,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id.
+1.9.0,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name.
+1.9.0,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running.
+1.9.0,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
+1.9.0,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine.
+1.9.0,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
+1.9.0,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id.
+1.9.0,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name.
+1.9.0,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider.
+1.9.0,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running.
+1.9.0,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name.
+1.9.0,true,container,container.id,keyword,core,,,Unique container id.
+1.9.0,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on.
+1.9.0,true,container,container.image.tag,keyword,extended,array,,Container image tags.
+1.9.0,true,container,container.labels,object,extended,,,Image labels.
+1.9.0,true,container,container.name,keyword,extended,,,Container name.
+1.9.0,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container.
+1.9.0,true,destination,destination.address,keyword,extended,,,Destination network address.
+1.9.0,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.9.0,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name.
+1.9.0,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.9.0,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source.
+1.9.0,true,destination,destination.domain,keyword,core,,,Destination domain.
+1.9.0,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code.
+1.9.0,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.9.0,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.9.0,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name.
+1.9.0,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.9.0,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+1.9.0,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code.
+1.9.0,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.9.0,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+1.9.0,true,destination,destination.ip,ip,core,,,IP address of the destination.
+1.9.0,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination.
+1.9.0,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip
+1.9.0,true,destination,destination.nat.port,long,extended,,,Destination NAT Port
+1.9.0,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source.
+1.9.0,true,destination,destination.port,long,core,,,Port of the destination.
+1.9.0,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain."
+1.9.0,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.9.0,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.9.0,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.9.0,true,destination,destination.user.email,keyword,extended,,,User email address.
+1.9.0,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.9.0,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.9.0,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0,true,destination,destination.user.group.name,keyword,extended,,,Name of the group.
+1.9.0,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.9.0,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user.
+1.9.0,true,destination,destination.user.name,keyword,core,,albert,Short name or login of the user.
+1.9.0,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user.
+1.9.0,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.9.0,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.9.0,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
+1.9.0,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.9.0,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.9.0,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
+1.9.0,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.9.0,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.9.0,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash.
+1.9.0,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash.
+1.9.0,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash.
+1.9.0,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash.
+1.9.0,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash.
+1.9.0,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library.
+1.9.0,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library.
+1.9.0,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.9.0,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.9.0,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.9.0,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.9.0,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.9.0,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.9.0,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.9.0,true,dns,dns.answers,object,extended,array,,Array of DNS answers.
+1.9.0,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record.
+1.9.0,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource.
+1.9.0,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains.
+1.9.0,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded.
+1.9.0,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record.
+1.9.0,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags.
+1.9.0,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
+1.9.0,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message.
+1.9.0,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried.
+1.9.0,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried.
+1.9.0,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain."
+1.9.0,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain.
+1.9.0,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.9.0,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried.
+1.9.0,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data
+1.9.0,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code.
+1.9.0,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer."
+1.9.0,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
+1.9.0,true,error,error.code,keyword,core,,,Error code describing the error.
+1.9.0,true,error,error.id,keyword,core,,,Unique identifier for the error.
+1.9.0,true,error,error.message,text,core,,,Error message.
+1.9.0,false,error,error.stack_trace,keyword,extended,,,The stack trace of this error in plain text.
+1.9.0,false,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text.
+1.9.0,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception."
+1.9.0,true,event,event.action,keyword,core,,user-password-change,The action captured by the event.
+1.9.0,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy.
+1.9.0,true,event,event.code,keyword,extended,,4648,Identification code for this event.
+1.9.0,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline.
+1.9.0,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset.
+1.9.0,true,event,event.duration,long,core,,,Duration of the event in nanoseconds.
+1.9.0,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed.
+1.9.0,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
+1.9.0,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event.
+1.9.0,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store.
+1.9.0,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy.
+1.9.0,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from.
+1.9.0,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124; worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event.
+1.9.0,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy.
+1.9.0,true,event,event.provider,keyword,extended,,kernel,Source of the event.
+1.9.0,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source"
+1.9.0,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL
+1.9.0,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
+1.9.0,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100).
+1.9.0,true,event,event.sequence,long,extended,,,Sequence number of the event.
+1.9.0,true,event,event.severity,long,core,,7,Numeric severity of the event.
+1.9.0,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed.
+1.9.0,true,event,event.timezone,keyword,extended,,,Event time zone.
+1.9.0,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy.
+1.9.0,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL
+1.9.0,true,file,file.accessed,date,extended,,,Last time the file was accessed.
+1.9.0,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
+1.9.0,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.9.0,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
+1.9.0,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.9.0,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.9.0,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
+1.9.0,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.9.0,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.9.0,true,file,file.created,date,extended,,,File creation time.
+1.9.0,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed.
+1.9.0,true,file,file.device,keyword,extended,,sda,Device that is the source of the file.
+1.9.0,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located.
+1.9.0,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
+1.9.0,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
+1.9.0,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
+1.9.0,true,file,file.group,keyword,extended,,alice,Primary group name of the file.
+1.9.0,true,file,file.hash.md5,keyword,extended,,,MD5 hash.
+1.9.0,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash.
+1.9.0,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash.
+1.9.0,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash.
+1.9.0,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash.
+1.9.0,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
+1.9.0,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
+1.9.0,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation.
+1.9.0,true,file,file.mtime,date,extended,,,Last time the file content was modified.
+1.9.0,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
+1.9.0,true,file,file.owner,keyword,extended,,alice,File owner's username.
+1.9.0,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+1.9.0,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+1.9.0,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.9.0,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.9.0,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.9.0,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.9.0,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.9.0,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.9.0,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.9.0,true,file,file.size,long,extended,,16384,File size in bytes.
+1.9.0,true,file,file.target_path,keyword,extended,,,Target path for symlinks.
+1.9.0,true,file,file.target_path.text,text,extended,,,Target path for symlinks.
+1.9.0,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
+1.9.0,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
+1.9.0,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+1.9.0,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+1.9.0,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+1.9.0,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.9.0,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+1.9.0,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+1.9.0,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+1.9.0,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.9.0,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+1.9.0,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+1.9.0,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+1.9.0,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+1.9.0,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+1.9.0,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+1.9.0,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+1.9.0,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+1.9.0,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+1.9.0,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code
+1.9.0,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.9.0,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+1.9.0,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+1.9.0,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+1.9.0,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.9.0,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format.
+1.9.0,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0,true,group,group.name,keyword,extended,,,Name of the group.
+1.9.0,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture.
+1.9.0,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1."
+1.9.0,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks.
+1.9.0,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks.
+1.9.0,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of.
+1.9.0,true,host,host.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0,true,host,host.geo.continent_code,keyword,core,,NA,Continent code.
+1.9.0,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.9.0,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.9.0,true,host,host.geo.country_name,keyword,core,,Canada,Country name.
+1.9.0,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.9.0,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+1.9.0,true,host,host.geo.postal_code,keyword,core,,94040,Postal code.
+1.9.0,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.9.0,true,host,host.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+1.9.0,true,host,host.hostname,keyword,core,,,Hostname of the host.
+1.9.0,true,host,host.id,keyword,core,,,Unique host id.
+1.9.0,true,host,host.ip,ip,core,array,,Host ip addresses.
+1.9.0,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses.
+1.9.0,true,host,host.name,keyword,core,,,Name of the host.
+1.9.0,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces.
+1.9.0,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces.
+1.9.0,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces.
+1.9.0,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces.
+1.9.0,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+1.9.0,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.9.0,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.9.0,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+1.9.0,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
+1.9.0,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
+1.9.0,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+1.9.0,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
+1.9.0,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+1.9.0,true,host,host.type,keyword,core,,,Type of host.
+1.9.0,true,host,host.uptime,long,extended,,1325,Seconds the host has been up.
+1.9.0,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.9.0,true,host,host.user.email,keyword,extended,,,User email address.
+1.9.0,true,host,host.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.9.0,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.9.0,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0,true,host,host.user.group.name,keyword,extended,,,Name of the group.
+1.9.0,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.9.0,true,host,host.user.id,keyword,core,,,Unique identifier of the user.
+1.9.0,true,host,host.user.name,keyword,core,,albert,Short name or login of the user.
+1.9.0,true,host,host.user.name.text,text,core,,albert,Short name or login of the user.
+1.9.0,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.9.0,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body.
+1.9.0,true,http,http.request.body.content,keyword,extended,,Hello world,The full HTTP request body.
+1.9.0,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body.
+1.9.0,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers).
+1.9.0,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID.
+1.9.0,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method.
+1.9.0,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request.
+1.9.0,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request.
+1.9.0,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body.
+1.9.0,true,http,http.response.body.content,keyword,extended,,Hello world,The full HTTP response body.
+1.9.0,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body.
+1.9.0,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers).
+1.9.0,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response.
+1.9.0,true,http,http.response.status_code,long,extended,,404,HTTP response status code.
+1.9.0,true,http,http.version,keyword,extended,,1.1,HTTP version.
+1.9.0,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from.
+1.9.0,true,log,log.level,keyword,core,,error,Log level of the log event.
+1.9.0,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger.
+1.9.0,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event.
+1.9.0,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event.
+1.9.0,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event.
+1.9.0,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)."
+1.9.0,true,log,log.syslog,object,extended,,,Syslog metadata
+1.9.0,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event.
+1.9.0,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event.
+1.9.0,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event.
+1.9.0,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event.
+1.9.0,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event.
+1.9.0,true,network,network.application,keyword,extended,,aim,Application level protocol name.
+1.9.0,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions.
+1.9.0,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports.
+1.9.0,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic.
+1.9.0,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy.
+1.9.0,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number.
+1.9.0,true,network,network.inner,object,extended,,,Inner VLAN tag information
+1.9.0,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+1.9.0,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+1.9.0,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network.
+1.9.0,true,network,network.packets,long,core,,24,Total packets transferred in both directions.
+1.9.0,true,network,network.protocol,keyword,core,,http,L7 Network protocol name.
+1.9.0,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`.
+1.9.0,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc"
+1.9.0,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+1.9.0,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+1.9.0,true,observer,observer.egress,object,extended,,,Object field for egress information
+1.9.0,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias
+1.9.0,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID
+1.9.0,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name
+1.9.0,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+1.9.0,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+1.9.0,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone
+1.9.0,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code.
+1.9.0,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.9.0,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.9.0,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name.
+1.9.0,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.9.0,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+1.9.0,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code.
+1.9.0,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.9.0,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+1.9.0,true,observer,observer.hostname,keyword,core,,,Hostname of the observer.
+1.9.0,true,observer,observer.ingress,object,extended,,,Object field for ingress information
+1.9.0,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias
+1.9.0,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID
+1.9.0,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name
+1.9.0,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+1.9.0,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+1.9.0,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone
+1.9.0,true,observer,observer.ip,ip,core,array,,IP addresses of the observer.
+1.9.0,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer.
+1.9.0,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer.
+1.9.0,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+1.9.0,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.9.0,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.9.0,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+1.9.0,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
+1.9.0,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
+1.9.0,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+1.9.0,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
+1.9.0,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+1.9.0,true,observer,observer.product,keyword,extended,,s200,The product name of the observer.
+1.9.0,true,observer,observer.serial_number,keyword,extended,,,Observer serial number.
+1.9.0,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from.
+1.9.0,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer.
+1.9.0,true,observer,observer.version,keyword,core,,,Observer version.
+1.9.0,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization.
+1.9.0,true,organization,organization.name,keyword,extended,,,Organization name.
+1.9.0,true,organization,organization.name.text,text,extended,,,Organization name.
+1.9.0,true,package,package.architecture,keyword,extended,,x86_64,Package architecture.
+1.9.0,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information
+1.9.0,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification.
+1.9.0,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package.
+1.9.0,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global."
+1.9.0,true,package,package.installed,date,extended,,,Time when package was installed.
+1.9.0,true,package,package.license,keyword,extended,,Apache License 2.0,Package license
+1.9.0,true,package,package.name,keyword,extended,,go,Package name
+1.9.0,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed.
+1.9.0,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL
+1.9.0,true,package,package.size,long,extended,,62231,Package size in bytes.
+1.9.0,true,package,package.type,keyword,extended,,rpm,Package type
+1.9.0,true,package,package.version,keyword,extended,,1.12.9,Package version
+1.9.0,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
+1.9.0,true,process,process.args_count,long,extended,,4,Length of the process.args array.
+1.9.0,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.9.0,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
+1.9.0,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.9.0,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.9.0,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
+1.9.0,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.9.0,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.9.0,true,process,process.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.9.0,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.9.0,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
+1.9.0,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.9.0,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.9.0,true,process,process.exit_code,long,extended,,137,The exit code of the process.
+1.9.0,true,process,process.hash.md5,keyword,extended,,,MD5 hash.
+1.9.0,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash.
+1.9.0,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash.
+1.9.0,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash.
+1.9.0,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash.
+1.9.0,true,process,process.name,keyword,extended,,ssh,Process name.
+1.9.0,true,process,process.name.text,text,extended,,ssh,Process name.
+1.9.0,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
+1.9.0,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
+1.9.0,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.9.0,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
+1.9.0,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.9.0,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.9.0,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
+1.9.0,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.9.0,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.9.0,true,process,process.parent.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.9.0,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.9.0,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
+1.9.0,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.9.0,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.9.0,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process.
+1.9.0,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash.
+1.9.0,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash.
+1.9.0,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash.
+1.9.0,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash.
+1.9.0,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash.
+1.9.0,true,process,process.parent.name,keyword,extended,,ssh,Process name.
+1.9.0,true,process,process.parent.name.text,text,extended,,ssh,Process name.
+1.9.0,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.9.0,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.9.0,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.9.0,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.9.0,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.9.0,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.9.0,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.9.0,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
+1.9.0,true,process,process.parent.pid,long,core,,4242,Process id.
+1.9.0,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid.
+1.9.0,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
+1.9.0,true,process,process.parent.thread.id,long,extended,,4242,Thread ID.
+1.9.0,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name.
+1.9.0,true,process,process.parent.title,keyword,extended,,,Process title.
+1.9.0,true,process,process.parent.title.text,text,extended,,,Process title.
+1.9.0,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up.
+1.9.0,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process.
+1.9.0,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process.
+1.9.0,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.9.0,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.9.0,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.9.0,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.9.0,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.9.0,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.9.0,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.9.0,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
+1.9.0,true,process,process.pid,long,core,,4242,Process id.
+1.9.0,true,process,process.ppid,long,extended,,4241,Parent process' pid.
+1.9.0,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
+1.9.0,true,process,process.thread.id,long,extended,,4242,Thread ID.
+1.9.0,true,process,process.thread.name,keyword,extended,,thread-0,Thread name.
+1.9.0,true,process,process.title,keyword,extended,,,Process title.
+1.9.0,true,process,process.title.text,text,extended,,,Process title.
+1.9.0,true,process,process.uptime,long,extended,,1325,Seconds the process has been up.
+1.9.0,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process.
+1.9.0,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process.
+1.9.0,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
+1.9.0,true,registry,registry.data.strings,keyword,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
+1.9.0,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
+1.9.0,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
+1.9.0,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
+1.9.0,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
+1.9.0,true,registry,registry.value,keyword,core,,Debugger,Name of the value written.
+1.9.0,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event.
+1.9.0,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event.
+1.9.0,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event.
+1.9.0,true,related,related.user,keyword,extended,array,,All the user names seen on your event.
+1.9.0,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author
+1.9.0,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category
+1.9.0,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description
+1.9.0,true,rule,rule.id,keyword,extended,,101,Rule ID
+1.9.0,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license
+1.9.0,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name
+1.9.0,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL
+1.9.0,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset
+1.9.0,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID
+1.9.0,true,rule,rule.version,keyword,extended,,1.1,Rule version
+1.9.0,true,server,server.address,keyword,extended,,,Server network address.
+1.9.0,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.9.0,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name.
+1.9.0,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.9.0,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client.
+1.9.0,true,server,server.domain,keyword,core,,,Server domain.
+1.9.0,true,server,server.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0,true,server,server.geo.continent_code,keyword,core,,NA,Continent code.
+1.9.0,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.9.0,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.9.0,true,server,server.geo.country_name,keyword,core,,Canada,Country name.
+1.9.0,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.9.0,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+1.9.0,true,server,server.geo.postal_code,keyword,core,,94040,Postal code.
+1.9.0,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.9.0,true,server,server.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+1.9.0,true,server,server.ip,ip,core,,,IP address of the server.
+1.9.0,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server.
+1.9.0,true,server,server.nat.ip,ip,extended,,,Server NAT ip
+1.9.0,true,server,server.nat.port,long,extended,,,Server NAT port
+1.9.0,true,server,server.packets,long,core,,12,Packets sent from the server to the client.
+1.9.0,true,server,server.port,long,core,,,Port of the server.
+1.9.0,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain."
+1.9.0,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.9.0,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.9.0,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.9.0,true,server,server.user.email,keyword,extended,,,User email address.
+1.9.0,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.9.0,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.9.0,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0,true,server,server.user.group.name,keyword,extended,,,Name of the group.
+1.9.0,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.9.0,true,server,server.user.id,keyword,core,,,Unique identifier of the user.
+1.9.0,true,server,server.user.name,keyword,core,,albert,Short name or login of the user.
+1.9.0,true,server,server.user.name.text,text,core,,albert,Short name or login of the user.
+1.9.0,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.9.0,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
+1.9.0,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
+1.9.0,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service.
+1.9.0,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node.
+1.9.0,true,service,service.state,keyword,core,,,Current state of the service.
+1.9.0,true,service,service.type,keyword,core,,elasticsearch,The type of the service.
+1.9.0,true,service,service.version,keyword,core,,3.2.4,Version of the service.
+1.9.0,true,source,source.address,keyword,extended,,,Source network address.
+1.9.0,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.9.0,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name.
+1.9.0,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name.
+1.9.0,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination.
+1.9.0,true,source,source.domain,keyword,core,,,Source domain.
+1.9.0,true,source,source.geo.city_name,keyword,core,,Montreal,City name.
+1.9.0,true,source,source.geo.continent_code,keyword,core,,NA,Continent code.
+1.9.0,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.9.0,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.9.0,true,source,source.geo.country_name,keyword,core,,Canada,Country name.
+1.9.0,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.9.0,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+1.9.0,true,source,source.geo.postal_code,keyword,core,,94040,Postal code.
+1.9.0,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.9.0,true,source,source.geo.region_name,keyword,core,,Quebec,Region name.
+1.9.0,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+1.9.0,true,source,source.ip,ip,core,,,IP address of the source.
+1.9.0,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source.
+1.9.0,true,source,source.nat.ip,ip,extended,,,Source NAT ip
+1.9.0,true,source,source.nat.port,long,extended,,,Source NAT port
+1.9.0,true,source,source.packets,long,core,,12,Packets sent from the source to the destination.
+1.9.0,true,source,source.port,long,core,,,Port of the source.
+1.9.0,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain."
+1.9.0,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.9.0,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.9.0,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.9.0,true,source,source.user.email,keyword,extended,,,User email address.
+1.9.0,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.9.0,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.9.0,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0,true,source,source.user.group.name,keyword,extended,,,Name of the group.
+1.9.0,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.9.0,true,source,source.user.id,keyword,core,,,Unique identifier of the user.
+1.9.0,true,source,source.user.name,keyword,core,,albert,Short name or login of the user.
+1.9.0,true,source,source.user.name.text,text,core,,albert,Short name or login of the user.
+1.9.0,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.9.0,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace.
+1.9.0,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework.
+1.9.0,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id.
+1.9.0,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic.
+1.9.0,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference.
+1.9.0,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id.
+1.9.0,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name.
+1.9.0,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name.
+1.9.0,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference.
+1.9.0,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id.
+1.9.0,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name.
+1.9.0,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name.
+1.9.0,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference.
+1.9.0,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection.
+1.9.0,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client.
+1.9.0,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client.
+1.9.0,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client.
+1.9.0,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client.
+1.9.0,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client.
+1.9.0,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
+1.9.0,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake.
+1.9.0,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid.
+1.9.0,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid.
+1.9.0,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI.
+1.9.0,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client.
+1.9.0,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello.
+1.9.0,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+1.9.0,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+1.9.0,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+1.9.0,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.9.0,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+1.9.0,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+1.9.0,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+1.9.0,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.9.0,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+1.9.0,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+1.9.0,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+1.9.0,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+1.9.0,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+1.9.0,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+1.9.0,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+1.9.0,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+1.9.0,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+1.9.0,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code
+1.9.0,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.9.0,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+1.9.0,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+1.9.0,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+1.9.0,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.9.0,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format.
+1.9.0,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable."
+1.9.0,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
+1.9.0,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled.
+1.9.0,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
+1.9.0,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server.
+1.9.0,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server.
+1.9.0,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server.
+1.9.0,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server.
+1.9.0,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server.
+1.9.0,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server.
+1.9.0,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake.
+1.9.0,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid.
+1.9.0,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid.
+1.9.0,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server.
+1.9.0,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+1.9.0,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+1.9.0,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+1.9.0,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.9.0,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+1.9.0,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+1.9.0,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+1.9.0,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.9.0,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+1.9.0,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+1.9.0,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+1.9.0,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+1.9.0,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+1.9.0,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+1.9.0,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+1.9.0,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+1.9.0,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+1.9.0,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code
+1.9.0,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.9.0,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+1.9.0,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+1.9.0,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+1.9.0,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.9.0,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format.
+1.9.0,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string.
+1.9.0,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string.
+1.9.0,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace.
+1.9.0,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace.
+1.9.0,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url.
+1.9.0,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
+1.9.0,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`.
+1.9.0,true,url,url.full,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+1.9.0,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+1.9.0,true,url,url.original,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+1.9.0,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+1.9.0,true,url,url.password,keyword,extended,,,Password of the request.
+1.9.0,true,url,url.path,keyword,extended,,,"Path of the request, such as ""/search""."
+1.9.0,true,url,url.port,long,extended,,443,"Port of the request, such as 443."
+1.9.0,true,url,url.query,keyword,extended,,,Query string of the request.
+1.9.0,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
+1.9.0,true,url,url.scheme,keyword,extended,,https,Scheme of the url.
+1.9.0,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.9.0,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.9.0,true,url,url.username,keyword,extended,,,Username of the request.
+1.9.0,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.9.0,true,user,user.changes.email,keyword,extended,,,User email address.
+1.9.0,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.9.0,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.9.0,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0,true,user,user.changes.group.name,keyword,extended,,,Name of the group.
+1.9.0,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.9.0,true,user,user.changes.id,keyword,core,,,Unique identifier of the user.
+1.9.0,true,user,user.changes.name,keyword,core,,albert,Short name or login of the user.
+1.9.0,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user.
+1.9.0,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.9.0,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.9.0,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.9.0,true,user,user.effective.email,keyword,extended,,,User email address.
+1.9.0,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.9.0,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.9.0,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0,true,user,user.effective.group.name,keyword,extended,,,Name of the group.
+1.9.0,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.9.0,true,user,user.effective.id,keyword,core,,,Unique identifier of the user.
+1.9.0,true,user,user.effective.name,keyword,core,,albert,Short name or login of the user.
+1.9.0,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user.
+1.9.0,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.9.0,true,user,user.email,keyword,extended,,,User email address.
+1.9.0,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.9.0,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.9.0,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0,true,user,user.group.name,keyword,extended,,,Name of the group.
+1.9.0,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.9.0,true,user,user.id,keyword,core,,,Unique identifier of the user.
+1.9.0,true,user,user.name,keyword,core,,albert,Short name or login of the user.
+1.9.0,true,user,user.name.text,text,core,,albert,Short name or login of the user.
+1.9.0,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.9.0,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.9.0,true,user,user.target.email,keyword,extended,,,User email address.
+1.9.0,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.9.0,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.9.0,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.9.0,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.9.0,true,user,user.target.group.name,keyword,extended,,,Name of the group.
+1.9.0,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.9.0,true,user,user.target.id,keyword,core,,,Unique identifier of the user.
+1.9.0,true,user,user.target.name,keyword,core,,albert,Short name or login of the user.
+1.9.0,true,user,user.target.name.text,text,core,,albert,Short name or login of the user.
+1.9.0,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+1.9.0,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device.
+1.9.0,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
+1.9.0,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
+1.9.0,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
+1.9.0,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+1.9.0,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.9.0,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.9.0,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+1.9.0,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
+1.9.0,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
+1.9.0,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+1.9.0,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
+1.9.0,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+1.9.0,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent.
+1.9.0,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability.
+1.9.0,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability.
+1.9.0,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
+1.9.0,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
+1.9.0,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability.
+1.9.0,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability.
+1.9.0,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability.
+1.9.0,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number.
+1.9.0,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor.
+1.9.0,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score.
+1.9.0,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score.
+1.9.0,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score.
+1.9.0,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version.
+1.9.0,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability.
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json
index 02dc242340..2bb27f4e28 100644
--- a/generated/elasticsearch/6/template.json
+++ b/generated/elasticsearch/6/template.json
@@ -5,7 +5,7 @@
   "mappings": {
     "_doc": {
       "_meta": {
-        "version": "1.9.0-dev"
+        "version": "1.9.0"
       },
       "date_detection": false,
       "dynamic_templates": [
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json
index 43a7d275c6..b4285d24de 100644
--- a/generated/elasticsearch/7/template.json
+++ b/generated/elasticsearch/7/template.json
@@ -4,7 +4,7 @@
   ],
   "mappings": {
     "_meta": {
-      "version": "1.9.0-dev"
+      "version": "1.9.0"
     },
     "date_detection": false,
     "dynamic_templates": [
diff --git a/generated/elasticsearch/component/agent.json b/generated/elasticsearch/component/agent.json
index c2b08b44de..218bb33576 100644
--- a/generated/elasticsearch/component/agent.json
+++ b/generated/elasticsearch/component/agent.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html",
-    "ecs_version": "1.9.0-dev"
+    "ecs_version": "1.9.0"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/base.json b/generated/elasticsearch/component/base.json
index 406ed0981d..65d4bb02a7 100644
--- a/generated/elasticsearch/component/base.json
+++ b/generated/elasticsearch/component/base.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
-    "ecs_version": "1.9.0-dev"
+    "ecs_version": "1.9.0"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/client.json b/generated/elasticsearch/component/client.json
index 59e1c4fac5..1c159ce12e 100644
--- a/generated/elasticsearch/component/client.json
+++ b/generated/elasticsearch/component/client.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html",
-    "ecs_version": "1.9.0-dev"
+    "ecs_version": "1.9.0"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/cloud.json b/generated/elasticsearch/component/cloud.json
index f106357123..213fe31dee 100644
--- a/generated/elasticsearch/component/cloud.json
+++ b/generated/elasticsearch/component/cloud.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html",
-    "ecs_version": "1.9.0-dev"
+    "ecs_version": "1.9.0"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/container.json b/generated/elasticsearch/component/container.json
index b7c8e6858e..80b5f22928 100644
--- a/generated/elasticsearch/component/container.json
+++ b/generated/elasticsearch/component/container.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-container.html",
-    "ecs_version": "1.9.0-dev"
+    "ecs_version": "1.9.0"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/destination.json b/generated/elasticsearch/component/destination.json
index d7babcf058..2cca4148d6 100644
--- a/generated/elasticsearch/component/destination.json
+++ b/generated/elasticsearch/component/destination.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html",
-    "ecs_version": "1.9.0-dev"
+    "ecs_version": "1.9.0"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/dll.json b/generated/elasticsearch/component/dll.json
index 29a41ba873..bdb47d8e88 100644
--- a/generated/elasticsearch/component/dll.json
+++ b/generated/elasticsearch/component/dll.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dll.html",
-    "ecs_version": "1.9.0-dev"
+    "ecs_version": "1.9.0"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/dns.json b/generated/elasticsearch/component/dns.json
index a27dd8b739..4db2063beb 100644
--- a/generated/elasticsearch/component/dns.json
+++ b/generated/elasticsearch/component/dns.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html",
-    "ecs_version": "1.9.0-dev"
+    "ecs_version": "1.9.0"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/ecs.json b/generated/elasticsearch/component/ecs.json
index 561892a4ed..70cf6c4dd9 100644
--- a/generated/elasticsearch/component/ecs.json
+++ b/generated/elasticsearch/component/ecs.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html",
-    "ecs_version": "1.9.0-dev"
+    "ecs_version": "1.9.0"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/error.json b/generated/elasticsearch/component/error.json
index 1364cd968c..0a121fd81e 100644
--- a/generated/elasticsearch/component/error.json
+++ b/generated/elasticsearch/component/error.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-error.html",
-    "ecs_version": "1.9.0-dev"
+    "ecs_version": "1.9.0"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/event.json b/generated/elasticsearch/component/event.json
index 06bcdfae66..0ddd788827 100644
--- a/generated/elasticsearch/component/event.json
+++ b/generated/elasticsearch/component/event.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html",
-    "ecs_version": "1.9.0-dev"
+    "ecs_version": "1.9.0"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/file.json b/generated/elasticsearch/component/file.json
index fa355f9f35..9dbae0880e 100644
--- a/generated/elasticsearch/component/file.json
+++ b/generated/elasticsearch/component/file.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html",
-    "ecs_version": "1.9.0-dev"
+    "ecs_version": "1.9.0"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/group.json b/generated/elasticsearch/component/group.json
index 13d6a829a5..7225dc3300 100644
--- a/generated/elasticsearch/component/group.json
+++ b/generated/elasticsearch/component/group.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-group.html",
-    "ecs_version": "1.9.0-dev"
+    "ecs_version": "1.9.0"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/host.json b/generated/elasticsearch/component/host.json
index e4ee59abbc..760e5e1e3c 100644
--- a/generated/elasticsearch/component/host.json
+++ b/generated/elasticsearch/component/host.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html",
-    "ecs_version": "1.9.0-dev"
+    "ecs_version": "1.9.0"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/http.json b/generated/elasticsearch/component/http.json
index daff315854..584bdf853a 100644
--- a/generated/elasticsearch/component/http.json
+++ b/generated/elasticsearch/component/http.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html",
-    "ecs_version": "1.9.0-dev"
+    "ecs_version": "1.9.0"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/log.json b/generated/elasticsearch/component/log.json
index 43bf92832c..452ecd5a14 100644
--- a/generated/elasticsearch/component/log.json
+++ b/generated/elasticsearch/component/log.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html",
-    "ecs_version": "1.9.0-dev"
+    "ecs_version": "1.9.0"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/network.json b/generated/elasticsearch/component/network.json
index bb6d172e07..ba58d4e865 100644
--- a/generated/elasticsearch/component/network.json
+++ b/generated/elasticsearch/component/network.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html",
-    "ecs_version": "1.9.0-dev"
+    "ecs_version": "1.9.0"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/observer.json b/generated/elasticsearch/component/observer.json
index d4be55d415..e8bfd1d513 100644
--- a/generated/elasticsearch/component/observer.json
+++ b/generated/elasticsearch/component/observer.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html",
-    "ecs_version": "1.9.0-dev"
+    "ecs_version": "1.9.0"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/organization.json b/generated/elasticsearch/component/organization.json
index 8d218314ee..daaf888010 100644
--- a/generated/elasticsearch/component/organization.json
+++ b/generated/elasticsearch/component/organization.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-organization.html",
-    "ecs_version": "1.9.0-dev"
+    "ecs_version": "1.9.0"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/package.json b/generated/elasticsearch/component/package.json
index ea843e3323..1f5e74675a 100644
--- a/generated/elasticsearch/component/package.json
+++ b/generated/elasticsearch/component/package.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-package.html",
-    "ecs_version": "1.9.0-dev"
+    "ecs_version": "1.9.0"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/process.json b/generated/elasticsearch/component/process.json
index 42f1df4ba3..4585ee8a0a 100644
--- a/generated/elasticsearch/component/process.json
+++ b/generated/elasticsearch/component/process.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html",
-    "ecs_version": "1.9.0-dev"
+    "ecs_version": "1.9.0"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/registry.json b/generated/elasticsearch/component/registry.json
index c7daf11d16..17e0bd9c24 100644
--- a/generated/elasticsearch/component/registry.json
+++ b/generated/elasticsearch/component/registry.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-registry.html",
-    "ecs_version": "1.9.0-dev"
+    "ecs_version": "1.9.0"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/related.json b/generated/elasticsearch/component/related.json
index 0afe5810bd..a049f8a620 100644
--- a/generated/elasticsearch/component/related.json
+++ b/generated/elasticsearch/component/related.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html",
-    "ecs_version": "1.9.0-dev"
+    "ecs_version": "1.9.0"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/rule.json b/generated/elasticsearch/component/rule.json
index 65dfd9b1c2..fb90cfda88 100644
--- a/generated/elasticsearch/component/rule.json
+++ b/generated/elasticsearch/component/rule.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html",
-    "ecs_version": "1.9.0-dev"
+    "ecs_version": "1.9.0"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/server.json b/generated/elasticsearch/component/server.json
index d824559d6c..ed76a06082 100644
--- a/generated/elasticsearch/component/server.json
+++ b/generated/elasticsearch/component/server.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html",
-    "ecs_version": "1.9.0-dev"
+    "ecs_version": "1.9.0"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/service.json b/generated/elasticsearch/component/service.json
index 2d9d66dfe2..7a2d6f94c3 100644
--- a/generated/elasticsearch/component/service.json
+++ b/generated/elasticsearch/component/service.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html",
-    "ecs_version": "1.9.0-dev"
+    "ecs_version": "1.9.0"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/source.json b/generated/elasticsearch/component/source.json
index d6b6bd2048..a7c54e0c74 100644
--- a/generated/elasticsearch/component/source.json
+++ b/generated/elasticsearch/component/source.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html",
-    "ecs_version": "1.9.0-dev"
+    "ecs_version": "1.9.0"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/threat.json b/generated/elasticsearch/component/threat.json
index cdd6f904b5..ac9e924ade 100644
--- a/generated/elasticsearch/component/threat.json
+++ b/generated/elasticsearch/component/threat.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-threat.html",
-    "ecs_version": "1.9.0-dev"
+    "ecs_version": "1.9.0"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/tls.json b/generated/elasticsearch/component/tls.json
index 4621cedde0..d7e2538b35 100644
--- a/generated/elasticsearch/component/tls.json
+++ b/generated/elasticsearch/component/tls.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tls.html",
-    "ecs_version": "1.9.0-dev"
+    "ecs_version": "1.9.0"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/tracing.json b/generated/elasticsearch/component/tracing.json
index 12ad11e6fa..266cfd06cc 100644
--- a/generated/elasticsearch/component/tracing.json
+++ b/generated/elasticsearch/component/tracing.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html",
-    "ecs_version": "1.9.0-dev"
+    "ecs_version": "1.9.0"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/url.json b/generated/elasticsearch/component/url.json
index 8b7b56aa0d..b15cfae528 100644
--- a/generated/elasticsearch/component/url.json
+++ b/generated/elasticsearch/component/url.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html",
-    "ecs_version": "1.9.0-dev"
+    "ecs_version": "1.9.0"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/user.json b/generated/elasticsearch/component/user.json
index af3bc6bf2f..62829ab8f0 100644
--- a/generated/elasticsearch/component/user.json
+++ b/generated/elasticsearch/component/user.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html",
-    "ecs_version": "1.9.0-dev"
+    "ecs_version": "1.9.0"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/user_agent.json b/generated/elasticsearch/component/user_agent.json
index be9177da45..63ae4e5a95 100644
--- a/generated/elasticsearch/component/user_agent.json
+++ b/generated/elasticsearch/component/user_agent.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html",
-    "ecs_version": "1.9.0-dev"
+    "ecs_version": "1.9.0"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/component/vulnerability.json b/generated/elasticsearch/component/vulnerability.json
index 9de1f1b4e6..01c0415bd0 100644
--- a/generated/elasticsearch/component/vulnerability.json
+++ b/generated/elasticsearch/component/vulnerability.json
@@ -1,7 +1,7 @@
 {
   "_meta": {
     "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html",
-    "ecs_version": "1.9.0-dev"
+    "ecs_version": "1.9.0"
   },
   "template": {
     "mappings": {
diff --git a/generated/elasticsearch/template.json b/generated/elasticsearch/template.json
index 9444d33b52..b08ff9eccf 100644
--- a/generated/elasticsearch/template.json
+++ b/generated/elasticsearch/template.json
@@ -1,43 +1,43 @@
 {
   "_meta": {
     "description": "Sample composable template that includes all ECS fields",
-    "ecs_version": "1.9.0-dev"
+    "ecs_version": "1.9.0"
   },
   "composed_of": [
-    "ecs_1.9.0-dev_agent",
-    "ecs_1.9.0-dev_base",
-    "ecs_1.9.0-dev_client",
-    "ecs_1.9.0-dev_cloud",
-    "ecs_1.9.0-dev_container",
-    "ecs_1.9.0-dev_destination",
-    "ecs_1.9.0-dev_dll",
-    "ecs_1.9.0-dev_dns",
-    "ecs_1.9.0-dev_ecs",
-    "ecs_1.9.0-dev_error",
-    "ecs_1.9.0-dev_event",
-    "ecs_1.9.0-dev_file",
-    "ecs_1.9.0-dev_group",
-    "ecs_1.9.0-dev_host",
-    "ecs_1.9.0-dev_http",
-    "ecs_1.9.0-dev_log",
-    "ecs_1.9.0-dev_network",
-    "ecs_1.9.0-dev_observer",
-    "ecs_1.9.0-dev_organization",
-    "ecs_1.9.0-dev_package",
-    "ecs_1.9.0-dev_process",
-    "ecs_1.9.0-dev_registry",
-    "ecs_1.9.0-dev_related",
-    "ecs_1.9.0-dev_rule",
-    "ecs_1.9.0-dev_server",
-    "ecs_1.9.0-dev_service",
-    "ecs_1.9.0-dev_source",
-    "ecs_1.9.0-dev_threat",
-    "ecs_1.9.0-dev_tls",
-    "ecs_1.9.0-dev_tracing",
-    "ecs_1.9.0-dev_url",
-    "ecs_1.9.0-dev_user",
-    "ecs_1.9.0-dev_user_agent",
-    "ecs_1.9.0-dev_vulnerability"
+    "ecs_1.9.0_agent",
+    "ecs_1.9.0_base",
+    "ecs_1.9.0_client",
+    "ecs_1.9.0_cloud",
+    "ecs_1.9.0_container",
+    "ecs_1.9.0_destination",
+    "ecs_1.9.0_dll",
+    "ecs_1.9.0_dns",
+    "ecs_1.9.0_ecs",
+    "ecs_1.9.0_error",
+    "ecs_1.9.0_event",
+    "ecs_1.9.0_file",
+    "ecs_1.9.0_group",
+    "ecs_1.9.0_host",
+    "ecs_1.9.0_http",
+    "ecs_1.9.0_log",
+    "ecs_1.9.0_network",
+    "ecs_1.9.0_observer",
+    "ecs_1.9.0_organization",
+    "ecs_1.9.0_package",
+    "ecs_1.9.0_process",
+    "ecs_1.9.0_registry",
+    "ecs_1.9.0_related",
+    "ecs_1.9.0_rule",
+    "ecs_1.9.0_server",
+    "ecs_1.9.0_service",
+    "ecs_1.9.0_source",
+    "ecs_1.9.0_threat",
+    "ecs_1.9.0_tls",
+    "ecs_1.9.0_tracing",
+    "ecs_1.9.0_url",
+    "ecs_1.9.0_user",
+    "ecs_1.9.0_user_agent",
+    "ecs_1.9.0_vulnerability"
   ],
   "index_patterns": [
     "try-ecs-*"
diff --git a/version b/version
index b57588e592..f8e233b273 100644
--- a/version
+++ b/version
@@ -1 +1 @@
-1.9.0-dev
+1.9.0

From 6ed7e133555bf15a67f80ad2c2061599f6855fb3 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Tue, 30 Mar 2021 09:58:13 -0500
Subject: [PATCH 90/90] Cut 1.9 changelog (#1328)

* move 1.9 changes to changelog

* add 1.9 release changes

add entry
---
 CHANGELOG.md      | 31 +++++++++++++++++++++++++++++++
 CHANGELOG.next.md | 31 -------------------------------
 2 files changed, 31 insertions(+), 31 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index feb711c0e1..83526636a4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,37 @@
 # CHANGELOG
 All notable changes to this project will be documented in this file based on the [Keep a Changelog](http://keepachangelog.com/) Standard. This project adheres to [Semantic Versioning](http://semver.org/).
 
+## [1.9.0](https://github.com/elastic/ecs/compare/v1.8.0...v1.9.0)
+
+### Schema Changes
+
+#### Added
+
+* Added `hash.ssdeep`. #1169
+* Added `cloud.service.name`. #1204
+* Added `http.request.id`. #1208
+* `data_stream.*` fieldset introduced in experimental schema and artifacts. #1215
+* Added `geo.timezone`, `geo.postal_code`, and `geo.continent_code`. #1229
+* Added `beta` host metrics fields. #1248
+* Added `code_signature.team_id`, `code_signature.signing_id`. #1249
+* Extended `pe` fields added to experimental schema. #1256
+* Add `elf` fieldset to experimental schema. #1261
+* Add `threat.indicator` fields to experimental schema. #1268
+
+#### Improvements
+
+* Include formatting guidance and examples for MAC address fields. #456
+* New section in ECS detailing event categorization fields usage. #1242
+* `user.changes.*`, `user.effective.*`, and `user.target.*` field reuses are GA. #1271
+
+### Tooling and Artifact Changes
+
+#### Improvements
+
+* Update Python dependencies #1310, #1318
+* Adjustments to use terminology that doesn't have negative connotation. #1315
+
+
 ## [1.8.0](https://github.com/elastic/ecs/compare/v1.7.0...v1.8.0)
 
 ### Schema Changes
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 77e8540dbc..4c99b1e12d 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -30,37 +30,6 @@ Thanks, you're awesome :-) -->
 
 #### Deprecated
 
-
-## 1.9.0 (Feature Freeze)
-
-### Schema Changes
-
-#### Added
-
-* Added `hash.ssdeep`. #1169
-* Added `cloud.service.name`. #1204
-* Added `http.request.id`. #1208
-* `data_stream.*` fieldset introduced in experimental schema and artifacts. #1215
-* Added `geo.timezone`, `geo.postal_code`, and `geo.continent_code`. #1229
-* Added `beta` host metrics fields. #1248
-* Added `code_signature.team_id`, `code_signature.signing_id`. #1249
-* Extended `pe` fields added to experimental schema. #1256
-* Add `elf` fieldset to experimental schema. #1261
-* Add `threat.indicator` fields to experimental schema. #1268
-
-#### Improvements
-
-* Include formatting guidance and examples for MAC address fields. #456
-* New section in ECS detailing event categorization fields usage. #1242
-* `user.changes.*`, `user.effective.*`, and `user.target.*` field reuses are GA. #1271
-* Update Python dependencies #1310, #1318
-
-### Tooling and Artifact Changes
-
-#### Improvements
-
-* Adjustments to use terminology that doesn't have negative connotation. #1315
-
 <!-- All empty sections:
 
 ## Unreleased